Ken Buchanan wrote:
>> I thought you had to have administrator access before you were

> If you took Joanna to mean 'User privileges' when she said
> 'user-mode', then you were mistaken.  The opposite of user mode is
> kernel mode.

Yes, I think that would be my foot-in-mouth there. I misread the article,
misinterpreting privileges when it meant non-kernel mode.

> 
>> I'm just wondering how flawed the implementation of the windows paging
>> model is that it would allow for this kind of breach. The standard model
>> I'm familiar with would simply flush the page from memory, and would not
>> keep a copy in the external page-file, instead relying on the copy that
>> already exists on the disk.
> 
> Can you explain this objection a little better?  I understand Joanna's
> attack to imply that she is  forcing OS code to be paged out of
> memory, meaning it is now on disk and no longer in physical memory.
> She modifies the paged-out code using raw disk writes, since
> sector-level access bypasses the file system's access control
> protection.  Then, when the OS code is needed again, it is paged back
> into physical memory carrying whatever little Easter Egg Joanna
> cared to hide in it.

Again, a slight silliness on my behalf - I was thinking that the modifications
were being made to the content of the page-file and not the binary on-disk, as
mentioned in the article:

  This isn't simple for hackers to execute, however. "For the attack to succeed,
  one needs to find a reliable way to force interesting kernel code to be paged
  out, then find that code inside a page file and modify it. And finally, the
  kernel needs to load that code (now modified) again into physical memory and
  execute it," she says. "The proof-of-concept code I implemented solves all
  those challenges allowing for very reliable exploitation."

I presume the flaw with the OS is that the code signing check only occurs once,
at driver load time, rather than every time any part of it gets paged in.

I've seen malicious cache page corruption on Solaris, where you corrupt a page
that is already loaded in memory, which does not require root access to work.

-- 
Pete    +353 (87) 412 9576 [M]
The first time, it's a KLUDGE!
The second, a trick.
Later, it's a well-established technique!

        -- Mike Broido, Intermetrics
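The mitigation a defender would reach for against the pageable-kernel-code problem discussed above is to stop the kernel and driver code from being paged out at all, so there is nothing in the page file to tamper with. The following is an added example, not code from this thread or from Joanna's work; it audits and sets the Windows DisablePagingExecutive value (a real Memory Management setting; the variable names are mine) and assumes an elevated PowerShell session.

```powershell
# Added example: audit and harden the kernel paging setting.
# DisablePagingExecutive = 1 keeps the executive and driver code resident
# in physical memory instead of allowing it to be written to pagefile.sys.
$mmKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$name  = 'DisablePagingExecutive'

$current = (Get-ItemProperty -Path $mmKey -Name $name -ErrorAction SilentlyContinue).$name
if ($null -eq $current) { $current = 0 }   # absent value behaves as 0 (paging allowed)

if ($current -eq 1) {
    Write-Output "$name is already 1: kernel/driver code stays resident."
} else {
    Write-Output "$name is $current: pageable kernel code may land in the page file."
    # Remediate; the change takes effect only after a reboot.
    Set-ItemProperty -Path $mmKey -Name $name -Value 1 -Type DWord
    Write-Output "Set $name to 1. Reboot required for the change to apply."
}
```

This keeps kernel code out of the page file but does nothing about raw sector-level write access itself, so it complements rather than replaces restricting that access to administrators.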

_______________________________________________
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
