Message-ID: <20130723193943.GA6626@debjann.fritz.box>
Date: Tue, 23 Jul 2013 21:39:43 +0200
From: Jann Horn <jann@...jh.net>
To: full-disclosure@...ts.grok.org.uk
Subject: Linux reveals IO timing data
There are multiple ways in which Linux reveals IO timing data. Probably the
most interesting one is the field "voluntary_ctxt_switches" in
/proc/<pid>/status: It reveals how often the process has voluntarily caused
a context switch so far, and usually, a process does that when it's waiting
for something to happen (IO, a timer, ...). Many programs that interact with
the user at least sometimes just wait for the user to do something; they don't
do anything else. So, by polling this entry in procfs, we can find out when
exactly the user does IO – and to be able to do this, it's sufficient to have
an unprivileged account on the system; you don't need to own the process you're
monitoring or to be root.
Even more interesting is that often, input is handed down through a chain of
processes where different kinds of input cause different processes to become
active. For example, an xterm will show activity whenever a modifier key is
pressed or released. For normal keys, it will show activity twice when the key
is pressed down and another time when the key is released (I'm not entirely
sure about the reason for that). This means that when an unprivileged user e.g.
knows that you're typing a text, he can tell when you're typing an uppercase
letter. That might be even more interesting when you're typing in a password.
Also, he can tell how much you're typing, so he can e.g. find out the length
of a password (especially if he also watches for process spawns).
Also, there has been research about how input timing depends on which keys
you're pressing <http://users.ece.cmu.edu/~dawnsong/papers/ssh-timing.pdf>:
> reveal a surprising amount of information on passwords and other text typed
> over SSH sessions (about 1 bit of information per character pair in the case
> of randomly chosen passwords)
So, a local, unprivileged attacker on a normal Linux box could learn quite a
bit about what you're typing. For this, he only needs an intentionally-exposed
interface, and it'd be hard to lock this down reliably without impacting the
usability of tools that use it for whatever reason. In other words, removing
this would break backwards compatibility.
You might want to lock down your procfs, I guess...
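The polling technique described in the post, as an added example that is not part of the original message: it reads voluntary_ctxt_switches from /proc/<pid>/status for one or more PIDs (for instance an xterm and the shell running inside it), records a timestamp every time the counter increases, and reports the gaps between wake-ups, which is the timing data an unprivileged observer obtains. The PIDs on the command line, the 1 ms polling period and the SAMPLE_STATUS text are assumptions of this example; the file layout it parses is the real one.

```python
"""Added example (not code from the original post): log the moments at which
monitored processes wake from a blocking wait, using only the world-readable
/proc/<pid>/status file.  Usage: python3 ctxt_watch.py <pid> [<pid> ...]
"""
import sys
import time
from pathlib import Path

# Constructed sample of the tail of a /proc/<pid>/status file (assumption:
# a real file carries many more fields above these).  Used to exercise the
# parser without a live process.
SAMPLE_STATUS = """\
Name:\txterm
State:\tS (sleeping)
Pid:\t4242
Threads:\t1
voluntary_ctxt_switches:\t1523
nonvoluntary_ctxt_switches:\t7
"""

FIELDS = ("voluntary_ctxt_switches", "nonvoluntary_ctxt_switches")


def parse_ctxt_switches(status_text):
    """Return (voluntary, nonvoluntary) from /proc/<pid>/status text;
    a missing field yields None."""
    counters = {}
    for line in status_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key in FIELDS:
            counters[key] = int(value.strip())
    return counters.get(FIELDS[0]), counters.get(FIELDS[1])


def read_voluntary(pid):
    """Voluntary counter of a live process, or None if it cannot be read
    (process gone, or not a Linux procfs)."""
    try:
        text = Path(f"/proc/{pid}/status").read_text()
    except OSError:
        return None
    return parse_ctxt_switches(text)[0]


def wakeups(samples):
    """Given [(timestamp, counter), ...] in time order, return the timestamps
    at which the counter increased: each one is a wake-up of the process."""
    events = []
    prev = None
    for t, count in samples:
        if prev is not None and count > prev:
            events.append(t)
        prev = count
    return events


def intervals(times):
    """Gaps between consecutive wake-ups: the timing side channel itself."""
    return [b - a for a, b in zip(times, times[1:])]


def poll(pids, duration_s=10.0, period_s=0.001):
    """Poll several PIDs for duration_s and return {pid: [wake-up times]}.
    Polling every 1 ms (assumption) is fine-grained enough for keystrokes."""
    last = {pid: read_voluntary(pid) for pid in pids}
    events = {pid: [] for pid in pids}
    deadline = time.monotonic() + duration_s
    while time.monotonic() < deadline:
        now = time.monotonic()
        for pid in pids:
            cur = read_voluntary(pid)
            if cur is None:
                continue  # process exited or unreadable; keep watching others
            if last[pid] is not None and cur > last[pid]:
                events[pid].append(now)
            last[pid] = cur
        time.sleep(period_s)
    return events


if __name__ == "__main__":
    targets = [int(a) for a in sys.argv[1:]]
    if not targets:
        sys.exit("usage: ctxt_watch.py <pid> [<pid> ...]")
    for pid, times in poll(targets).items():
        gaps = ", ".join(f"{g * 1000:.1f}" for g in intervals(times))
        print(f"pid {pid}: {len(times)} wake-ups; gaps (ms): {gaps}")
```

Note that the counter also increments on timer wake-ups and other blocking IO, not only on keystrokes, so a processes's idle pattern has to be learned first; watching several processes in the input chain at once, as the post describes for xterm, helps tell those sources apart.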
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/