Horn: Racing against the clock

source link: https://lwn.net/Articles/889183/

[Posted March 24, 2022 by corbet]
Jann Horn describes in great detail the process he went through to exploit a tiny race window in the kernel.

Luckily for us, the race window contains the first few memory accesses to the struct file; therefore, by making sure that the struct file is not present in the fastest CPU caches, we can widen the race window by as much time as the memory accesses take. The standard way to do this is to use an eviction pattern / eviction set; but instead we can also make the cache line dirty on another core.

Horn: Racing against the clock

Posted Mar 25, 2022 16:22 UTC (Fri) by tamiko (subscriber, #115350) [Link]

I find these investigations into "hard to exploit" security bugs incredibly fascinating.

Intuitively one would always say that it is next to impossible to exploit thing like (in this case) "a race window of 12 instructions", or (from a while ago) "an out-of-bounds write of a single character NULL"... and one is consistently proven wrong. It seems that every bug can be turned into an exploitable security vulnerability with enough energy and dedication.

Horn: Racing against the clock

Posted Mar 25, 2022 17:47 UTC (Fri) by rgmoore (✭ supporter ✭, #75) [Link]

Intuitively one would always say that it is next to impossible to exploit

I think "next to impossible" is just another way of saying "possible but really hard". At the same time, there's a strong element of reduced expectations working in your favor trying to exploit something this small. If you can't exploit the next to impossible bug, nobody thinks anything of it; it was just a bug that was too tiny. If you can exploit it, people are impressed by your cleverness in exploiting such a tiny thing.

Horn: Racing against the clock

Posted Mar 25, 2022 20:44 UTC (Fri) by epa (subscriber, #39769) [Link]

Linux could have a system call which slows down other processes or kernel threads to make race conditions easier to exploit. Then when writing a proof of concept, you could use that call to demonstrate the exploit exists in theory -- which should be enough to get it fixed. You might want to do the extra work to get it running without help from the slowdown() call, or you might be content to leave it at that.

In production systems, I dare say slowdown() would be disabled, or restricted to the root user.

Horn: Racing against the clock

Posted Mar 25, 2022 23:36 UTC (Fri) by marcH (subscriber, #57642) [Link]

Absolutely. In fact any concurrent system should let you easily insert delays in well chosen places for testing purposes.

Concurrency is one of the most difficult things to deal with in C, so it should be easier to test than the rest, not harder.
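The delay-insertion idea from the two comments above (epa's slowdown() and marcH's "well chosen places for testing"), shown as an added example that is not part of the LWN thread, Horn's article or the kernel: a hypothetical race_point() hook and a toy check-then-use routine, both constructed here. Armed for a named point, the hook parks the thread inside the window so the test can flip state from another thread and reproduce the race on the first try instead of hoping to win a twelve-instruction window.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <string.h>

/* Hypothetical race-point hook (this example's own construct, not a kernel or
 * libc API). Unarmed it costs one lock/unlock; armed for a matching name, the
 * caller parks until the harness releases it, widening the window at will. */
static pthread_mutex_t rp_lock = PTHREAD_MUTEX_INITIALIZER;
static pthread_cond_t rp_cond = PTHREAD_COND_INITIALIZER;
static const char *rp_armed;        /* set before the tested thread starts */
static int rp_reached, rp_released;
static void race_point(const char *name) {
    pthread_mutex_lock(&rp_lock);
    if (rp_armed && strcmp(rp_armed, name) == 0) {
        rp_reached = 1;
        pthread_cond_broadcast(&rp_cond);
        while (!rp_released) pthread_cond_wait(&rp_cond, &rp_lock);
    }
    pthread_mutex_unlock(&rp_lock);
}

/* Harness side: wait until a thread is parked at the armed point, run
 * `mutate` while it sits there (the "other core"), then let it continue. */
static void rp_intercept(void (*mutate)(void)) {
    pthread_mutex_lock(&rp_lock);
    while (!rp_reached) pthread_cond_wait(&rp_cond, &rp_lock);
    mutate();
    rp_released = 1;
    pthread_cond_broadcast(&rp_cond);
    pthread_mutex_unlock(&rp_lock);
}
/* Constructed code under test: check-then-use. Returns 0 on a clean use, -1 if
 * the check fails, -2 if the resource was invalidated inside the window. */
static _Atomic int resource_valid = 1;
int check_then_use(void) {
    if (!resource_valid) return -1;
    race_point("after_check");          /* the window, instrumented */
    return resource_valid ? 0 : -2;     /* "use" finds the check was stale */
}
static void *worker(void *out) { *(int *)out = check_then_use(); return NULL; }
static void invalidate(void) { resource_valid = 0; }
/* Reproduce the race deterministically: no sleeps, no spinning, no luck. */
int reproduce_race(void) {
    pthread_t t; int result = 99;
    resource_valid = 1;
    rp_armed = "after_check"; rp_reached = rp_released = 0;
    pthread_create(&t, NULL, worker, &result);
    rp_intercept(invalidate);
    pthread_join(t, NULL);
    return result;                      /* -2: used after invalidation */
}
```

In a real code base the hook would compile to nothing outside test builds, the way the kernel's fault-injection points do; the point is that the window becomes a named, addressable place rather than something a test has to win by timing.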

Horn: Racing against the clock

Posted Mar 26, 2022 0:55 UTC (Sat) by cypherpunks2 (guest, #152408) [Link]

It would be better to support it through an interface in debugfs than to add a new syscall. Actually, can ftrace be made to do something like this?

Horn: Racing against the clock

Posted Mar 26, 2022 5:00 UTC (Sat) by milesrout (subscriber, #126894) [Link]

Fascinating