Special Problems with Special Files
Copyright(c) Management Analytics, 1995 - All Rights Reserved
Copyright(c), 1990, 1995 Dr. Frederick B. Cohen - All Rights Reserved
Problem:
Some of the special files in UNIX map into memory areas or DMA
device areas. They are used by programs like ps, which reads the system
areas that hold the process table, and write, which sends messages to
terminals. As a side effect, those same areas are reachable by any
other program that can open the special file.
For example, a program with read access to `/dev/kmem' can read
kernel memory, and thus watch terminal I/O buffers for user IDs and
passwords as they are typed. With write access to `/dev/kmem', you can
make arbitrary changes to kernel memory while the system is in operation.
Prevention:
To reduce the likelihood of these attacks, many systems set up the
ps program as a setuid program owned by the superuser (or setgid to a
group such as kmem that owns the device), so that any user running ps
reaches these areas only through that privileged process. They then
protect `/dev/kmem' so that only the superuser (or that group) can open
it, providing the ps service while preventing this attack.
Detection:
You can detect whether users other than the superuser can read or
write these files by examining their ownership and protection bits.
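The permission check described above, as an added example that is not part of the original page: it stats each memory-mapping device file and reports whether anyone but the owner can read or write it. The device list (`/dev/kmem' from the text plus its physical-memory sibling `/dev/mem'), the finding names and the function names are assumptions of this example, and modern systems often have no `/dev/kmem' at all, which the program reports rather than treating as an error.

```c
/* Added example, not from the original page: audit ownership and
 * permission bits of memory-mapping device files. Device list and
 * finding names are our own choices. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Findings as a bitmask so callers can inspect them, not just read output. */
enum {
    F_NOT_ROOT_OWNED = 1 << 0,
    F_GROUP_READ     = 1 << 1,
    F_GROUP_WRITE    = 1 << 2,
    F_WORLD_READ     = 1 << 3,
    F_WORLD_WRITE    = 1 << 4
};

/* Classify a mode/owner pair. Only the group and "other" triplets matter:
 * the owner is expected to be root, who can open the file regardless. */
unsigned perm_findings(mode_t st_mode, uid_t st_uid)
{
    unsigned f = 0;
    if (st_uid != 0)        f |= F_NOT_ROOT_OWNED;
    if (st_mode & S_IRGRP)  f |= F_GROUP_READ;
    if (st_mode & S_IWGRP)  f |= F_GROUP_WRITE;
    if (st_mode & S_IROTH)  f |= F_WORLD_READ;
    if (st_mode & S_IWOTH)  f |= F_WORLD_WRITE;
    return f;
}

/* Render a finding mask as space-separated names into buf; "owner-only"
 * means nobody but the owner can touch the file. */
const char *describe_findings(unsigned f, char *buf, size_t n)
{
    static const struct { unsigned bit; const char *name; } names[] = {
        { F_NOT_ROOT_OWNED, "not-root-owned" },
        { F_GROUP_READ,     "group-read" },
        { F_GROUP_WRITE,    "group-write" },
        { F_WORLD_READ,     "world-read" },
        { F_WORLD_WRITE,    "world-write" },
    };
    buf[0] = '\0';
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (!(f & names[i].bit)) continue;
        if (buf[0]) strncat(buf, " ", n - strlen(buf) - 1);
        strncat(buf, names[i].name, n - strlen(buf) - 1);
    }
    return buf[0] ? buf : "owner-only";
}

/* stat() one device file and print a one-line report. Returns the finding
 * mask, or -1 if the file cannot be stat'ed (ENOENT is normal on systems
 * that no longer provide /dev/kmem). */
int audit_device(const char *path)
{
    struct stat st;
    char buf[128];
    if (stat(path, &st) != 0) {
        printf("%s: %s\n", path, strerror(errno));
        return -1;
    }
    unsigned f = perm_findings(st.st_mode, st.st_uid);
    printf("%s: mode %04o uid %u gid %u -> %s\n", path,
           (unsigned)(st.st_mode & 07777), (unsigned)st.st_uid,
           (unsigned)st.st_gid, describe_findings(f, buf, sizeof buf));
    return (int)f;
}

int main(void)
{
    /* Assumption: a Linux-style /dev layout. Add other memory or port
     * devices your system provides. */
    const char *devices[] = { "/dev/kmem", "/dev/mem" };
    for (size_t i = 0; i < sizeof devices / sizeof devices[0]; i++)
        audit_device(devices[i]);
    return 0;
}
```

Anything other than "owner-only" (or a group entry for a group whose only members are privileged tools such as ps) deserves a look; a world-read finding on `/dev/kmem' is exactly the condition the Problem above describes.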
Cure:
You can cure the problem by preventing it, but similar problems
will continue to surface over time, and you will have to deal with them
as they are discovered.
Problem:
Special files are the interface to device drivers, and as such they
may introduce very subtle problems. For example, suppose there is a DMA
device that takes video input from a camera into system memory and
displays information stored in memory on an output display. If the
driver is improperly designed, we can send it a DMA request naming
system areas as the destination for the camera input, and the device
will overwrite the operating system.
Prevention:
The only way to prevent this problem is to be very careful when
writing device drivers: a driver must check every address and length in
a request against memory it actually owns before handing them to the
hardware. In most systems the drivers come with the system, so there is
nothing you can do for prevention except limit the users who can open
the device files.
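The check a careful driver makes, as an added example that is not part of the original page: the request format, the frame-buffer region and the function names are assumptions of this example, and a real driver would receive the request through an ioctl and program the DMA controller with the validated address. The unchecked version accepts the request the Problem above describes; the checked version rejects it, and also rejects a length chosen so that destination plus length wraps around back into the allowed region.

```c
/* Added example, not from the original page: validating a user-supplied
 * DMA destination before programming the device. Request and region
 * layouts are our own. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* What a user program sends: "put the next camera frame here". The
 * address is in the device's (bus/physical) address space. */
struct dma_req {
    uint64_t dst;   /* destination bus address */
    uint64_t len;   /* bytes the device will write */
};

/* The region the driver allocated for frames: the only place a DMA
 * write is allowed to land. */
struct dma_region {
    uint64_t base;
    uint64_t size;
};

/* Vulnerable: trusts the caller's address. A request naming the kernel's
 * own pages lets the camera overwrite the operating system. */
bool dma_req_accept_unchecked(const struct dma_region *r, const struct dma_req *q)
{
    (void)r;
    return q->len != 0;   /* the only "validation" performed */
}

/* Hardened: the whole transfer must lie inside the driver's region, and
 * the bounds arithmetic must not wrap. Checking len against size first
 * guarantees r->size - q->len cannot underflow. */
bool dma_req_accept_checked(const struct dma_region *r, const struct dma_req *q)
{
    if (q->len == 0)                          return false;
    if (q->dst < r->base)                     return false;
    if (q->len > r->size)                     return false;
    /* dst - base <= size - len  <=>  dst + len <= base + size, without overflow */
    if (q->dst - r->base > r->size - q->len)  return false;
    return true;
}

int main(void)
{
    /* Constructed sample: a 1 MiB frame region and a request aimed at the
     * first page of memory, where the kernel may live. */
    struct dma_region frames = { 0x10000000u, 0x100000u };
    struct dma_req good   = { 0x10000000u, 4096 };
    struct dma_req kernel = { 0x0u, 4096 };
    struct dma_req wrap   = { 0x100FFFFFu, UINT64_MAX };

    printf("good   unchecked=%d checked=%d\n",
           dma_req_accept_unchecked(&frames, &good), dma_req_accept_checked(&frames, &good));
    printf("kernel unchecked=%d checked=%d\n",
           dma_req_accept_unchecked(&frames, &kernel), dma_req_accept_checked(&frames, &kernel));
    printf("wrap   unchecked=%d checked=%d\n",
           dma_req_accept_unchecked(&frames, &wrap), dma_req_accept_checked(&frames, &wrap));
    return 0;
}
```

On hardware with an IOMMU the mapping the driver programs enforces the same boundary a second time, but the software check is still what keeps a bad request from being programmed in the first place.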
Detection:
There is no way to systematically detect this problem without a
great deal of hardware and software expertise.
Cure:
The only cure to this sort of problem is prevention.