[13449] in bugtraq
Re: Trusted process on an untrusted machine?
daemon@ATHENA.MIT.EDU (Mike Frantzen)
Thu Jan 20 16:15:10 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Message-Id: <200001192100.QAA27523@expert.cc.purdue.edu>
Date: Wed, 19 Jan 2000 16:00:36 -0500
Reply-To: Mike Frantzen <frantzen@EXPERT.CC.PURDUE.EDU>
From: Mike Frantzen <frantzen@EXPERT.CC.PURDUE.EDU>
X-To: Pavel Machek <pavel@suse.cz>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20000119212309.C21802@atrey.karlin.mff.cuni.cz> from Pavel Machek at "Jan 19, 2000 09:23:09 pm"
> > Some of the ways an attacker could bypass this protection:
> > Solution: There should be a LOCK pin on most processors that locks the
> > memory bus. The kernel module can lock the bus and proceed to
> > zero out all memory not used by the good kernel's page tables.

> No. You can't assume you know about all memory. (And I think LOCK does
> not work the way you imagine it.) A rogue second CPU could be hiding in
> the video RAM of a PCI card, for example.

You shouldn't need to know about all the memory. Insert a TLB entry to map
a page of virtual memory to the first page of physical memory. Zero it out.
Proceed to zero out every physical page of memory. Who cares if there is a
physical page there or not? You only have 4 GB to go through. It may trash
some device detection though.

As to the rogue CPU running in the video card: IIRC, the video RAM is mapped
right into the CPU's address space, so it should be zeroed with the rest of it.
If the memory isn't in the address space, it would be a feat to get the
processor to execute it. I don't know if video cards can be told to copy
video RAM back into main memory though. (I haven't done any demo coding since
I was 16.)

If you can't lock the bus... Well, that's where the kernel wars come in.
Hehe, one kernel fighting to zero out memory and the other fighting to copy
itself to a recently zeroed page. That just sounds cool.

> Remove the heatsink from the CPU. Watch your "trusted" program do
> single-bit errors from time to time. Have fun.

Doh, I hadn't thought of that one ;)

later,
.mike