Hi!
> Some of ways an attacker could bypass this protection:
> 4) Kernel wars! A SMP machine that boots an untrusted kernel. Have
> the APIC vector the attacking processor the timer interrupt then vector all
> other interrupts to the 'good' proc. The attacking proc then destroys
> the MP configuration table so the 'good' proc doesnt know it is an MP
> system. The attacking proc then tries to take over the system after X
> amount of time and steal the checksum/key.
> [It has been a few months since I've looked at x86 SMP]
> Solution: There should be a LOCK pin on most processors that locks the
> memory bus. The kernel module can lock the bus and proceed to
> zero out all memory not used by the good kernels page
> tables.
No. You can't assume you know about all memory. (And I think LOCK does
not work the way you imagine it). Rogue second cpu could be hiding in
videoram of PCI card, for example.
> 5) Hardware bus snooping. A PCI device on the memory bus to grab the
> checksum/key then give the key to another malicious machine.
> Solution: ???
[This is not really usefull attack, but it can be well used to screw
you]
Remove heatsink from the cpu. Watch your "trusted" program do
single-bit errors from time to time. Have fun.
Pavel
--
GCM d? s-: !g p?:+ au- a--@ w+ v- C++@ UL+++ L++ N++ E++ W--- M- Y- R+
