| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 21 Aug 2009 16:02:41 +0200 From: Pavel Machek <pavel@....cz> To: Theodore Tso <tytso@....edu>, David Wagner <daw-news@...berkeley.edu>, linux-kernel@...r.kernel.org Subject: Re: Security: information leaks in /proc enable keystroke recovery Hi! > > (b) Keep /proc/$pid/wchan. We suspect that it's possible this might > > be usable for keystroke recovery, but we're not sure, and we do know > > that blocking this entirely might annoy administrators, so rather than > > blocking access entirely, apply a more lenient policy. If the user > > is not the owner of the process and is not root, allow up to about 10 > > accesses to /proc/$pid/wchan per, say, 10 minutes; if a user makes more > > than 10 accesses per 10-minute period, insert random delays on the order > > of a few hundred milliseconds into every access to /proc/$pid/wchan. > > > > Notes: It is critical to do this by user, rather than by process; > > otherwise a malicious user can fork a bazillion processes, each of which > > reads /proc/$pid/wchan a constant number of times. The "few hundred > > milliseconds" comes from the fact that, for touch typists, typing two > > keys with alternating hands typically takes something like 0-150ms, > > I was going to suggest instead of doing it by user or by process, > doing it globally; that is, *any* non-root process tries to access a > particular task's wchan /proc file more than X accesses per Y minutes, > we start inserting random delays. Note that the "top" program by > default will refresh the screen once every 3 seconds, so allowing at > least 20 accesses per minute would be necessary to prevent "top" from > getting hit by a pretty massive slowdown. > > That should be fine, I think; even if someone were to query wchan once > a second, it doesn't seem likely that would be enough to be able to > carry out a keystroke timing attack. It will still be complex accounting :-(. Is really wchan so useful? > In addition, if you know that the user is entering a password at that > point in time, simply looking to see whether the process is in state > 'R' or 'S' might be enough to know when the keystrokes are being > entered. I might be willing to put that in the category, "We suspect > that it's possible this might be usable for keystroke recovery, but > we're not sure" --- but it would be a pretty strong suspicion. As far > as whether you could use WCHAN for keystroke recovery, I'd call that a > near-certainty. > > There are other timing channels I'd be wary of as well; for example, > simply using stat on the pseudo-tty will record the last access time > to a very high degree of accuracy: /proc/interrupts ? various interfaces powertop uses? I did not have chance to read the paper yet, but... does not ssh have bad problem in that case? Pavel -- (english) http://www.livejournal.com/~pavelmachek (cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists