[cap-talk] Avoid overconfidence (was: Any hope in RSA 2008?)
Eric Northup
Eric.Northup at microsoft.com
Sat Apr 5 16:51:39 CDT 2008
On Sat Apr 5 14:09:47, Bill Frantz wrote:
> Can someone describe Eric's attack, or point to a description?
What I generally consider to be the KK flaws I identified (I make no claim to have been the first), were:
1) A reliable (overt) communication channel between Domains which have shared but (nominally) read-only keys to a Segment. The problem is a subtle interaction between the definition of a "valid path" to the Segment walker and the page table sharing mechanism. To bound traversal and avoid the need to explicitly detect cycles in the Segment graph, there was a maximum number of Nodes that would be traversed before the walker gave up. The decision algorithm for whether it was valid to share page table substructure neither encoded nor considered this information, which caused the validity of a path to be not-deterministic (depending on which other entities have already encached sub-paths into valid page tables). This particular flaw was jointly discovered by Scott, Shap, and myself; I identified the mechanism to exploit it. This was discussed at http://www.eros-os.org/pipermail/eros-arch/2005-September/thread.html
2) A potential lack of forward progress that could be triggered by a maliciously constructed Domain where the capability register Node (for example) is also referenced as a Segment inside the address space. Should the program counter ever overlap said Segment, the Node would oscillate between prepared-as-Domain-constituent / prepared-as-Segment. This was described at a thread rooted at: http://www.eros-os.org/pipermail/coyotos-dev/2005-January/000025.html
I do not consider the second to be a particularly serious problem -- in fact, I later found a KK note reserving an error code for that very condition; so it's at worst an implementation and not an architectural flaw, and perhaps the condition was even checked.
The first problem, however, would cause the Factory to yield false positive reports of confinement.
I assume MarkM's characterization that
> The bug Eric Northup found in the KeyKOS kernel design was also
> essentially unexploitable
referred to the second flaw (which required the attacker to possess the DomainTool, or to have the cooperation of an entity that did). The transmitting-data-over-a-read-only-Segment capability flaw was fairly straightforward to attack.
-Eric
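A toy model of the first flaw, added here as an illustration and not code from KeyKOS, EROS or the post; the node budget, the segment graph and the cache policy are constructed assumptions. It shows that a sub-path cache which does not record how many nodes an encached sub-path consumes makes the validity of a path depend on what some other entity has already encached, and that recording the consumed depth restores a deterministic answer.

```python
"""Constructed model of a bounded Segment walker with shared sub-path caching."""

MAX_NODES = 4  # constructed traversal bound: walker gives up after this many Nodes

# Constructed segment graph: Node -> next Node; "page" is the terminal page.
# root_long needs 5 Nodes to reach the page; root_short needs 3.
GRAPH = {"root_long": "n1", "n1": "n2", "n2": "n3", "n3": "n4", "n4": "page",
         "root_short": "n3"}


def walk_flawed(start, cache):
    """cache: set of Nodes whose sub-path was already encached as valid.
    A cache hit ends the walk without charging the encached Nodes to the budget."""
    path, node = [], start
    while node != "page":
        if node in cache:          # reuse encached substructure, budget ignored
            cache.update(path)
            return True
        path.append(node)
        if len(path) > MAX_NODES:  # budget exhausted: path reported invalid
            return False
        node = GRAPH[node]
    cache.update(path)
    return True


def walk_fixed(start, cache):
    """cache: dict Node -> number of Nodes the encached sub-path consumes.
    A cache hit is only usable if the encached depth still fits the budget."""
    path, node = [], start
    while node != "page":
        if node in cache:
            if len(path) + cache[node] > MAX_NODES:
                return False
            break
        path.append(node)
        if len(path) > MAX_NODES:
            return False
        node = GRAPH[node]
    total = len(path) + cache.get(node, 0)   # Nodes from start to the page
    for i, n in enumerate(path):             # record remaining depth per Node
        cache[n] = total - i
    return True


def validity(walker, new_cache, first, second):
    """Return (validity of `second` with a fresh cache, validity after `first`)."""
    alone = walker(second, new_cache())
    cache = new_cache()
    walker(first, cache)
    return alone, walker(second, cache)
```

With the flawed policy, `validity(walk_flawed, set, "root_short", "root_long")` yields `(False, True)`: the long path is invalid on its own but becomes valid once the short path has encached `n3`, which is exactly the non-determinism the post describes; the fixed policy returns `(False, False)`.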