Re: Security: information leaks in /proc enable keystroke recovery

[Oliver Pinter]

On 8/16/09, David Wagner <daw@xxxxxxxxxxxxxxx> wrote:
> At Usenix Security 2009, two researchers announced last week a new
> security vulnerability in multi-user Linux systems.  They demonstrated
> that one user can, in many cases, recover partial information about
> the keystrokes that another user types into applications running on
> that system.  For instance, they demonstrate how a malicious user can
> recover partial information about SSH passwords typed by other users,
> reducing the password search space by a factor of 250-2000x in
> their experiments.  Thus, this could facilitate password recovery.
>
> Question: Are there any plans to modify the Linux kernel to defend
> against this kind of attack?
>
> The paper is here:
>
> http://www.usenix.org/events/sec09/tech/full_papers/zhang.pdf
>
> In a nutshell, they exploit the fact that many files in /proc are
> world-readable yet contain sensitive information that can leak information
> about inter-keystroke timings.  For instance, /proc/$PID/stat reveals the
> ESP and EIP registers of the associated process, and is world-readable.
> /proc/pid/status is also mentioned as revealing information that could
> be exploited in these attacks.
>
> Based on my understanding of their work, it sounds like some of
> the information on those files should perhaps not be world-readable.
> It's not clear to me that it's reasonable for the kernel to reveal ESP,
> EIP, and other sensitive information about process behavior to everyone
> on the same system.
>
> Are folks already aware of these vulnerabilities?  Is there any work
> underway to try to address the issues identified in the Usenix Security
> paper?
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/
>

[snip]
6.2 Information Leaks in the Procfs of
       Other UNIX-like Systems
Besides Linux, most other UNIX-like systems also im-
plement procfs. These implementations vary from case
to case, and as a result, their susceptibilities to side-
channel attacks also differ. Here we discuss such privacy
risks on two systems, FreeBSD and OpenSolaris.
   FreeBSD manages its process ïles more cautiously
than Linux12 : it puts all register values into the ïle
/proc/pid/regs that can only be read by the owner
of a process, which blocks the information used by
our attack. However, we found that other informa-
tion released by the procfs can lead to similar attacks.
A prominent example is the system time reported by
/proc/pid/status, a ïle open to every user. Fig-
ure 11 shows the correlations between the time con-
sumed by vim and the keystrokes it received, as ob-
served in our research. This demonstrates that keystroke
events within the process can be identiïed from the
change of its system time, which makes keystroke eaves-
dropping possible. A problem here is that we may not
be able to detect special keys a user enters, for example,
âMOV CURSORâ, which is determined from ESP/EIP in-
formation on Linux. A possible solution is using the dis-
crepancies of system-time increments triggered by dif-
ferent keys being entered to ïngerprint these individual
keys. Further study of this technique is left to our future
research.
[/snip]
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/