Hi!

> > > Some of ways an attacker could bypass this protection:
> > > Solution: There should be a LOCK pin on most processors that locks the
> > > memory bus. The kernel module can lock the bus and proceed to
> > > zero out all memory not used by the good kernels page tables.
> > No. You can't assume you know about all memory. (And I think LOCK does
> > not work the way you imagine it). Rogue second cpu could be hiding in
> > videoram of PCI card, for example.
>
> You shouldn't need to know about all the memory. Insert a TLB entry to map
> a page of virtual memory to the first page of physical memory. Zero it out.
> Proceed to zero out every physical page of memory. Who cares if there is a
> physical page there or not. You only have 4gb to go through. It may trash
> some device detection though.

BTW I forgot about a trivial method to do this: put your rogue code into
the boot-prom of your network card. It is quite easy to do, and you can't
zero ROM :-).

> > Remove heatsink from the cpu. Watch your "trusted" program do
> > single-bit errors from time to time. Have fun.
>
> Doh, I hadn't thought of that one ;)

This is really the worst of all, since it happens pretty often by
accident. (You know, the average life of a cpu fan is 6 months or so.)

Pavel
-- 
The best software in life is free (not shareware)! Pavel
GCM d? s-: !g p?:+ au- a--@ w+ v- C++@ UL+++ L++ N++ E++ W--- M- Y- R+

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:29:19 PDT