lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20090821140241.GB1337@ucw.cz>
Date:	Fri, 21 Aug 2009 16:02:41 +0200
From:	Pavel Machek <pavel@....cz>
To:	Theodore Tso <tytso@....edu>,
	David Wagner <daw-news@...berkeley.edu>,
	linux-kernel@...r.kernel.org
Subject: Re: Security: information leaks in /proc enable keystroke recovery

Hi!

> > (b) Keep /proc/$pid/wchan.  We suspect that it's possible this might
> > be usable for keystroke recovery, but we're not sure, and we do know
> > that blocking this entirely might annoy administrators, so rather than
> > blocking access entirely, apply a more lenient policy.  If the user
> > is not the owner of the process and is not root, allow up to about 10
> > accesses to /proc/$pid/wchan per, say, 10 minutes; if a user makes more
> > than 10 accesses per 10-minute period, insert random delays on the order
> > of a few hundred milliseconds into every access to /proc/$pid/wchan.
> > 
> > Notes: It is critical to do this by user, rather than by process;
> > otherwise a malicious user can fork a bazillion processes, each of which
> > reads /proc/$pid/wchan a constant number of times.  The "few hundred
> > milliseconds" comes from the fact that, for touch typists, typing two
> > keys with alternating hands typically takes something like 0-150ms,
> 
> I was going to suggest instead of doing it by user or by process,
> doing it globally; that is, *any* non-root process tries to access a
> particular task's wchan /proc file more than X accesses per Y minutes,
> we start inserting random delays.  Note that the "top" program by
> default will refresh the screen once every 3 seconds, so allowing at
> least 20 accesses per minute would be necessary to prevent "top" from
> getting hit by a pretty massive slowdown.
> 
> That should be fine, I think; even if someone were to query wchan once
> a second, it doesn't seem likely that would be enough to be able to
> carry out a keystroke timing attack.

It will still be complex accounting :-(. Is really wchan so useful?

> In addition, if you know that the user is entering a password at that
> point in time, simply looking to see whether the process is in state
> 'R' or 'S' might be enough to know when the keystrokes are being
> entered.  I might be willing to put that in the category, "We suspect
> that it's possible this might be usable for keystroke recovery, but
> we're not sure" --- but it would be a pretty strong suspicion.  As far
> as whether you could use WCHAN for keystroke recovery, I'd call that a
> near-certainty.
> 
> There are other timing channels I'd be wary of as well; for example,
> simply using stat on the pseudo-tty will record the last access time
> to a very high degree of accuracy:

/proc/interrupts ? various interfaces powertop uses?

I did not have chance to read the paper yet, but... does not ssh have
bad problem in that case?

								Pavel


-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ