Re: Shared memory DoS's

From: Richard Shetron (multicsat_private)
Date: Tue Jul 20 1999 - 20:00:35 PDT


    Multics was designed with the entire system running in VM in the early
    60's (the first boot was around 1969).  You never opened a file, you
    asked the OS to give you the VM address of the start of the 'segment'
    and the length of the segment.  Everything was done in VM.  Each 'user'
    had their own tmp space and quota so if you ran out of your personal tmp,
    you get stopped.
    
    typical process for an editor to read a file:
    
    get segment name from user
    call OS to get address of first bit of segment.
    allocate working segment.
    substr(working segment,,length) = substr(segment to edit,,length);
    edit file
    
    > Tops-20 had mapped memory segments before VMS was born.  It was called
    > PMAP back then (for Page Map).  I don't know if it had the same
    > vulnerability.
    >
    > Howie Kaye
    >
    > "Dick St.Peters" wrote:
    > >
    > > Mike Perry writes:
    > >
    > > > So as it turns out that it is in fact possible to create a DoS condition by
    > > > requesting a truckload of shared mem, then triggering pagefaults in the entire
    > > > shared region.
    > >
    > > Mapped memory segments have been susceptible to this since at least
    > > the early days of VMS, which AFAIK was the first OS to implement
    > > mapped memory (VMS used the term "mapped section").  I ran into this
    > > by accident no later than 1982 while doing image processing on a VMS
    > > system.  My processes, run at the lowest possible priority (equivalent
    > > to the highest possible niceness), would effectively shut down the
    > > system until they completed.
    > >
    > > VMS didn't have a lot of tools for analyzing what was happening, but a
    > > few experiments quickly showed the culprit was page faulting.  Image
    > > processing tends to step through memory sparsely.
    > >
    > > Sorry - I no longer have an exploit :)
    > >
    > > --
    > > Dick St.Peters, stpetersat_private
    > > Gatekeeper, NetHeaven, Saratoga Springs, NY
    > > Saratoga/Albany/Amsterdam/BoltonLanding/Cobleskill/Greenwich/
    > > GlensFalls/LakePlacid/NorthCreek/Plattsburgh/...
    > >     Oldest Internet service based in the Adirondack-Albany region
    >
    
    
    --
    Richard Shetron  multicsat_private multicsat_private
                     What is the Meaning of Life?
    There is no meaning,
    It's just a consequence of complex carbon based chemistry; don't worry about it
    The Super 76, "Free Aspirin and Tender Sympathy", Las Vegas Strip.
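
The editor steps listed in the message, sketched for POSIX as an added example (not code from the original post or from Multics): the file is mapped rather than read, copied into a private working segment, and the copy is charged against a per-user temporary-space quota so an oversized request is refused. The names tmp_quota, load_for_edit and release_working are hypothetical, and the quota is a plain counter kept by the caller.

```c
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical per-user temporary-space quota; invariant: used <= limit. */
struct tmp_quota { size_t limit, used; };

/* Map the file ("segment"), copy it into a private working segment and
 * charge the copy to the quota. Returns NULL on error or if over quota. */
void *load_for_edit(const char *path, struct tmp_quota *q, size_t *len_out)
{
    struct stat st;
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return NULL;
    if (fstat(fd, &st) < 0 || st.st_size <= 0) {
        close(fd);
        return NULL;
    }
    size_t len = (size_t)st.st_size;
    if (len > q->limit - q->used) {   /* over quota: stop before allocating */
        close(fd);
        return NULL;
    }
    void *seg = mmap(NULL, len, PROT_READ, MAP_PRIVATE, fd, 0);
    close(fd);                        /* the mapping outlives the descriptor */
    if (seg == MAP_FAILED)
        return NULL;
    void *work = malloc(len);         /* "allocate working segment" */
    if (work != NULL) {
        memcpy(work, seg, len);       /* working segment = segment to edit */
        q->used += len;
        *len_out = len;
    }
    munmap(seg, len);
    return work;
}

/* Free a working segment and return its space to the quota. */
void release_working(void *work, size_t len, struct tmp_quota *q)
{
    free(work);
    q->used -= len;
}
```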
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:52:51 PDT