From owner-freebsd-hackers@FreeBSD.ORG Sat Aug 15 23:25:30 2009
From: Oliver Pinter <oliver.pntr@gmail.com>
To: David Wagner
Cc: freebsd-hackers@freebsd.org, linux-kernel@vger.kernel.org
Date: Sun, 16 Aug 2009 01:25:28 +0200
Subject: Re: Security: information leaks in /proc enable keystroke recovery
Message-ID: <6101e8c40908151625s52ad9b83ue061de3fab97fbf8@mail.gmail.com>
In-Reply-To: <200908152221.n7FMLRuw005799@taverner.cs.berkeley.edu>
References: <200908152221.n7FMLRuw005799@taverner.cs.berkeley.edu>
List-Id: Technical Discussions relating to FreeBSD

On 8/16/09, David Wagner wrote:
> At Usenix Security 2009, two researchers announced last week a new
> security vulnerability in multi-user Linux systems. They demonstrated
> that one user can, in many cases, recover partial information about
> the keystrokes that another user types into applications running on
> that system. For instance, they demonstrate how a malicious user can
> recover partial information about SSH passwords typed by other users,
> reducing the password search space by a factor of 250-2000x in
> their experiments. Thus, this could facilitate password recovery.
>
> Question: Are there any plans to modify the Linux kernel to defend
> against this kind of attack?
>
> The paper is here:
>
> http://www.usenix.org/events/sec09/tech/full_papers/zhang.pdf
>
> In a nutshell, they exploit the fact that many files in /proc are
> world-readable yet contain sensitive information that can leak information
> about inter-keystroke timings. For instance, /proc/$PID/stat reveals the
> ESP and EIP registers of the associated process, and is world-readable.
> /proc/pid/status is also mentioned as revealing information that could
> be exploited in these attacks.
>
> Based on my understanding of their work, it sounds like some of
> the information on those files should perhaps not be world-readable.
> It's not clear to me that it's reasonable for the kernel to reveal ESP,
> EIP, and other sensitive information about process behavior to everyone
> on the same system.
>
> Are folks already aware of these vulnerabilities? Is there any work
> underway to try to address the issues identified in the Usenix Security
> paper?
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at http://www.tux.org/lkml/
>

[snip]
6.2 Information Leaks in the Procfs of Other UNIX-like Systems

Besides Linux, most other UNIX-like systems also implement procfs. These implementations vary from case to case, and as a result, their susceptibilities to side-channel attacks also differ. Here we discuss such privacy risks on two systems, FreeBSD and OpenSolaris.

FreeBSD manages its process files more cautiously than Linux¹²: it puts all register values into the file /proc/pid/regs that can only be read by the owner of a process, which blocks the information used by our attack. However, we found that other information released by the procfs can lead to similar attacks. A prominent example is the system time reported by /proc/pid/status, a file open to every user. Figure 11 shows the correlations between the time consumed by vim and the keystrokes it received, as observed in our research. This demonstrates that keystroke events within the process can be identified from the change of its system time, which makes keystroke eavesdropping possible. A problem here is that we may not be able to detect special keys a user enters, for example, "MOV CURSOR", which is determined from ESP/EIP information on Linux. A possible solution is using the discrepancies of system-time increments triggered by different keys being entered to fingerprint these individual keys. Further study of this technique is left to our future research.
[/snip]
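The exposure Wagner describes, ESP/EIP readable from /proc/$PID/stat by any local user, can be checked from the defender's side rather than exploited. The audit script below is an added example for this archive page; it is not code from the Usenix paper, from David Wagner or from Oliver Pinter. It assumes the Linux proc(5) field numbering for /proc/<pid>/stat (comm is field 2, utime 14, stime 15, kstkesp 29, kstkeip 30, counting pid as field 1) and the procfs hidepid= mount option; the two sample stat lines are constructed, not captured from a real host. Linux kernels that restrict these register fields report them as 0 to readers without ptrace access, so a non-zero value for another user's process is what the check flags. The parser also handles the classic pitfall of a comm field containing spaces or parentheses, which shifts every later field if the line is split naively.

```python
"""Audit /proc/<pid>/stat for the register fields discussed in the thread.

Added example, not code from the paper or from either author.  Field
positions follow proc(5): utime is field 14, stime 15, kstkesp 29 and
kstkeip 30 (1-based, counting the pid as field 1).
"""
import os
import re

# Constructed sample lines (not captured from a real system).  The comm
# field "(my (odd) prog)" contains spaces and parentheses on purpose: a
# naive split() on whitespace mis-counts every later field for such names.
LEGACY_STAT = (
    "1234 (my (odd) prog) S 1 1234 1234 0 -1 4194304 500 0 0 0 12 7 0 0 20 0 1 0 "
    "98765 10240000 300 18446744073709551615 94000000000000 94000000100000 "
    "140700000000000 140700000001234 94000000050000 0 0 0 0 0 0 0 17 3 0 0 0 0 0 "
    "94000000200000 94000000210000 94100000000000 140700000005000 "
    "140700000006000 140700000006000 140700000008192 0"
)
# The same process as a kernel that masks the registers would report it.
HARDENED_STAT = LEGACY_STAT.replace("140700000001234 94000000050000", "0 0")


def parse_stat(line):
    """Parse one /proc/<pid>/stat line into the fields this audit cares about.

    comm is delimited by the first '(' and the *last* ')', so it is cut out
    before the remainder is split on whitespace.
    """
    line = line.rstrip("\n")
    start = line.index("(")
    end = line.rindex(")")
    pid = int(line[:start].strip())
    comm = line[start + 1:end]
    rest = line[end + 2:].split()  # rest[0] is field 3 (state)

    def field(n):
        # Map a 1-based proc(5) field number (n >= 3) onto rest[].
        return rest[n - 3]

    return {
        "pid": pid,
        "comm": comm,
        "state": field(3),
        "utime": int(field(14)),    # CPU time fields are never masked
        "stime": int(field(15)),    # (the Linux analogue of the FreeBSD leak)
        "kstkesp": int(field(29)),
        "kstkeip": int(field(30)),
    }


def exposed_registers(rec):
    """Names of register fields this stat line reveals (non-zero values).

    A kernel that masks them reports 0 to readers without ptrace access.
    """
    return [name for name in ("kstkesp", "kstkeip") if rec[name] != 0]


def proc_hidepid():
    """Return the hidepid= value of the /proc mount, or None if it is not set.

    hidepid=1 stops other users from reading /proc/<pid>/stat at all and
    hidepid=2 also hides the directories, which is the mitigation for fields
    like utime/stime that cannot be masked.
    """
    try:
        with open("/proc/mounts") as f:
            for line in f:
                parts = line.split()
                if len(parts) >= 4 and parts[1] == "/proc":
                    m = re.search(r"hidepid=(\w+)", parts[3])
                    return m.group(1) if m else None
    except OSError:
        pass
    return None


def audit_live(include_own=False):
    """Scan /proc and return (pid, comm, exposed) for processes owned by other
    UIDs whose stat line still exposes kstkesp/kstkeip.  Processes that exit
    mid-scan, and hosts without /proc, yield no findings instead of errors."""
    findings = []
    me = os.getuid()
    try:
        entries = list(os.scandir("/proc"))
    except OSError:
        return findings
    for entry in entries:
        if not entry.name.isdigit():
            continue
        try:
            if entry.stat().st_uid == me and not include_own:
                continue
            with open(os.path.join(entry.path, "stat")) as f:
                rec = parse_stat(f.read())
        except (OSError, ValueError):
            continue
        exposed = exposed_registers(rec)
        if exposed:
            findings.append((rec["pid"], rec["comm"], exposed))
    return findings


if __name__ == "__main__":
    print("hidepid:", proc_hidepid())
    for pid, comm, exposed in audit_live():
        print(f"pid {pid} ({comm}) exposes {', '.join(exposed)}")
```

Run it as an ordinary, unprivileged user: that is the vantage point of the attack in the paper, so any finding it prints is a register value that user can read. An empty report with hidepid unset still leaves utime/stime readable, which is the Linux counterpart of the /proc/pid/status system-time channel quoted from the paper's FreeBSD section; masking does not apply to those fields, so hidepid (or a policy that keeps untrusted users off shared hosts) is the control to look at.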