Re: Vulnerabilities in Synchronous IPC Designs
From: Jean-Charles Salzeber
Subject: Re: Vulnerabilities in Synchronous IPC Designs
Date: Mon, 2 Jun 2003 17:41:04 +0200
User-agent: Mutt/1.5.4i
On Mon, Jun 02, 2003 at 13:29, Espen Skoglund wrote:
> Just had a quick glance at the paper. Here are some initial thoughts:
...
> o An L4 server would typically never use timeouts (i.e., it will use
> zero-timeouts) for message transfer, and the claim that timeouts
> pose a denial-of-service threat for servers is therefore dubious.
Well, I guess the author talks about the XferTimeout set in the TCR, not
the "ipc" timeout.
The security issue shown in this paper is:
| The attack proceeds by first implementing a client-side page fault
| handler that simply never waits for a page fault notification. With
| this page fault handler in place, the client sends a string containing
| an undefined page to the shared server. The receiving server thread (in
| L4: task) is rendered inaccessible until the timeout expires.
| In consequence, well-behaved clients cannot invoke the server.
| Multithreading does not circumvent this attack. It simply requires
| that several duplicates of the attacking client be used. All of these
| duplicates can share in common a single defecting page fault handler.
This is exactly what is taken up in the L4 X2 ref manual:
| Pagefaults Three different types of pagefault can occur during ipc:
| pre-send, post-receive, and xfer pagefaults. Only xfer pagefaults are
| critical from a security point of view. Fortunately, messages without
| strings will never raise xfer pagefaults and need thus no special
| pagefault provisions:
|
| ...
|
| - Xfer pagefaults: happen while the message is being transferred and
| both sender and receiver are involved. Therefore, xfer pagefaults are
| critical from a security perspective: If such a pagefault occurs in
| the receiver's space, the sender may be starved by a malicious
| receiver pager. An xfer pagefault in the sender's space and a
| malicious sender pager may starve the receiver. As such, xfer
| pagefaults are controlled by the minimum of sender's and receiver's
| xfer timeouts.
|
| However, xfer pagefaults can only happen when transferring strings.
| Send messages without strings or receive buffers without receive
| string buffers are guaranteed not to raise xfer pagefaults.
So the question is: Is there any way to avoid denial of service if a
malicious client sends such messages?
Regards,
JC
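
The availability argument in this message, as an added model that is not part of the original post or of any L4 code: a server with a fixed number of threads, where a string transfer whose sender-side pager never answers holds a thread for the minimum of the two xfer timeouts, as the quoted manual states. All names are hypothetical, and treating a string sent to a server without string buffers as refused at once is a modelling assumption.

```c
#include <stdint.h>

/* Toy model; all names are hypothetical, none is L4 X.2 API. */
#define MAX_THREADS 8

struct request {            /* one client invocation */
    uint64_t arrival;       /* tick at which the client sends */
    int has_string;         /* message carries a string item */
    int pager_defects;      /* sender's pager never resolves the fault */
    uint64_t sender_xfer;   /* sender's xfer timeout, in ticks */
};

/* Constructed sample: two defecting senders, then one honest client. */
const struct request sample[3] = {
    {0, 1, 1, UINT64_MAX}, {0, 1, 1, UINT64_MAX}, {1, 0, 0, 0},
};

/* Ticks for which a request occupies one server thread. */
static uint64_t hold_ticks(const struct request *q, uint64_t server_xfer,
                           int accept_strings, uint64_t service)
{
    if (q->has_string && !accept_strings)
        return 0;           /* assumption: refused, no xfer pagefault */
    if (q->has_string && q->pager_defects)  /* manual: min of both timeouts */
        return q->sender_xfer < server_xfer ? q->sender_xfer : server_xfer;
    return service;         /* well-behaved request */
}

/* Longest wait of a well-behaved client; reqs[] is sorted by arrival. */
uint64_t worst_wait(const struct request *reqs, int n, int threads,
                    uint64_t server_xfer, int accept_strings, uint64_t service)
{
    uint64_t free_at[MAX_THREADS] = {0}, worst = 0;
    if (threads < 1 || threads > MAX_THREADS)
        return UINT64_MAX;
    for (int i = 0; i < n; i++) {
        int t = 0;          /* server thread that becomes free first */
        for (int k = 1; k < threads; k++)
            if (free_at[k] < free_at[t])
                t = k;
        uint64_t start = free_at[t] > reqs[i].arrival ? free_at[t] : reqs[i].arrival;
        uint64_t hold = hold_ticks(&reqs[i], server_xfer, accept_strings, service);
        free_at[t] = hold > UINT64_MAX - start ? UINT64_MAX : start + hold;
        if (!reqs[i].pager_defects && start - reqs[i].arrival > worst)
            worst = start - reqs[i].arrival;
    }
    return worst;
}
```

With two server threads and a server xfer timeout of 1000 ticks, `worst_wait(sample, 3, 2, 1000, 1, 5)` gives 999; a zero server xfer timeout or a receive buffer without string buffers brings it to 0, and a single defecting sender against two threads also leaves it at 0.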