Bugtraq mailing list archives
Re: Trusted process on an untrusted machine?
From: pavel () SUSE CZ (Pavel Machek)
Date: Wed, 19 Jan 2000 21:23:09 +0100
Hi!

> Some of the ways an attacker could bypass this protection:
>
> 4) Kernel wars! A SMP machine that boots an untrusted kernel. Have the APIC vector the attacking processor the timer interrupt then vector all other interrupts to the 'good' proc. The attacking proc then destroys the MP configuration table so the 'good' proc doesn't know it is an MP system. The attacking proc then tries to take over the system after X amount of time and steal the checksum/key. [It has been a few months since I've looked at x86 SMP]
> Solution: There should be a LOCK pin on most processors that locks the memory bus. The kernel module can lock the bus and proceed to zero out all memory not used by the good kernel's page tables.

No. You can't assume you know about all memory. (And I think LOCK does not work the way you imagine it.) A rogue second CPU could be hiding in the videoram of a PCI card, for example.

> 5) Hardware bus snooping. A PCI device on the memory bus to grab the checksum/key then give the key to another malicious machine.
> Solution: ???

[This is not really a useful attack, but it can be well used to screw you] Remove the heatsink from the CPU. Watch your "trusted" program do single-bit errors from time to time. Have fun.

Pavel
--
GCM d? s-: !g p?:+ au- a--@ w+ v- C++@ UL+++ L++ N++ E++ W--- M- Y- R+