On Mon, Jan 16, 2012 at 13:45, Greg Freemyer <greg.freem...@gmail.com> wrote:
> On Thu, Jan 12, 2012 at 12:00 PM, Jonathan Neuschäfer
> <j.neuschae...@gmx.net> wrote:
> > On Wed, Jan 11, 2012 at 12:52:33PM -0500, Scott Lovenberg wrote:
> >> Real world example in C; I fixed a security bug in Samba that dealt with
> >> this exact problem. Credential files were read to memory as the root user
> >> and then the memory was freed without being zeroed. A user could therefore
> >> read the contents of a file that they didn't have permission to read
> >> because the whole thing was put in memory by a user that had permission to
> >> view the file. Someone clever could churn through memory and find the
> >> credentials if they knew that the mount command was just run.
> >>
> >> I added a memset() to the end of the parsing function to zero out the
> >> memory before freeing back to the OS.
> >
> > Could you please clarify how this "churning through memory" would work?
> >
> > Of course someone could find another security bug and access heap space,
> > but that requires said other bug. Debuggers are also irrelevant to this,
> > because you need certain permissions to run a program through a
> > debugger, and if you do that, you might also set a breakpoint in the
> > function and catch the credentials when it's run.
> >
> > Swap disks are a real issue under some circumstances, though.
> > A page containing sensitive data may be swapped out and not be
> > overwritten before an attacker can boot from an external medium (CD etc.)
> > and peek through the swap disk.
>
> Boot CDs mean physical access. If the bad guy has physical access, all is
> lost.
>
> === specifically
> If you want to defend against reboots to a boot CD, then all of memory
> is a potential leak.
>
> http://citp.princeton.edu/research/memory/
>
> My personal favorite is when they actually move the RAM chips from one
> PC to another to get the data out of it.
>
> After removing power, they immediately spray freon (or something
> similarly cold) on the RAM chips to stabilize them, then move them to
> another PC and recover the content.
>
> I can't get the video to work right now, but here's a walk-thru with
> photos.
>
> I quote:
> ===
> We stored data in these memory modules, then cooled them, removed them
> from the computer, and placed them in a container of liquid nitrogen
> for an hour. After returning them to the computer, we found
> practically no information had been lost. (Using liquid nitrogen would
> be overkill for most attacks, since cheap, widely-available duster
> spray would adequately cool the chips.)
> ===
>
> Greg

I should clarify (because someone asked), the memory that I was talking
about wouldn't be allocatable until after the process that read it and
freed it exited.

--
Peace and Blessings,
-Scott.
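The "memset() before free()" fix Scott describes, as an added illustration (this is not Samba's code and not from anyone in the thread): a small credential-file parser that scrubs its heap copy before returning it to the allocator. The wipe goes through a volatile function pointer because a plain memset() immediately before free() is a dead store the optimizer may legally delete; the `username=`/`password=` line format and the `creds` struct are assumptions for this example.

```c
#include <stdlib.h>
#include <string.h>

/* Zero memory through a volatile function pointer so the compiler cannot
 * prove the write is unobservable and drop it before free(). glibc's
 * explicit_bzero() serves the same purpose where it is available. */
static void *(*volatile memset_ptr)(void *, int, size_t) = memset;

static void secure_zero(void *p, size_t n)
{
    memset_ptr(p, 0, n);
}

#define CRED_MAX 64

struct creds {
    char user[CRED_MAX];
    char pass[CRED_MAX];
};

/* Parse "username=..." and "password=..." lines from the file text
 * (assumed format). The heap copy used for tokenizing holds the secret,
 * so it is wiped before free(); otherwise the next malloc() that lands
 * on the same memory could hand the password to unrelated code. */
int parse_credentials(const char *text, struct creds *out)
{
    size_t len = strlen(text);
    char *buf = malloc(len + 1);
    int found = 0;
    if (!buf) return -1;
    memcpy(buf, text, len + 1);
    memset(out, 0, sizeof *out);          /* guarantees NUL termination below */
    for (char *line = strtok(buf, "\n"); line; line = strtok(NULL, "\n")) {
        if (strncmp(line, "username=", 9) == 0) {
            strncpy(out->user, line + 9, CRED_MAX - 1); found++;
        } else if (strncmp(line, "password=", 9) == 0) {
            strncpy(out->pass, line + 9, CRED_MAX - 1); found++;
        }
    }
    secure_zero(buf, len + 1);            /* the fix: wipe, then free */
    free(buf);
    return found == 2 ? 0 : -1;
}

/* The caller wipes the parsed struct as soon as the credentials are used. */
void creds_wipe(struct creds *c)
{
    secure_zero(c, sizeof *c);
}
```

This addresses heap reuse within and across processes; it does nothing against swap or cold-boot capture, which need mlock()/encrypted swap and physical controls respectively.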
_______________________________________________
Kernelnewbies mailing list
Kernelnewbies@kernelnewbies.org
http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies