Posted by Rainer Weikusat on 05/02/07 07:45

Eric Sosman <Eric.Sosman@sun.com> writes:
> David T. Ashley wrote On 05/01/07 14:19,:
>> "Rainer Weikusat" <rweikusat@mssgmbh.com> wrote in message
>> news:87tzuwxypg.fsf@fever.mssgmbh.com...
>>
>>>"David T. Ashley" <dta@e3ft.com> writes:
>>>
>>>[...]
>>>
>>>
>>>>However, I was thinking that I could use the PHP proc_open() function:
>>>>
>>>>http://us.php.net/manual/en/function.proc-open.php
>>>>
>>>>to pass the information to the compiled C program's stdin and get
>>>>information back from stdout securely (without others being able to
>>>>eavesdrop).
>>>
>>>You could try something simple, like writing the key to a file only
>>>readable by someone with the 'correct' UID and pass the name of the
>>>file to the program via commandline argument.
>>
>>
>> Yeah, this may be simplest of all. Now that everyone has shattered my
>> vision of pipes as secure, this is possible also. If you have a UID/GID
>> adequate to read the file, then you have a UID/GID adequate to eavesdrop on
>> pipes as well.
>
> Yeah, but opening and reading a named file in the
> file system is noticeably easier than rummaging around
> in the address space of a process.

[...]

> As an attacker (not in real life, I hasten to add), I'd
> feel lots less exposed snooping in the file system than I
> would hunched over a gdb session.

If somebody is running processes with either your UID (or a more
priviledged one) on the machine that tries to 'attack' you, you are
toast. There is no need for a 'gdb session', just write a program that
attaches to the to-be-attacked process, use PTRACE_SYSCALL (Linux) to
stop it after each syscall and modifiy the running image to your
hearts content (like setting up a 'fake pipe' through the
eavesdropping program).

"I have taken great pains to be reasonably safe from stupid attackers"
doesn't sound that good.

[Back to original message]