Bugtraq mailing list archives
Re: Trusted process on an untrusted machine?
From: pavel () SUSE CZ (Pavel Machek)
Date: Thu, 20 Jan 2000 19:03:39 +0100
Hi!
Some of the ways an attacker could bypass this protection: Solution: There should be a LOCK pin on most processors that locks the memory bus. The kernel module can lock the bus and proceed to zero out all memory not used by the good kernel's page tables.

No. You can't assume you know about all memory. (And I think LOCK does not work the way you imagine it). Rogue second cpu could be hiding in videoram of PCI card, for example.

You shouldn't need to know about all the memory. Insert a TLB entry to map a page of virtual memory to the first page of physical memory. Zero it out. Proceed to zero out every physical page of memory. Who cares if there is a physical page there or not. You only have 4gb to go through. It may trash some device detection though.

BTW I forgot about a trivial method to do this: put your rogue code into boot-prom of your network card. It is quite easy to do, and you can't zero ROM :-).

Remove heatsink from the cpu. Watch your "trusted" program do single-bit errors from time to time. Have fun.

Doh, I hadn't thought of that one ;)

This is really the worst of all, since it happens pretty often by accident. (You know, average life of cpu fan is 6 months or so.)

Pavel
--
The best software in life is free (not shareware)! Pavel
GCM d? s-: !g p?:+ au- a--@ w+ v- C++@ UL+++ L++ N++ E++ W--- M- Y- R+