Special Problems with Special Files

Copyright(c) Management Analytics, 1995 - All Rights Reserved

Copyright(c), 1990, 1995 Dr. Frederick B. Cohen - All Rights Reserved

Problem:

Some of the special files in UNIX map into memory areas or DMA device areas. These are used by programs like ps, which reads the system areas that hold the process table, and write, which sends messages to other users' terminals. As a side effect, these areas are accessible to any other program that can open the same special file.

For example, a program with read access to /dev/kmem can read kernel memory, and thus watch terminal I/O buffers for user IDs and passwords as they are typed. With write access to /dev/kmem, it can make arbitrary changes to memory while the system is running.

Prevention:

To reduce the likelihood of these attacks, many systems install ps as a setuid program owned by the superuser (or setgid to a dedicated group such as kmem), so any user running ps gains access to these areas only through that process. They then protect /dev/kmem so that only the superuser (or that group) can open it, thus providing the ps service while preventing direct access. Note that this moves the trust into ps itself: a flaw in a setuid ps hands out the same access, so the privileged helper deserves the same scrutiny as the device.

Detection:

You can detect the ability to read (or write) these files by examining their protection bits and ownership: /dev/kmem and /dev/mem should be neither readable nor writable by "other", their group should be a dedicated one rather than a general users group, and every program that is setuid or setgid in order to reach them should be listed and reviewed.
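The check described under Prevention and Detection above, as an added example that is not part of the original page: it stats the traditional memory-mapping device nodes and the ps helper and reports the permission and privilege bits. The paths in main() (/dev/kmem, /dev/mem, /dev/port, /bin/ps) are assumptions for the illustration and may not exist on a modern system; the classification functions work on any mode value.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Classify how widely the permission bits of a device node let it be
 * read.  /dev/kmem should come out "group-readable" (a dedicated group)
 * or "owner-only", never "world-readable". */
const char *readability(mode_t mode)
{
    if (mode & S_IROTH) return "world-readable";
    if (mode & S_IRGRP) return "group-readable";
    if (mode & S_IRUSR) return "owner-only";
    return "unreadable";
}

/* True if anyone other than the owner can write the node: the case that
 * allows arbitrary changes to kernel memory. */
int writable_beyond_owner(mode_t mode)
{
    return (mode & (S_IWGRP | S_IWOTH)) != 0;
}

/* Describe the privilege bits on a helper such as ps. */
const char *privilege_bits(mode_t mode)
{
    int suid = (mode & S_ISUID) != 0;
    int sgid = (mode & S_ISGID) != 0;
    if (suid && sgid) return "setuid+setgid";
    if (suid) return "setuid";
    if (sgid) return "setgid";
    return "none";
}

/* stat() a device node and report.  Returns 1 when the node is readable
 * by other or writable by anyone but its owner (a finding), 0 when it is
 * adequately protected, -1 when the path does not exist. */
int audit_device(const char *path)
{
    struct stat st;
    int finding;

    if (stat(path, &st) != 0) {
        printf("%-12s not present\n", path);
        return -1;
    }
    finding = (st.st_mode & S_IROTH) != 0 || writable_beyond_owner(st.st_mode);
    printf("%-12s %s, %s, uid=%u gid=%u: %s\n", path,
           readability(st.st_mode),
           writable_beyond_owner(st.st_mode) ? "writable beyond owner" : "write owner-only",
           (unsigned)st.st_uid, (unsigned)st.st_gid,
           finding ? "FINDING" : "ok");
    return finding;
}

/* stat() a privileged helper and report its setuid/setgid state.  Such a
 * program is the new trust boundary, so it deserves the same scrutiny as
 * the device node it opens.  Returns 1 if privileged, 0 if not, -1 if missing. */
int audit_helper(const char *path)
{
    struct stat st;

    if (stat(path, &st) != 0) {
        printf("%-12s not present\n", path);
        return -1;
    }
    printf("%-12s %s, owner uid=%u gid=%u\n", path,
           privilege_bits(st.st_mode), (unsigned)st.st_uid, (unsigned)st.st_gid);
    return (st.st_mode & (S_ISUID | S_ISGID)) != 0;
}

int main(void)
{
    /* traditional memory-mapping special files (assumed paths; absent on
     * many modern systems) */
    const char *devices[] = { "/dev/kmem", "/dev/mem", "/dev/port" };
    size_t i;

    for (i = 0; i < sizeof devices / sizeof devices[0]; i++)
        audit_device(devices[i]);
    audit_helper("/bin/ps");
    return 0;
}
```

A "FINDING" on a device node means the protection scheme above has been undone and any local user can read or write the memory it maps; a "setuid" or "setgid" helper is where the remaining trust now lives.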

Cure:

The cure is the prevention above: restrict the special files, and the privileged programs that read them, to the users who need them. Ultimately, though, similar problems will keep appearing as new devices and special files are added, and you will have to deal with them as they are discovered.

Problem:

Special files are the interface to device drivers, and as such they may introduce very subtle problems. For example, suppose there is a DMA device for taking video input from a camera into the system and displaying information stored in memory on an output display. If the driver is improperly designed, we can send a DMA request to the device that names system areas as the location to write the input into, and the hardware overwrites the operating system.

Prevention:

The only way to prevent this problem is to be very careful when writing device drivers: every address and length a user supplies must be checked before it reaches the hardware. On most systems the drivers come with the system, so there is nothing you can do by way of prevention except limit the users who can open the device's special file.
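The driver flaw described above and the check that prevents it, as an added example that is not part of the original page and not a real driver: a toy model of the request path in which a user process tells a video capture device where to write frames. The naive handler trusts the request verbatim; the careful one rejects anything outside user space. The address layout (USER_LO, USER_HI, KERNEL_LO, a 32-bit DMA engine, 64-byte alignment) is an assumption for the illustration; a real driver would additionally pin the pages and translate to physical addresses before programming the device.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed address layout for the model: user space is [USER_LO, USER_HI),
 * the kernel lives at and above KERNEL_LO, the device can only address
 * 32 bits, and its buffers must be 64-byte aligned. */
#define USER_LO    0x0000000000400000ULL
#define USER_HI    0x0000800000000000ULL
#define KERNEL_LO  0xffff800000000000ULL
#define DMA_MAX    0x00000000ffffffffULL
#define DMA_ALIGN  64ULL

/* What a user process hands the driver: where to put a frame, how big. */
struct dma_request {
    uint64_t target;
    uint64_t length;
};

enum dma_verdict {
    DMA_OK = 0,
    DMA_EMPTY,        /* zero-length transfer */
    DMA_OVERFLOW,     /* target + length wraps around */
    DMA_NOT_USER,     /* range leaves user space (kernel, process table, ...) */
    DMA_UNALIGNED,    /* hardware would silently round the address */
    DMA_UNREACHABLE   /* beyond what the engine can address; needs a bounce buffer */
};

/* The improperly designed driver: the request is accepted as given, so a
 * target inside the kernel lets the camera overwrite the operating system. */
enum dma_verdict dma_request_check_naive(const struct dma_request *r)
{
    (void)r;
    return DMA_OK;
}

/* The careful driver: every field of the user-supplied request is
 * validated before anything is programmed into the hardware. */
enum dma_verdict dma_request_check(const struct dma_request *r)
{
    uint64_t end;

    if (r->length == 0)
        return DMA_EMPTY;
    /* Check for wrap-around first; otherwise a huge length makes the
     * range test below pass with an end address smaller than the start. */
    if (r->length > UINT64_MAX - r->target)
        return DMA_OVERFLOW;
    end = r->target + r->length;
    /* The whole range, not just the first byte, must lie in user space. */
    if (r->target < USER_LO || end > USER_HI)
        return DMA_NOT_USER;
    if (r->target % DMA_ALIGN != 0)
        return DMA_UNALIGNED;
    if (end - 1 > DMA_MAX)
        return DMA_UNREACHABLE;
    return DMA_OK;
}

const char *dma_verdict_name(enum dma_verdict v)
{
    static const char *names[] = {
        "ok", "empty", "overflow", "not user memory", "unaligned", "unreachable"
    };
    return names[v];
}

int main(void)
{
    /* Constructed requests: a legitimate frame buffer and one aimed at the kernel. */
    struct dma_request good = { 0x10000000ULL, 4096 };
    struct dma_request evil = { KERNEL_LO + 0x1000ULL, 4096 };

    printf("naive driver, kernel target: %s\n",
           dma_verdict_name(dma_request_check_naive(&evil)));
    printf("checked driver, kernel target: %s\n",
           dma_verdict_name(dma_request_check(&evil)));
    printf("checked driver, user target: %s\n",
           dma_verdict_name(dma_request_check(&good)));
    return 0;
}
```

The order of the tests matters: the overflow check must come before the range check, since the classic driver bug is to compare only the start address and let an attacker-chosen length carry the transfer into system memory.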

Detection:

There is no way to systematically detect this problem without a great deal of hardware and software expertise.

Cure:

The only cure to this sort of problem is prevention.