disclaimer: I'll probably edit this later, but I wanted to write it out before I forget 
When a program is running, it is sitting somewhere in memory (ram, unless it got paged to disk). If memory wasn't protected, I could just read its data, and be done. However, with "protected" mode, I still think there is a security problem (at least the way I understand it).
The goal is to read each person's password as he logs in. For simplicity's sake, say init, login, and CThos_exploit are the only things running (plus whatever you would need to get another console for the victim to log in on). From one process it is impossible to address the memory of another process, in theory. CThos_exploit would allocate however much physical ram is available on the computer (just for simplicity. This might work with less, or more depending on how swap works). It then goes through and reads ALL of it, looking for where the login binary and data is loaded.
The first reaction is "you can't read login's memory". But I didn't. Assuming login is in physical ram at the time, it will get paged to disk assuming I poke around my own memory enough to make sure it stays in ram until a context switch. At that point, login is now on the disk, and the physical ram it USED to occupy is mine.
Since I read it in without overwriting that memory with my own data, I should be able to read in the login binary, and from there, determine relatively where its data is. Assuming it was within the same page, it should be trivial from there to read passwords as they are entered. If it was in a different page, this would be difficult (or impossible) since I don't know where that maps to in physical ram. I would guess, though, that login's other data (such as the string "login:" and "password:") would be in the same page as the password buffer.
What did I get wrong? Admittedly, doing this would be very slow (probably causing a noticeable slowdown in the victim system), and it is entirely possible (very likely) that some other app would overwrite the physical memory first, but that still does not make a system totally secure from such an attack.
edit: see how good it is knowing only half the story about a lot of stuff?
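The poster asks what they got wrong. One check a practitioner can run, added here as an example that is not part of the original post, is whether memory freshly mapped from the kernel carries over another process's contents: mainstream kernels scrub a physical page before handing it to a new owner, so the scan described above finds only zeros. The mapping size and the search string are my own constructed choices.

```c
#define _DEFAULT_SOURCE
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

/* Offset of the first occurrence of `pat` in `buf`, or -1 if absent. */
long find_pattern(const unsigned char *buf, size_t len, const char *pat) {
    size_t plen = strlen(pat);
    if (plen == 0 || plen > len) return -1;
    for (size_t i = 0; i + plen <= len; i++)
        if (memcmp(buf + i, pat, plen) == 0) return (long)i;
    return -1;
}

/* Count non-zero bytes in `len` bytes of freshly mapped anonymous memory.
   The kernel hands out zero-filled pages, so this returns 0 (-1 if mmap fails). */
long count_residual_bytes(size_t len) {
    unsigned char *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                            MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;
    long nonzero = 0;
    for (size_t i = 0; i < len; i++)
        if (p[i] != 0) nonzero++;
    munmap(p, len);
    return nonzero;
}

/* The scan the post describes, run over fresh memory: offset of `pat` or -1.
   Because the pages arrive scrubbed, no previous occupant's data is found. */
long scan_fresh_memory(size_t len, const char *pat) {
    unsigned char *p = mmap(NULL, len, PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;
    long off = find_pattern(p, len, pat);
    munmap(p, len);
    return off;
}

int main(void) {
    size_t len = 64u << 20; /* constructed: 64 MiB, not "all of physical RAM" */
    printf("non-zero bytes in fresh mapping: %ld\n", count_residual_bytes(len));
    printf("offset of \"password:\": %ld\n", scan_fresh_memory(len, "password:"));
    return 0;
}
```

Data a process freed within its own address space can still show up again through its own allocator, but that is the process's own memory, not another process's.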
