PaulDotCom mailing list archives
Re: ETag leaking inode info
From: Josh More <jmore () starmind org>
Date: Mon, 1 Oct 2012 17:06:29 -0500
On Mon, Oct 1, 2012 at 4:05 PM, Robin Wood <robin () digininja org> wrote:
> On 1 October 2012 19:42, Josh More <jmore () starmind org> wrote:
>> On Sat, Sep 29, 2012 at 3:27 PM, Robin Wood <robin () digininja org> wrote:
>>> On 28 September 2012 00:34, Josh More <jmore () starmind org> wrote:
>>>> I do not disagree, but I am in a somewhat contrarian mood tonight. Might it be possible, in a ridiculously small number of circumstances, to use the inode number to begin building a map of the disk and thereby reduce the complexity of finding an encryption key after the server has been stolen? (You know, for all those times when someone breaks into a data center to steal a LAMP box ;)
>>>
>>> Can you explain more? The other way-out things we came up with over a beer were monitoring it to work out how often files were changing and maybe using it to work out if other files were being changed due to the inode changing as files were rearranged due to optimisation.
>>>
>>> Robin
>>
>> I know that certain disk encryption technologies store the key in predictable locations on the hard disk. I don't do much work reversing crypto, so I can't speak in great detail about it; it's just something I ran across when comparing systems. But, if this is true on the system that's leaking inode data, and you can determine a rate of change (as you noted in your beer meeting), you may be able to identify regions of the disk in which the key is unlikely to be stored. It's still a needle-in-a-haystack problem, just a slightly smaller haystack. I don't think of it as a realistic attack in most scenarios, but it's theoretically interesting. Crypto attacks are often based on stacking mathematical weaknesses, of which this would be one.
>
> So on a severity level it could possibly be high, but the technical effort required in exploiting it would be so high as to make it almost impractical. Doesn't really justify much more than a low info-disclosure mention in a report then.

Yes. In fact, if the server isn't running encryption, I'd just call it an Informational finding. If, however, the server has highly sensitive data, is relying on the disk encryption to protect it and is located on an open street surrounded by high-tech thieves, it might warrant a High.

Seriously, I don't think it's worth worrying about.

-Josh More
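The check a tester would actually run on this finding, and the "rate of change" monitoring Robin and Josh discuss, as an added example that is not part of the thread above. It assumes an Apache-style ETag: three lowercase hex fields rendered as "inode-size-mtime" when FileETag includes INode, and two fields "size-mtime" when it does not. The observed ETag values in the block are constructed for illustration, not captured from any real host.

```python
"""Added example: decode Apache-style ETags and track inode/content changes.

Assumptions (not stated in the thread): ETags look like "inode-size-mtime"
(hex, inode present) or "size-mtime" (hex, inode removed from FileETag).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Optional weak-validator prefix, then two or three hex fields joined by '-'.
ETAG_RE = re.compile(r'^(?:W/)?"([0-9a-fA-F]+(?:-[0-9a-fA-F]+){1,2})"$')


@dataclass(frozen=True)
class FileETag:
    inode: Optional[int]  # None when the server does not expose it
    size: int
    mtime: int            # opaque timestamp; only compared for equality


def parse_etag(value: str) -> Optional[FileETag]:
    """Return the decoded fields, or None if the ETag is not Apache-style."""
    m = ETAG_RE.match(value.strip())
    if not m:
        return None
    fields = [int(x, 16) for x in m.group(1).split("-")]
    if len(fields) == 3:
        inode, size, mtime = fields
        return FileETag(inode, size, mtime)
    size, mtime = fields
    return FileETag(None, size, mtime)


def leaks_inode(value: str) -> bool:
    """The first check for this finding: does the ETag carry an inode number?"""
    tag = parse_etag(value)
    return tag is not None and tag.inode is not None


def classify_change(old: FileETag, new: FileETag) -> str:
    """Say what a change between two observations of the same URL implies."""
    if old == new:
        return "unchanged"
    if old.inode is None or new.inode is None:
        if (old.inode is None) != (new.inode is None):
            return "format-changed"  # FileETag setting changed between polls
    elif old.inode != new.inode:
        # A new inode means the file was replaced (written elsewhere and
        # renamed over the original), not edited in place.
        return "replaced"
    if old.size != new.size or old.mtime != new.mtime:
        return "modified-in-place"
    return "unchanged"


def change_history(observations: List[str]) -> List[str]:
    """Classify each consecutive pair of polled ETag values for one URL."""
    tags = [parse_etag(v) for v in observations]
    if any(t is None for t in tags):
        raise ValueError("non Apache-style ETag in observations")
    return [classify_change(a, b) for a, b in zip(tags, tags[1:])]


# Constructed observations of one URL polled over time (not real data).
OBSERVATIONS = [
    '"1a2b3-2cd-4e4a3b8c7f040"',   # baseline
    '"1a2b3-2cd-4e4a3b8c7f040"',   # nothing happened
    '"1a2b3-2d1-4e4a3c9d11a80"',   # same inode, new size/mtime: edited in place
    '"1a2c0-2d1-4e4a3ca0b2c00"',   # new inode: file replaced
]

if __name__ == "__main__":
    print("leaks inode:", leaks_inode(OBSERVATIONS[0]))
    print("history:", change_history(OBSERVATIONS))
```

A two-field ETag (FileETag without INode) parses but reports no inode, which is the state to confirm after the server-side fix; polling the same URL and feeding the values to change_history gives the per-file change rate the thread speculates about.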