PaulDotCom mailing list archives

Previous By Date Next
Previous By Thread Next

Re: ETag leaking inode info

From: Robin Wood <robin () digininja org>
Date: Mon, 1 Oct 2012 22:05:08 +0100
On 1 October 2012 19:42, Josh More <jmore () starmind org> wrote:

On Sat, Sep 29, 2012 at 3:27 PM, Robin Wood <robin () digininja org> wrote:

On 28 September 2012 00:34, Josh More <jmore () starmind org> wrote:

I do not disagree, but I am in a somewhat contrarian mood tonight.

Might it be possible, in a ridiculously small number of circumstances,
to use the inode number to begin building a map of the disk and
thereby reduce the complexity of finding an encryption key after the
server has been stolen?  (You know, for all those times when someone
breaks into a data center to steal a LAMP box ;)


Can you explain more?

The other way out things we came up with over a beer was monitoring it
to work out how often files were changing and maybe using it to work
out if other files were being changed due to the inode changing as
files were rearranged due to optimisation.

Robin


I know that certain disk encryption technologies store the key in
predictable locations on the hard disk. I don't do much work reversing
crypto, so I can't speak in great detail about it, it's just something
I ran across when comparing systems.  But, if this is true on the
system that's leaking inodes data, and you can determine a rate of
change (as you noted in your beer meeting), you may be able to
identify regions of the disk in which the key is unlikely to be
stored.

It's still a needle in a haystack problem, just a slightly smaller haystack.

I don't think of it as a realistic attack in most scenarios, but it's
theoretically interesting. Crypto attacks are often based on stacking
mathematical weaknesses, of which this would be one.



So on a severity level it could possibly be high but the technical
effort required in exploiting it would be so high to make it almost
impractical.

Doesn't really justify much more than a low info disclosure mention in
a report then.

Robin
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
Previous By Date Next
Previous By Thread Next

Current thread: