PEM file opened without DIRECT I/O which makes private key readable by attacker exploiting MELTDOWN

Raphael S. Carvalho raphaelsc at scylladb.com
Sun Jan 7 06:57:00 AEDT 2018


On Sat, Jan 6, 2018 at 5:38 PM, Philipp Marek <philipp at marek.priv.at> wrote:

>> I think we are possibly interested in switching to DIRECT IO (given that it
>> bypasses any caching system including page cache) when reading *.PEM file
>>
> Sorry, but this makes no sense.
> The data could just as well be read from the SSH process
> memory space.
>

I think that's actually not true. SSH process's stack and heap aren't
mapped/stored into the kernel space mapped in all user space programs, so
how come a malicious program running in victim's system could have access
to stack/heap memory of SSH process which is only mapped in its address
space? Please correct me if I'm wrong.


>
> Direct IO has some additional complexity; this may well
> be avoided.
>

Actually, it's only about adding a flag to open and making sure IO is DMA
aligned.


>
>
> It makes *zero* sense to panic now and start "hardening"
> [which direct IO wouldn't even be!] individual programs -
> if separate memory spaces are not available,
>    "all hope is lost".
>

I agree with this sentiment though, better to think it through and come up
with informed decisions, but I think this is possibly a direction worth
considering.
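As an added example of the change Raphael describes (it is not code from this thread or from OpenSSH), the following reads a whole PEM file through O_DIRECT with a DMA-aligned buffer: the buffer comes from posix_memalign, the requested length is rounded up to whole blocks so the final short read at EOF is legal, and the filesystem refusing O_DIRECT (EINVAL, as tmpfs does) falls back to a buffered read rather than failing. The 4096-byte alignment, the fallback policy and the sample key text are assumptions of this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumption: 4096 is a multiple of the device's logical block size, which is
 * what Linux O_DIRECT requires of the buffer address, file offset and length. */
#define DIO_ALIGN 4096

/* Round a byte count up to a whole number of DIO_ALIGN blocks (never zero). */
size_t direct_io_len(size_t nbytes)
{
    size_t blocks = (nbytes + DIO_ALIGN - 1) / DIO_ALIGN;
    if (blocks == 0)
        blocks = 1;
    return blocks * DIO_ALIGN;
}

/* Read a small file (e.g. a PEM key) into an aligned buffer via O_DIRECT so
 * the read does not populate the page cache.  If O_DIRECT is refused
 * (EINVAL) fall back to buffered I/O.  On success returns the byte count,
 * stores a NUL-terminated buffer in *out (caller free()s it) and sets
 * *used_direct to 1 if the direct path was used.  Returns -1 on error. */
ssize_t read_file_direct(const char *path, char **out, int *used_direct)
{
    int fd = -1;
    *out = NULL;
    *used_direct = 0;
#ifdef O_DIRECT
    fd = open(path, O_RDONLY | O_CLOEXEC | O_DIRECT);
    if (fd >= 0)
        *used_direct = 1;
    else if (errno != EINVAL)
        return -1;
#endif
    if (fd < 0)
        fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -1;

    off_t size = lseek(fd, 0, SEEK_END);
    if (size < 0 || lseek(fd, 0, SEEK_SET) < 0) {
        close(fd);
        return -1;
    }

    /* Ask for whole blocks: the last block comes back as a short read at
     * EOF, whereas a length that is not a block multiple would be EINVAL. */
    size_t want = direct_io_len((size_t)size);
    char *buf = NULL;
    if (posix_memalign((void **)&buf, DIO_ALIGN, want + 1) != 0) {
        close(fd);
        errno = ENOMEM;
        return -1;
    }

    size_t got = 0;
    while (got < (size_t)size) {
        ssize_t n = read(fd, buf + got, want - got);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            if (errno == EINVAL && *used_direct) {
                /* Some filesystems accept O_DIRECT at open() but reject it
                 * at read(); restart with buffered I/O instead of failing. */
                close(fd);
                fd = open(path, O_RDONLY | O_CLOEXEC);
                if (fd < 0) {
                    free(buf);
                    return -1;
                }
                *used_direct = 0;
                got = 0;
                continue;
            }
            close(fd);
            free(buf);
            return -1;
        }
        if (n == 0)
            break;
        got += (size_t)n;
    }
    close(fd);
    buf[got] = '\0';
    *out = buf;
    return (ssize_t)got;
}

/* Constructed sample, not a real key: its only job is to have a length that
 * is not a block multiple, so the final O_DIRECT read is a short one. */
static const char sample_pem[] =
    "-----BEGIN OPENSSH PRIVATE KEY-----\n"
    "bm90IGEgcmVhbCBrZXksIGp1c3QgYSBzYW1wbGU=\n"
    "-----END OPENSSH PRIVATE KEY-----\n";

/* Write the sample to a temp file and read it back through read_file_direct.
 * Returns 1 if the round trip reproduced the bytes exactly, else 0. */
int selftest_roundtrip(void)
{
    char path[] = "/tmp/pemdirectXXXXXX";
    int fd = mkstemp(path);
    if (fd < 0)
        return 0;
    size_t len = sizeof(sample_pem) - 1;
    int ok = write(fd, sample_pem, len) == (ssize_t)len;
    close(fd);
    char *data = NULL;
    int direct = 0;
    ssize_t n = ok ? read_file_direct(path, &data, &direct) : -1;
    unlink(path);
    ok = n == (ssize_t)len && data != NULL &&
         memcmp(data, sample_pem, len) == 0 && data[len] == '\0';
    free(data);
    return ok;
}

int main(void)
{
    printf("round trip %s\n", selftest_roundtrip() ? "ok" : "FAILED");
    return 0;
}
```

Two caveats a practitioner would check before relying on this: O_DIRECT only keeps this read from populating the page cache, it does not evict pages that an earlier buffered read of the same file already left there (posix_fadvise with POSIX_FADV_DONTNEED is the usual request for that, and it is only a hint); and, as Philipp points out above, the parsed key still lives in the process's own heap afterwards.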

