
Re: Fwd: Syscall implementation could lead to whether or not a file exists



On Fri, Apr 04, 2003 at 01:19:44PM -0500, Phillip Hofmeister wrote:
> Not that it is a huge vulnerability I am going to lose sleep over.
> Just thought I'd throw it out here for discussion.
> 
> ----- Forwarded message from Andrew Griffiths <andrewg@d2.net.au> -----
> 
> From: Andrew Griffiths <andrewg@d2.net.au>
> Subject: Syscall implementation could lead to whether or not a file exists

> 	By timing how long it takes for the system call to return, you
> 	can pretty much tell whether or not the file exists, because the
> 	failure time is, in my testing, three times shorter than if the
> 	file exists.

> [...]

> Fix:
> 
> 	No known fix exists. Not exactly sure whether a fix is
> 	appropriate, as the kernel is meant to be as fast as possible.

 Yeah, is it ever possible to defend against timing attacks without slowing
everything down to the slowest case?  Andrew says FreeBSD caches stuff:

> On some OS's (notably freebsd in my testing) it will store the results of
> into its cache (different to linux, in the sense that it throws off the
> algo above.). Thus, if you just create a file and time open()ing that, then
> compare it with a file that has been recently opened, you don't get a fair
> comparison.

 But that wouldn't help when the cache misses.  Any time the access takes a
long time, you know the file exists (with reasonable, but not perfect,
certainty, because the extra delay could have been because of a hardware
interrupt or something.)  To defend against timing attacks by caching, you'd
need to make sure all the files you wanted to keep hidden were cached at all
times.  That makes the cache more than just a cache, since an attacker could
try to flush (or more accurately, pollute) a normal cache by creating tons
of files, or making a few really big files, or whatever is necessary to get
the files of interest out of the cache.

> Information is this email may be redistributed as long as the below 
> signature stays attached.

 The typo rendered this sentence meaningless, but I'm feeling charitable
today :)

> Thanks,
> Andrew Griffiths
> -- 
> Attention: Public floggings will continue until morale improves.
> 
> MidWay_/#melb-wireless licks txrxafk while his defenses are down.
> <MidWay_> Oh boy. That could have been taken out of context.

-- 
#define X(x,y) x##y
Peter Cordes ;  e-mail: X(peter@llama.nslug. , ns.ca)

"The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces!" -- Plautus, 200 BC
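As an added illustration (not part of the thread, nor code from either poster), the Python below measures what Andrew describes, the median open(2) latency for a present and an absent file, next to the defence Peter raises: padding every call out to a fixed floor so the two cases finish in the same time. The scratch file names, the floor and the sample count are assumptions; medians are used because, as Peter notes, a single sample is thrown off by interrupts and scheduling noise.

```python
import os
import statistics
import tempfile
import time


def timed_open(path):
    """One open(2) probe: (exists, seconds) as a caller timing the syscall sees it."""
    t0 = time.perf_counter()
    try:
        fd = os.open(path, os.O_RDONLY)
    except FileNotFoundError:
        return False, time.perf_counter() - t0
    os.close(fd)
    return True, time.perf_counter() - t0


def padded_open(path, floor_s):
    """Same probe, but never returns before floor_s has elapsed:
    the 'slow everything down to the slowest case' defence."""
    t0 = time.perf_counter()
    exists, _ = timed_open(path)
    # Re-check the clock after each sleep so the floor holds even if sleep wakes early.
    while True:
        remaining = floor_s - (time.perf_counter() - t0)
        if remaining <= 0:
            break
        time.sleep(remaining)
    return exists, time.perf_counter() - t0


def median_latency(probe, path, samples):
    """Median over many samples; one sample is skewed by interrupts and scheduling."""
    return statistics.median(probe(path)[1] for _ in range(samples))


def compare(floor_s=0.001, samples=100):
    """Probe a present and an absent file (constructed in a scratch dir) raw and padded."""
    with tempfile.TemporaryDirectory() as scratch:
        present = os.path.join(scratch, "present.txt")  # assumed scratch names
        absent = os.path.join(scratch, "absent.txt")
        open(present, "w").close()

        def padded(p):
            return padded_open(p, floor_s)

        return {
            "present_detected": timed_open(present)[0],
            "absent_detected": timed_open(absent)[0],
            "raw_present": median_latency(timed_open, present, samples),
            "raw_absent": median_latency(timed_open, absent, samples),
            "padded_present": median_latency(padded, present, samples),
            "padded_absent": median_latency(padded, absent, samples),
        }
```

Run compare() and print the dict: the raw medians differ (cache state permitting), while both padded medians sit at the floor, which is exactly the cost Peter asks whether one can avoid.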
