Posted by Eric Sosman on 05/01/07 19:20

David T. Ashley wrote On 05/01/07 14:19,:
> "Rainer Weikusat" <rweikusat@mssgmbh.com> wrote in message
> news:87tzuwxypg.fsf@fever.mssgmbh.com...
>
>>"David T. Ashley" <dta@e3ft.com> writes:
>>
>>[...]
>>
>>
>>>However, I was thinking that I could use the PHP proc_open() function:
>>>
>>>http://us.php.net/manual/en/function.proc-open.php
>>>
>>>to pass the information to the compiled C program's stdin and get
>>>information back from stdout securely (without others being able to
>>>eavesdrop).
>>
>>You could try something simple, like writing the key to a file only
>>readable by someone with the 'correct' UID and pass the name of the
>>file to the program via commandline argument.
>
>
> Yeah, this may be simplest of all. Now that everyone has shattered my
> vision of pipes as secure, this is possible also. If you have a UID/GID
> adequate to read the file, then you have a UID/GID adequate to eavesdrop on
> pipes as well.

Yeah, but opening and reading a named file in the
file system is noticeably easier than rummaging around
in the address space of a process. Can be done more
surreptitiously, too: I just have a little program that
sits around and waits for files to appear, then opens
and reads them as promptly as it can. Yes, some of them
will escape my notice -- but I'll get a steady trickle.

Meanwhile, attaching a debugger to a process that's
delivering a service has an unfortunate tendency to slow
down the service, or even to pause it for macroscopic
time. (The impact of truss and such isn't too bad, but
if you encrypt the traffic on the pipe the attacker is
going to need more than truss can reveal.) When your help
desk phones start ringing with folks complaining that they
can't log in, somebody's likely to take a look at what's
wrong on the authentication server, and there's the attacker
running gdb ...

As an attacker (not in real life, I hasten to add), I'd
feel lots less exposed snooping in the file system than I
would hunched over a gdb session.

Besides: I don't think I'd bother with your pipes or
temp files or shared memory or whatever else, at least not
for my first attempt. No, I'd go after the database with
which you associate user IDs to FOB keys. At least, that's
where I'd begin, until and unless it proved sufficiently
armored against my depraved schemes.

--
Eric.Sosman@sun.com

• Next in forum: dynamic checkboxes from mysql table
• Prev in forum: Re: Programming PHP offline
• Thread view: Re: Security of Unix Pipes (with Application Details)

[Reply to this message]