[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Vulnerabilities in Synchronous IPC Designs

From: Jean-Charles Salzeber
Subject: Re: Vulnerabilities in Synchronous IPC Designs
Date: Mon, 2 Jun 2003 17:41:04 +0200
User-agent: Mutt/1.5.4i

On Mon, Jun 02, 2003 at 13:29, Espen Skoglund wrote:
> Just had a quick glance at the paper.  Here are some initial thoughts:
>   o An L4 server would typically never use timeouts (i.e., it will use
>     zero-timeouts) for message transfer, and the claim that timeouts
>     pose a denial-of-service threat for servers is therefore dubious.
Well, I guess the author talk about the XferTimeout set in the TCR, not
the "ipc" timeout.

The security issue shown in this paper is:
| The attack proceeds by first implementing a client-side page fault
| handler that simply never waits for a page faultnotification. With 
| this page fault handler in place, the client sends a string containing
| an undefined page to theshared server. The receiving server thread (in
| L4: task) is rendered inaccessable until the timeout expires. 
| In consequence, well-behaved clients cannot invoke the server.
| Multithreading does not circumvent this attack. It simply requires
| that several duplicates of the attacking client beused. All of these 
| duplicates can share in common a single defecting page fault handler.

This is exactly what is taken up in the L4 X2 ref manual:
| Pagefaults Three different types of pagefault can occur during ipc:
| pre-send, post-receive, and xfer pagefaults. Only xfer pagefault are
| critical from a security point of view. Fortunately, messages without
| strings will never raise xfer pagefaults and need thus no special
| pagefault provisions:
| ...
| - Xfer pagefaults: happen while the message is being transferred and
| both sender and receiver are involved. Therefore, xfer pagefaults are
| critical from a security perspective: If such a pagefault occurs in
| the receiver's space, the sender may be starved by a malicious
| receiver pager. An xfer pagefault in the sender's space and a
| malicious sender pager may starve the receiver. As such, xfer 
| pagefaults are controlled by the minimum of sender's and receiver's
| xfer timeouts. 
| However, xfer pagefaults can only happen when transferring strings. 
| Send messages without strings or receive buffers without receive
| string buffers are guaranteed not to raise xfer pagefaults.

So the question is: Is there any way to avoid denial of service if a
malicious client such send messages?


reply via email to

[Prev in Thread] Current Thread [Next in Thread]