Re: Passing pointers as UIDs | kernel<->userspace communication
On Tue, Sep 18, 2012 at 5:22 PM, Jean Suisse <jean.lists@gmail.com> wrote:
- The validity of the structure is checked using the "magic" variable (a member of the structure set to a predefined value, as shown in the TCP Log NKE example).
That's not sufficient: for an attacker to even know the value of the heap pointer compromises KASLR, and it's not hard to arrange for kernel memory to contain user-specified values in various arrangements, so he may be able to get the value of text pointers, the HMAC key used to keep App Sandbox secure, or even private data from another app.
However, it would require a fair bit of reverse engineering, since connection to the kext, though open to any userspace app, requires the demanding app to authenticate itself first. The challenge-response mechanism I use is not more difficult to crack than any other serial-key based authentication. But my app isn't that attractive, and isn't installed on that many computers to be worth the effort. I will make investigating this point a high priority.
There are a variety of possible threat models here, with varying levels of attacker interest/experience (imagine if your app was known to be installed on some political target's computer); but more importantly, it's not like this is a fundamental tradeoff between security and performance. It's not hard to implement a hash table or just an array, as I said, and have the cost of looking the structure up be almost negligible compared to, say, the system call overhead, so you should do so and avoid the entire security can of worms.
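One way to do what the reply suggests, as an added example that is not from the thread or from either author's code: a fixed array of connection slots addressed by a small opaque handle, where the handle carries a generation tag so that a stale or guessed value fails validation instead of being dereferenced as a pointer. The table size, the magic constant and the owner field are constructed for the demo.

```c
#include <stdint.h>
#include <string.h>
/* Opaque connection handles instead of raw kernel pointers: userspace only sees a small integer
 * and the kext resolves it through its own table, so no heap address is disclosed. Constructed demo. */
#define MAX_CONN   16
#define CONN_MAGIC 0x4E4B4521u  /* constructed, stands in for the NKE "magic" member */
struct conn {
    uint32_t magic;
    uint16_t gen;     /* generation, bumped on close so stale handles are refused */
    int      in_use;
    uint32_t owner;   /* per-connection state, e.g. the calling process id */
};
static struct conn table[MAX_CONN];
/* Handle layout: high 16 bits = generation (never 0), low 16 bits = slot index. */
static uint32_t make_handle(uint16_t gen, uint32_t idx) {
    return ((uint32_t)gen << 16) | (idx & 0xFFFFu);
}
/* Claim a free slot for this owner; returns its handle, or 0 if the table is full. */
uint32_t conn_open(uint32_t owner) {
    for (uint32_t i = 0; i < MAX_CONN; i++) {
        struct conn *c = &table[i];
        if (c->in_use) continue;
        c->in_use = 1;
        c->magic  = CONN_MAGIC;
        c->owner  = owner;
        if (c->gen == 0) c->gen = 1;
        return make_handle(c->gen, i);
    }
    return 0;
}

/* Resolve a userspace-supplied handle: range, in-use flag, magic and generation must all agree. */
struct conn *conn_lookup(uint32_t h) {
    uint32_t idx = h & 0xFFFFu;
    uint16_t gen = (uint16_t)(h >> 16);
    if (idx >= MAX_CONN) return NULL;
    struct conn *c = &table[idx];
    if (!c->in_use || c->magic != CONN_MAGIC || c->gen != gen) return NULL;
    return c;
}

/* Release a slot and advance its generation, skipping 0 on wrap. */
int conn_close(uint32_t h) {
    struct conn *c = conn_lookup(h);
    if (!c) return -1;
    c->in_use = 0;
    c->magic  = 0;
    c->gen    = (uint16_t)(c->gen == 0xFFFF ? 1 : c->gen + 1);
    return 0;
}
```

The lookup cost is one bounds check and a few compares, which is the "almost negligible compared to the system call overhead" case the reply describes; the generation tag is what makes a reused slot reject the handle issued for its previous occupant.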
participants (1)
-
comex