Re: KAUTH_PROCESS_SCHEDULER_*AFFINITY restricted to root in default secmodel?

To: Jeff Rizzo <riz%tastylime.net@localhost>
Subject: Re: KAUTH_PROCESS_SCHEDULER_*AFFINITY restricted to root in default secmodel?
From: Thor Lancelot Simon <tls%panix.com@localhost>
Date: Sun, 28 Aug 2011 16:08:59 -0400

On Sun, Aug 28, 2011 at 01:03:14PM -0700, Jeff Rizzo wrote:
> 
> I don't pretend to understand the security ramifications regarding
> processor affinity;  I do wonder, however, whether it warrants
> requiring elevated privilege (and possible exposure via other code
> in the process which doesn't require root for normal operation) to
> prevent allowing users to pin their own code to a particular cpu by
> default.  Are we sure we've made the right (default) tradeoff here?

I am pretty sure.  It makes resource consumption attacks easier and
it is not hard to see how to use it to make timing attacks against
cryptographic code in other processes _much_ easier.

References:
- KAUTH_PROCESS_SCHEDULER_*AFFINITY restricted to root in default secmodel?
  - From: Jeff Rizzo

Prev by Date: KAUTH_PROCESS_SCHEDULER_*AFFINITY restricted to root in default secmodel?
Next by Date: Re: KAUTH_PROCESS_SCHEDULER_*AFFINITY restricted to root in default secmodel?
Previous by Thread: KAUTH_PROCESS_SCHEDULER_*AFFINITY restricted to root in default secmodel?
Next by Thread: Re: KAUTH_PROCESS_SCHEDULER_*AFFINITY restricted to root in default secmodel?
Indexes:

Home | Main Index | Thread Index | Old Index