Bugtraq mailing list archives
Re: Trusted process on an untrusted machine?
From: frantzen () EXPERT CC PURDUE EDU (Mike Frantzen)
Date: Wed, 19 Jan 2000 16:00:36 -0500
>> Some of ways an attacker could bypass this protection:
>> Solution: There should be a LOCK pin on most processors that locks the memory bus. The kernel module can lock the bus and proceed to zero out all memory not used by the good kernel's page tables.

> No. You can't assume you know about all memory. (And I think LOCK does not work the way you imagine it). Rogue second cpu could be hiding in videoram of PCI card, for example.

You shouldn't need to know about all the memory. Insert a TLB entry to map a page of virtual memory to the first page of physical memory. Zero it out. Proceed to zero out every physical page of memory. Who cares if there is a physical page there or not. You only have 4gb to go through. It may trash some device detection though.

As to the rogue CPU running in the video card: IIRC, the video ram is mapped right into the cpu's address space, so it should be zeroed with the rest of it. If the memory isn't in the address space, it would be a feat to get the processor to execute it. I don't know if video cards can be told to copy video ram back into main memory though. (I haven't done any demo coding since I was 16.)

If you can't lock the bus... Well, that's where the kernel wars come in. Hehe, one kernel fighting to zero out memory and the other fighting to copy itself to a recently zero'd page. That just sounds cool.

> Remove heatsink from the cpu. Watch your "trusted" program do single-bit errors from time to time. Have fun.

Doh, I hadn't thought of that one ;)

later,
.mike