From RISKS: secret scrubbing code removed by optimizers

Darren Tucker dtucker at zip.com.au
Sat Nov 9 11:21:28 EST 2002


Thomas Binder wrote:
> The question is, though, why someone having access rights to read
> /dev/kmem or swap space wouldn't rather install a trojaned or
> otherwise modified sshd instead to snoop credentials.

A couple of reasons:

1) Malloc doesn't clear memory. Some platforms clear the memory before
malloc gets it, but some don't. On the ones that don't, an unprivileged
user can just keep malloc'ing memory and looking for something
interesting.

2) If I break into your box today, I could scan /dev/kmem and
potentially find a password you typed in last week. I might have to wait
weeks or months before you get bitten by a trojaned sshd.

3) In the worst case the memory containing the password could get
swapped out and remain on disk for *forever*. If I broke into your box
today I might find a password you entered last year.

These are long shots, but are you willing to bet your password on it?
Every time you enter it?

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

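The two points above (a scrub that the compiler must not drop, and the
"malloc and look for something interesting" scan) in working C. This is an
added example, not code from the original post or from OpenSSH; the names
secure_zero, find_pattern, all_zero and password_still_in_heap, and the
sample secret "hunter2-demo", are this example's own choices.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added example (not from the original post or from OpenSSH).
 *
 * A plain memset() on a buffer that is never read again is a dead store,
 * and an optimizing compiler may delete it. Writing through a
 * volatile-qualified pointer forces every store to happen. On platforms
 * that provide explicit_bzero() or memset_s() those do the same job.
 */
void secure_zero(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--)
        *vp++ = 0;
}

/* Returns 1 if every byte of p[0..n) is zero, else 0. */
int all_zero(const unsigned char *p, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (p[i] != 0)
            return 0;
    return 1;
}

/* Linear search of a memory region for a byte pattern: the "look for
 * something interesting" step, applied to one buffer instead of all of
 * memory. Returns the offset of the first match, or -1 if absent. */
long find_pattern(const unsigned char *hay, size_t haylen,
                  const unsigned char *needle, size_t needlelen)
{
    if (needlelen == 0 || needlelen > haylen)
        return -1;
    for (size_t i = 0; i + needlelen <= haylen; i++)
        if (memcmp(hay + i, needle, needlelen) == 0)
            return (long)i;
    return -1;
}

/* Model an authentication buffer: copy a constructed sample password into
 * a heap block, then either scrub it (scrub != 0) or hand it back untouched
 * (scrub == 0), as a program whose scrubbing code was optimized away would.
 * Returns 1 if the password is still findable in the block afterwards,
 * 0 if not, -1 on allocation failure. */
int password_still_in_heap(int scrub)
{
    static const char password[] = "hunter2-demo"; /* constructed sample */
    const size_t buflen = 256;
    unsigned char *buf = malloc(buflen);
    if (buf == NULL)
        return -1;
    memset(buf, 'A', buflen);                       /* surrounding data */
    memcpy(buf + 100, password, sizeof password - 1);

    if (scrub)
        secure_zero(buf, buflen);

    int found = find_pattern(buf, buflen,
                             (const unsigned char *)password,
                             sizeof password - 1) >= 0;
    free(buf);
    return found;
}

int main(void)
{
    printf("without scrub: password findable = %d\n",
           password_still_in_heap(0));
    printf("with scrub:    password findable = %d\n",
           password_still_in_heap(1));
    return 0;
}
```

The scan here only covers a buffer the program itself owns; the post's
point is that on a platform where malloc does not clear memory, the same
scan run over freshly malloc'd blocks (or over /dev/kmem or swap) can turn
up another process's leftovers, which is why the scrub must survive the
optimizer.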


More information about the openssh-unix-dev mailing list