Which approach should be taken for audit subsystem
Pawel Jakub Dawidek
nick at garage.freebsd.pl
Fri Apr 11 22:42:54 GMT 2003
On Fri, Apr 11, 2003 at 01:36:18PM -0400, Robert Watson wrote:
> > What is your opinion about this?
>
> Well, I believe it's still raceable. Consider the following scenario:
>
> A process creates two threads:
[...]
Yes, the window is smaller, but it is still there.
> When I talked with Neils about this vulnerability, he suggested a few
> possible workarounds:
>
> (1) Write out the string to the stack gap in process memory, and randomize
> the location. This can be raced, but it involved more work.
>
> (2) Use VM tricks to prevent the page holding the source from being
> modified. This would prevent the attack, but it might also break
> other things, including if the system call was intended to write back
> out to the same memory, or adjacent memory, or if other threads assume
> they can modify that memory.
For me this one is the best one.
Why?
I allocate page(s) for an argument _only_ if cerb's policy is trying to check
the syscall argument. Then I copy only this argument to the newly created page
and set the protection on this page to read-only.
In this case there should be no problem with arguments that are back-buffers,
because those arguments shouldn't be checked (what for?), so they shouldn't be
copied to new pages.
When the argument is a two-way buffer there is a problem, yes.
I'm not sure if copyout(9) respects vm page flags; if not, we could allocate
memory for the argument in a newly created place (read-only), call the syscall
and copy this argument to the old place before we get back to userland, but
after the syscall was called.
> Having done several wrapper-derived security modules, one of the big
> design requirements for the MAC Framework was that it avoid that sort of
> race, as well as be more locking friendly for kernel locking. I talk
> about this a fair amount in the DISCEX paper, and a bit in the FREENIX
> 2003 paper.
I'll try to find them. Thanks!
--
Pawel Jakub Dawidek pawel at dawidek.net
UNIX Systems Programmer/Administrator http://garage.freebsd.pl
Am I Evil? Yes, I Am! http://cerber.sourceforge.net
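The race the thread discusses, and the "copy the argument to a page the process cannot change, check it, then copy it back for two-way buffers" idea above, modelled in user space as an added example (not code from the mail, from cerb or from FreeBSD). "User memory" is a plain char array, copyin(9)/copyout(9) are bounded copies, the competing thread is a callback invoked at the point where the scheduler could run it, and the policy (only paths under /tmp/ allowed), the wrapper names and the "resolved:" result string are all constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed user-space model of a syscall-wrapper argument race.
 * "User memory" is an ordinary char array, copyin/copyout are bounded copies,
 * and the competing thread is a callback the wrapper invokes at the point
 * where the scheduler could run it. All names here are hypothetical. */
#define ARG_LEN 64

char user_arg[ARG_LEN];       /* the argument as it lives in user memory */
char last_acted_on[ARG_LEN];  /* what the wrapped syscall really used */

/* Hypothetical policy: only paths under /tmp/ are permitted. */
int policy_allows(const char *path)
{
    return strncmp(path, "/tmp/", 5) == 0;
}

/* Stand-in for copyin(9)/copyout(9): bounded, NUL-terminated copy. */
static void copy_str(const char *src, char *dst)
{
    strncpy(dst, src, ARG_LEN - 1);
    dst[ARG_LEN - 1] = '\0';
}

/* The wrapped syscall. It records the path it acts on and, because the
 * argument is modelled as a two-way buffer, writes a result back into it. */
static int real_syscall(char *path)
{
    char result[ARG_LEN];

    copy_str(path, last_acted_on);
    snprintf(result, sizeof result, "resolved:%s", path);
    copy_str(result, path);
    return 0;
}

/* A second thread of the same process that overwrites the argument. */
typedef void (*other_thread_t)(char *uaddr);

static void rewrite_arg(char *uaddr)
{
    copy_str("/not/allowed", uaddr);
}

/* Raceable wrapper: the check reads user memory, then the syscall reads it
 * again, so whatever runs in between is not covered by the check. */
int wrapper_double_fetch(char *uaddr, other_thread_t other)
{
    char check_copy[ARG_LEN];

    copy_str(uaddr, check_copy);
    if (!policy_allows(check_copy))
        return -1;              /* EACCES in a real kernel */
    if (other)
        other(uaddr);           /* the window */
    return real_syscall(uaddr); /* second fetch from user memory */
}

/* Snapshot wrapper: one fetch into a kernel-owned copy (the read-only page of
 * the mail, modelled as a stack buffer). Check and syscall both use the copy,
 * and the copy is written back before returning to userland so a two-way
 * buffer still carries the syscall's result. */
int wrapper_snapshot(char *uaddr, other_thread_t other)
{
    char snap[ARG_LEN];
    int rc;

    copy_str(uaddr, snap);
    if (!policy_allows(snap))
        return -1;
    if (other)
        other(uaddr);           /* same window, but uaddr is never re-read */
    rc = real_syscall(snap);
    copy_str(snap, uaddr);      /* copy back after the call, before return */
    return rc;
}

/* Runs one wrapper against a permitted argument with the rewriting thread
 * injected; inspect last_acted_on and user_arg afterwards. */
int run_case(int use_snapshot)
{
    copy_str("/tmp/ok", user_arg);
    last_acted_on[0] = '\0';
    return use_snapshot ? wrapper_snapshot(user_arg, rewrite_arg)
                        : wrapper_double_fetch(user_arg, rewrite_arg);
}

int main(void)
{
    run_case(0);
    printf("double fetch: check passed, syscall acted on %s\n", last_acted_on);
    run_case(1);
    printf("snapshot:     syscall acted on %s, user buffer now \"%s\"\n",
           last_acted_on, user_arg);
    return 0;
}
```

The model deliberately makes the "other thread" deterministic so both outcomes can be checked every run; in a real kernel the window is the gap between the wrapper's copyin and the syscall's own, which the snapshot closes by ensuring the syscall never touches user memory a second time. The copy-back after `real_syscall` is the mail's proposal for two-way buffers: the result reaches the caller's original location only once the call has completed.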