Re: Passing pointers as UIDs | kernel<->userspace communication
- Subject: Re: Passing pointers as UIDs | kernel<->userspace communication
- From: comex <email@hidden>
- Date: Tue, 18 Sep 2012 17:48:11 -0400
On Tue, Sep 18, 2012 at 5:22 PM, Jean Suisse <email@hidden> wrote:
> - The validity of the structure is checked using the "magic" variable (a
> member of the structure set to a predefined value, as shown in TCP Log NKE
> example).
That's not sufficient: for an attacker to even know the value of the
heap pointer compromises KASLR, and it's not hard to arrange for
kernel memory to contain user-specified values in various
arrangements, so he may be able to get the value of text pointers, the
HMAC key used to keep App Sandbox secure, or even private data from
another app.
> However, it would require a fair bit of reverse engineering, since
> connection to the kext, though open to any userspace app, requires the
> demanding app to authenticate itself first.
> The challenge response mechanism I use is not more difficult to crack than
> any other serial-key based authentication. But my app isn't that attractive,
> and isn't installed on that many computers to be worth the effort.
> I will make investigating this point a high priority.
There are a variety of possible threat models here, with varying
levels of attacker interest/experience (imagine if your app was known
to be installed on some political target's computer); but more
importantly, it's not like this is a fundamental tradeoff between
security and performance. It's not hard to implement a hash table or
just an array, as I said, and have the cost of looking the structure
up be almost negligible compared to, say, the system call overhead, so
you should do so and avoid the entire security can of worms.
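The lookup table comex recommends in place of raw heap pointers, written out as an added example for this thread (it is not code from comex, from Jean Suisse, or from any actual kext). Userspace receives only a small opaque integer; the kernel keeps the pointer in a fixed-size array, so neither the heap address nor anything derived from it reaches the client. The names conn_table and conn_handle_t, and the handle layout (a 16-bit slot index plus a 16-bit generation counter that changes every time a slot is reused), are assumptions made for this example. The generation counter is what turns a guessed or stale handle into a clean failure instead of a reference to whatever now lives in that slot.

```c
/* Added example for this thread (not code from comex, Jean Suisse or any
 * kext): an opaque handle table of the "just an array" kind comex proposes.
 * Userspace holds a small integer; the kernel heap pointer stays in the
 * table. conn_table, conn_handle_t and the handle layout (16-bit slot
 * index, 16-bit generation) are assumptions made for this example. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CONN_MAX 64            /* slots in the table; bounds checked on lookup */

struct conn {                  /* stands in for the per-client structure */
    uint32_t magic;
    int      owner_pid;
};

struct slot {
    struct conn *ptr;          /* kernel-private; never copied out */
    uint16_t     gen;          /* bumped on release so stale handles fail */
};

typedef uint32_t conn_handle_t;  /* the value userspace actually receives */
#define CONN_HANDLE_INVALID 0u

static struct slot conn_table[CONN_MAX];

/* Handle = generation in the high 16 bits, (slot index + 1) in the low 16,
 * so that 0 is never a valid handle and no bit of an address is exposed. */
static conn_handle_t make_handle(uint16_t index, uint16_t gen)
{
    return ((conn_handle_t)gen << 16) | ((conn_handle_t)index + 1u);
}

conn_handle_t conn_alloc(struct conn *c)
{
    for (uint16_t i = 0; i < CONN_MAX; i++) {
        if (conn_table[i].ptr == NULL) {
            conn_table[i].ptr = c;
            if (conn_table[i].gen == 0)      /* generation 0 is never issued */
                conn_table[i].gen = 1;
            return make_handle(i, conn_table[i].gen);
        }
    }
    return CONN_HANDLE_INVALID;              /* table full */
}

/* Every bit of the handle is untrusted input from userspace. */
struct conn *conn_lookup(conn_handle_t h)
{
    uint32_t idx1 = h & 0xffffu;
    uint16_t gen  = (uint16_t)(h >> 16);
    if (idx1 == 0 || idx1 > CONN_MAX)        /* reserved 0 or out of range */
        return NULL;
    struct slot *s = &conn_table[idx1 - 1];
    if (s->ptr == NULL || s->gen != gen)     /* freed slot, stale or forged handle */
        return NULL;
    return s->ptr;
}

int conn_release(conn_handle_t h)
{
    if (conn_lookup(h) == NULL)
        return -1;
    struct slot *s = &conn_table[(h & 0xffffu) - 1];
    s->ptr = NULL;
    if (++s->gen == 0)                       /* skip 0 on wraparound */
        s->gen = 1;
    return 0;
}

/* Exercises the table; returns the number of failed checks (0 = all passed). */
int conn_selftest(void)
{
    static struct conn c = { 0x4B455854u, 42 };   /* constructed sample record */
    int failures = 0;
    conn_handle_t h = conn_alloc(&c);
    failures += (h == CONN_HANDLE_INVALID);
    failures += (conn_lookup(h) != &c);
    failures += (conn_lookup(h ^ 0x10000u) != NULL);   /* wrong generation */
    failures += (conn_release(h) != 0);
    failures += (conn_lookup(h) != NULL);              /* stale handle */
    conn_handle_t h2 = conn_alloc(&c);                 /* same slot reused... */
    failures += (h2 == h);                             /* ...but a new handle */
    failures += (conn_lookup(h2) != &c);
    failures += (conn_release(h2) != 0);
    return failures;
}

int main(void)
{
    int failed = conn_selftest();
    printf("handle table self-test: %d failure(s)\n", failed);
    return failed ? 1 : 0;
}
```

The lookup is a bounds check, one array index and one compare, which is the "almost negligible" cost comex describes relative to a system call. In a real kext the table would also need a lock and per-slot ownership (for example the calling process), so that one client cannot act on another client's handle even after guessing it.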
Darwin-kernel mailing list (email@hidden)