Bugtraq mailing list archives

Re: Shared memory DoS's

From: multics () WIZVAX WIZVAX NET (Richard Shetron)
Date: Tue, 20 Jul 1999 23:00:35 -0400


Multics was designed with the entire system running in VM in the early
60's (the first boot was around 1969).  You never opened a file, you
asked the OS to give you the VM address of the start of the 'segment'
and the length of the segment.  Everything was done in VM.  Each 'user'
had their own tmp space and quota so if you ran out of your personal tmp,
you get stopped.

typical process for an editor to read a file:

get segment name from user
call OS to get address of first bit of segment.
allocate working segment.
substr(working segment,,lenght) = substr(segment to edit,,length);
edit file

Tops-20 had mapped memory segments before VMS was born.  It was called
PMAP back then (for Page Map).  I don't know if it had the same
vulnerability.

Howie Kaye

"Dick St.Peters" wrote:


Mike Perry writes:

So as it turns out that it is in fact possible to create a DoS condition by
requesting a truckload of shared mem, then triggering pagefaults in the entire
shared region.


Mapped memory segments have been susceptible to this since at least
the early days of VMS, which AFAIK was the first OS to implement
mapped memory (VMS used the term "mapped section").  I ran into this
by accident no later than 1982 while doing image processing on a VMS
system.  My processes run at the lowest possible priority (equivalent
to the highest possible niceness), would effectively shut down the
system until they completed.

VMS didn't have a lot of tools for analyzing what was happening, but a
few experiments quickly showed the culprit was page faulting.  Image
processing tends to step through memory sparsely.

Sorry - I no longer have an exploit :)

--
Dick St.Peters, stpeters () NetHeaven com
Gatekeeper, NetHeaven, Saratoga Springs, NY
Saratoga/Albany/Amsterdam/BoltonLanding/Cobleskill/Greenwich/
GlensFalls/LakePlacid/NorthCreek/Plattsburgh/...
    Oldest Internet service based in the Adirondack-Albany region



--
Richard Shetron  multics () wizvax net multics () acm rpi edu
                 What is the Meaning of Life?
There is no meaning,
It's just a consequence of complex carbon based chemistry; don't worry about it
The Super 76, "Free Aspirin and Tender Sympathy", Las Vegas Strip.

Current thread:

Re: Shared memory DoS's, (continued)
- Re: Shared memory DoS's Nicolas V. Chernyy (Jul 15)
  - Re: Shared memory DoS's Mike Perry (Jul 17)
- Mail relay vulnerability in RedHat 5.0, 5.1, 5.2 David Luyer (Jul 16)
  - Re: Mail relay vulnerability in RedHat 5.0, 5.1, 5.2 Ollivier Robert (Jul 19)
  - Re: Mail relay vulnerability in RedHat 5.0, 5.1, 5.2 Matt Dunn (Jul 22)
    - Re: Mail relay vulnerability in RedHat 5.0, 5.1, 5.2 Daniele Orlandi (Jul 24)
- Re: Shared memory DoS's Glynn Clements (Jul 16)
  - Re: Shared memory DoS's Mike Perry (Jul 16)
- Re: Shared memory DoS's Howard Kaye (Jul 19)
  - Samba 2.0.5 security fixes Andrew Tridgell (Jul 20)
  - Re: Shared memory DoS's Richard Shetron (Jul 20)
  - Delegate creates directories writable for anyone Olaf Seibert (Jul 21)
  - Administrivia Aleph One (Jul 22)
- SNMP communities in 3Com HiPer Arcs (maybe other 3Com products?) Jeff Mcadams (Jul 20)
- Correction to Microsoft Security Bulletin MS99-025 aleph1 () UNDERGROUND ORG (Jul 20)