[11090] in bugtraq
Re: Shared memory DoS's
daemon@ATHENA.MIT.EDU (Richard Shetron)
Wed Jul 21 15:56:56 1999
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Message-Id: <19990721030035.10957.qmail@wizvax.wizvax.net>
Date: Tue, 20 Jul 1999 23:00:35 -0400
Reply-To: multics@wizvax.net
From: Richard Shetron <multics@WIZVAX.WIZVAX.NET>
X-To: howie@MS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <3793A73B.1308DBF9@ms.com> from "Howard Kaye" at Jul 19,
99 06:31:23 pm

Multics was designed with the entire system running in VM in the early
60's (the first boot was around 1969). You never opened a file, you
asked the OS to give you the VM address of the start of the 'segment'
and the length of the segment. Everything was done in VM. Each 'user'
had their own tmp space and quota so if you ran out of your personal tmp,
you get stopped.

Typical process for an editor to read a file:

    get segment name from user
    call OS to get address of first bit of segment.
    allocate working segment.
    substr(working segment,,length) = substr(segment to edit,,length);
    edit file

> Tops-20 had mapped memory segments before VMS was born. It was called
> PMAP back then (for Page Map). I don't know if it had the same
> vulnerability.
>
> Howie Kaye
>
> "Dick St.Peters" wrote:
> >
> > Mike Perry writes:
> >
> > > So as it turns out that it is in fact possible to create a DoS condition by
> > > requesting a truckload of shared mem, then triggering pagefaults in the entire
> > > shared region.
> >
> > Mapped memory segments have been susceptible to this since at least
> > the early days of VMS, which AFAIK was the first OS to implement
> > mapped memory (VMS used the term "mapped section"). I ran into this
> > by accident no later than 1982 while doing image processing on a VMS
> > system. My processes, run at the lowest possible priority (equivalent
> > to the highest possible niceness), would effectively shut down the
> > system until they completed.
> >
> > VMS didn't have a lot of tools for analyzing what was happening, but a
> > few experiments quickly showed the culprit was page faulting. Image
> > processing tends to step through memory sparsely.
> >
> > Sorry - I no longer have an exploit :)
> >
> > --
> > Dick St.Peters, stpeters@NetHeaven.com
> > Gatekeeper, NetHeaven, Saratoga Springs, NY
> > Saratoga/Albany/Amsterdam/BoltonLanding/Cobleskill/Greenwich/
> > GlensFalls/LakePlacid/NorthCreek/Plattsburgh/...
> > Oldest Internet service based in the Adirondack-Albany region
>
--
Richard Shetron multics@wizvax.net multics@acm.rpi.edu
What is the Meaning of Life?
There is no meaning,
It's just a consequence of complex carbon based chemistry; don't worry about it
The Super 76, "Free Aspirin and Tender Sympathy", Las Vegas Strip.