On Mon, Apr 03, 2006 at 10:32:57AM -0600, Al Stone wrote:
> > As described in http://www.osreviews.net/reviews/devel/oprofile
> > OProfile allows unprivileged users to profile all code on a
> > system. This makes cryptographic services vulnerable to timing attacks
> > (e.g. compromise of secret keys).
>
> I could be completely wrong. Would it be possible for you to
> send me a demonstration of this scenario? If you wish, send it
> to me directly if you don't wish to publicize the flaw any more
> than necessary.
>

I assume he's referring to the fact that 'opreport' is runnable by
anyone. The most sensible way to work around this problem is to disable
read permissions for the sample directory, I suppose. Or not do any
profiling.

regards
john

