funsec mailing list archives
Re: Fwd: [rforno () infowarrior org: [Infowarrior] - New attack bypasses virtually all AV protection]
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Mon, 10 May 2010 13:56:44 +1200
Rich Kulawiec wrote:
> I'm not qualified to evaluate this research on its technical merits, but I believe that some of you are.
It's a race attack against a classic TOCTTOU (pr. "tock-too"; time-of-check-to-time-of-use) vuln. The advisory's authors apparently don't know that terminology, but it's a class of security vulnerability that has been known for about as long as we've known about security vulnerabilities. IIRC (never actually laid eyes on the report myself) this is one of the categories in the (in)famous RISOS Project (Research In Secured Operating Systems) reports from the early 70s.

The typical "fix" to avoid such possibilities is use of a critical section (it's why they were invented, I think) or to make special atomic functions that are effectively chains of "smaller" functions. Neither is reasonable/possible here -- as I understand the advisory, the code that needs protection against this TOCTTOU can be arbitrarily pre-empted by the scheduler and it would (probably) take significant re-architecting of Windows to provide an atomic function for this special anti-malware purpose (and that would have to be made non-pre-emptible).

The advisory's authors suggest they have a solution, but they only make that information available to their paying clients.

Regards,

Nick FitzGerald

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
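Editor's added example (not part of Nick's post, the advisory, or any real product): a small C model of the TOCTTOU race he describes. A "hook" inspects an argument that sits in memory the caller can still write to, and the "original service" then uses that same memory. The scheduler pre-emption that makes the race possible is stood in for by an explicit callback invoked between the check and the use, so the outcome is deterministic rather than timing-dependent. Everything here is constructed: the policy (deny paths under `\protected\`), the argument layout, and the function names are all hypothetical. The hardened variant shows the general TOCTTOU defence of copying the argument once into private memory and checking and using only that copy; that is the editor's illustration of the vulnerability class, not the critical-section or atomic-function fixes Nick discusses, and not the advisory's undisclosed solution.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PATH_MAX_LEN 64

/* Constructed stand-in for a call argument living in caller-writable memory
 * (think: a user-mode buffer handed to a hooked kernel service). */
typedef struct {
    char path[PATH_MAX_LEN];
} call_args;

/* Models what another thread does if the scheduler pre-empts the hook
 * between its check and the service's use of the argument. */
typedef void (*preempt_fn)(call_args *shared);

/* Hypothetical policy the hook enforces: nothing under "\protected\". */
static bool path_allowed(const char *path) {
    return strncmp(path, "\\protected\\", 11) != 0;
}

/* The "original" service: records which path it actually operated on. */
static void original_service(const char *path, char *used, size_t used_len) {
    snprintf(used, used_len, "%s", path);
}

/* Vulnerable hook: checks the shared argument, then passes the SAME shared
 * memory on to the service. The window between the two is the TOCTTOU. */
int hooked_call_vulnerable(call_args *shared, preempt_fn preempt,
                           char *used, size_t used_len) {
    if (!path_allowed(shared->path))
        return -1;                          /* denied at check time */
    if (preempt) preempt(shared);           /* scheduler runs the other thread here */
    original_service(shared->path, used, used_len);  /* uses whatever is there now */
    return 0;
}

/* Hardened hook: snapshot the argument once into memory the caller cannot
 * reach, then check and use only the snapshot. The race still rewrites the
 * shared buffer, but nothing downstream reads it again. */
int hooked_call_hardened(call_args *shared, preempt_fn preempt,
                         char *used, size_t used_len) {
    char snapshot[PATH_MAX_LEN];
    memcpy(snapshot, shared->path, PATH_MAX_LEN);
    snapshot[PATH_MAX_LEN - 1] = '\0';      /* never trust caller-supplied termination */
    if (!path_allowed(snapshot))
        return -1;
    if (preempt) preempt(shared);           /* attacker rewrites the shared buffer... */
    original_service(snapshot, used, used_len);      /* ...but the checked copy is what gets used */
    return 0;
}

/* The racing thread: swap the benign argument for a forbidden one. */
static void attacker_swap(call_args *shared) {
    snprintf(shared->path, PATH_MAX_LEN, "\\protected\\config.sys");
}

/* Returns true if the race got a forbidden path past the given hook. */
bool race_bypasses(int (*hook)(call_args *, preempt_fn, char *, size_t)) {
    call_args args;
    char used[PATH_MAX_LEN] = {0};
    snprintf(args.path, PATH_MAX_LEN, "\\public\\readme.txt");  /* passes the check */
    if (hook(&args, attacker_swap, used, sizeof used) != 0)
        return false;                       /* denied outright: no bypass */
    return !path_allowed(used);             /* service ran on a forbidden path? */
}

int main(void) {
    printf("vulnerable hook bypassed: %s\n", race_bypasses(hooked_call_vulnerable) ? "yes" : "no");
    printf("hardened hook bypassed:   %s\n", race_bypasses(hooked_call_hardened) ? "yes" : "no");
    return 0;
}
```

Without the pre-emption callback both hooks behave identically, which is exactly why this class of bug survives testing: the window only matters when another thread lands in it. Nick's point about Windows stands here too; the snapshot pattern protects one hook, but it only works if every consumer downstream of the check reads the copy and nobody re-reads the caller's buffer.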
Current thread:
- Fwd: [rforno () infowarrior org: [Infowarrior] - New attack bypasses virtually all AV protection] Rich Kulawiec (May 09)
- Re: Fwd: [rforno () infowarrior org: [Infowarrior] - New attack bypasses virtually all AV protection] Nick FitzGerald (May 09)
- <Possible follow-ups>
- Re: Fwd: [rforno () infowarrior org: [Infowarrior] - New attack bypasses virtually all AV protection] Juha-Matti Laurio (May 12)