[PATCH] UBUNTU: SAUCE: ptrace: restrict ptrace scope to children

Scott James Remnant scott at ubuntu.com
Thu May 13 09:13:27 BST 2010


On Wed, 2010-05-12 at 15:22 -0700, Kees Cook wrote:

> As Linux grows in popularity, it will become a growing target for
> malware. One particularly troubling weakness of the Linux process
> interfaces is that a single user is able to examine the memory and
> running state of any of their processes. For example, if one application
> (e.g. Empathy) was compromised, it would be possible for an attacker to
> attach to other processes (e.g. Firefox) to extract additional credentials
> and continue to expand the scope of their attack.
> 
This is completely possible anyway, even with your patch.  I would do
the following:

 - send SIGSTOP to the compositor to disable screen updates

 - send command to firefox to save browser state and exit
   (or SIGKILL)

 - fork/exec firefox again (will reappear on the screen as it was
   before)

 - firefox is now your child, ptrace

 - send SIGCONT to the compositor to resume screen updates

Firefox is now being ptraced, but the user never knows what happens.


So your patch adds inconvenience for no additional security, thus I
object to this.

Scott
-- 
Scott James Remnant
scott at ubuntu.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part
Url : https://lists.ubuntu.com/archives/kernel-team/attachments/20100513/33726f5a/attachment.pgp 


More information about the kernel-team mailing list