/proc/*/mem and mmap() security hole?

Andrej Presern (andrejp@luz.fe.uni-lj.si)
Thu, 08 Jan 1998 12:17:15 +0100


Hello

While working on a project I learned that a process can
mmap() another process' address space (owned by the same
user) via /proc/pid/mem. Now it makes me wonder if there
is a way a process can prevent some other process from
accessing any of its address space. Not being able to do
so would open up a potential security hole that would
enable the superuser to extract the information that is
supposed to stay private by mmap()ing the address space
of an interesting process into its own and examining (and
possibly modifying) it.

While an evil superuser could do this in some other way
anyway (for example by substituting the original program
with a hacked version that logs interesting information),
on a normal system, the superuser will not do a thing like
that. But if the system is compromised this feature opens
the intruder a whole new way of possibilities, since
no files need to be modified (which would trigger tripwire)
in order to get the thing done.

I can think of a whole range of possible attacks using
this, such as capturing user passwords by dumping the
login's address space or creating a virtually undetectable
backdoor by modifying (or even replacing) some system
process. This kind of attack would not be trivial of course,
but instead of being nontrivial to implement I'd prefer
them not to be possible at all.

Can someone with more in-depth knowledge please shed some light
on this?

Andrej
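The question in the post is whether a process can keep other processes of the same user out of its address space. The following is an added example, not part of the mailing-list message and not something the poster wrote; it assumes a modern Linux kernel, where a process can mark itself non-dumpable with prctl(PR_SET_DUMPABLE, 0). A non-dumpable process's /proc/<pid>/mem is owned by root and fails the kernel's ptrace-access check, so an unprivileged process of the same user can no longer open it (a process holding CAP_SYS_PTRACE still can). Note that on current kernels /proc/<pid>/mem no longer supports mmap() at all; it is accessed with pread()/pwrite(), which is what the probe below uses. The child process, the marker value and the helper name probe_child_mem are constructed for the demonstration.

```c
/* Added example (not from the original post): a forked child optionally
 * makes itself non-dumpable, and the parent tests whether it can still
 * read the child's memory through /proc/<pid>/mem.
 * Build and run: cc -std=gnu11 -Wall demo.c -o demo && ./demo */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <unistd.h>

enum access_result { ACCESS_ALLOWED = 0, ACCESS_DENIED = 1, ACCESS_ERROR = 2 };

/* Constructed marker the child stores in its own copy of `secret`. */
#define CHILD_MARKER 0x00C0FFEEu

/* The parent's copy stays 0 after fork; only the child's copy changes. */
static volatile uint32_t secret = 0;

/* Fork a child that (optionally) becomes non-dumpable and then waits.
 * The parent reads the child's `secret` via /proc/<pid>/mem. The fork keeps
 * the same address layout in both processes, so &secret is valid in the
 * child. Returns ACCESS_ALLOWED if the marker was read from the child,
 * ACCESS_DENIED if the kernel refused access, ACCESS_ERROR otherwise. */
int probe_child_mem(int make_non_dumpable)
{
    int ready[2];
    if (pipe(ready) != 0)
        return ACCESS_ERROR;

    pid_t pid = fork();
    if (pid < 0)
        return ACCESS_ERROR;

    if (pid == 0) {                      /* child: the "interesting process" */
        close(ready[0]);
        secret = CHILD_MARKER;           /* copy-on-write: child's page only */
        if (make_non_dumpable)
            prctl(PR_SET_DUMPABLE, 0, 0, 0, 0);   /* the mitigation */
        char go = 'r';
        if (write(ready[1], &go, 1) != 1)         /* tell parent we are ready */
            _exit(1);
        for (;;)
            pause();                     /* wait to be killed by the parent */
    }

    /* parent: wait until the child has set itself up */
    close(ready[1]);
    char go;
    ssize_t got = read(ready[0], &go, 1);
    close(ready[0]);
    int result = ACCESS_ERROR;
    if (got == 1) {
        char path[64];
        snprintf(path, sizeof path, "/proc/%d/mem", (int)pid);
        int fd = open(path, O_RDONLY);
        if (fd < 0) {
            /* EACCES/EPERM: the ptrace-access check (or the root-owned
             * /proc entry of a non-dumpable task) refused us. */
            result = (errno == EACCES || errno == EPERM) ? ACCESS_DENIED
                                                         : ACCESS_ERROR;
        } else {
            uint32_t value = 0;
            /* The file offset of /proc/<pid>/mem is the virtual address. */
            ssize_t n = pread(fd, &value, sizeof value,
                              (off_t)(uintptr_t)&secret);
            close(fd);
            if (n == (ssize_t)sizeof value && value == CHILD_MARKER)
                result = ACCESS_ALLOWED;
            else if (n < 0 && (errno == EACCES || errno == EPERM))
                result = ACCESS_DENIED;
        }
    }

    kill(pid, SIGKILL);
    waitpid(pid, NULL, 0);
    return result;
}

int main(void)
{
    static const char *names[] = { "allowed", "denied", "error" };
    printf("dumpable child:     access %s\n", names[probe_child_mem(0)]);
    printf("non-dumpable child: access %s\n", names[probe_child_mem(1)]);
    return 0;
}
```

Run as an unprivileged user, the dumpable child is readable (the parent is the child's ancestor, so even Yama ptrace_scope=1 permits it) and the non-dumpable child is not. PR_SET_DUMPABLE also suppresses core dumps, and the kernel applies it automatically to processes that changed credentials through a setuid/setgid executable; a system-wide complement is the Yama ptrace_scope sysctl, which restricts which same-user processes may pass the ptrace-access check at all.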