michael graffam michael.graffam at gmail.com
Wed Jun 11 22:31:45 CEST 2008

On Wed, Jun 11, 2008 at 3:56 PM, David Shaw <dshaw at jabberwocky.com> wrote:

> If the attacker had access to your machine to implement the LD_PRELOAD
> attack, there are literally dozens of ways they can similarly steal
> whatever data they are trying to steal.  Why do a very complex attack
> involving replacing libraries when they could just replace the GPG
> binary itself?

Replacing the GPG bin requires root. An LD_PRELOAD'ed lib doesn't.

> Or add a shell script named 'gpg' and put it in your
> search path ahead of the real gpg?

Again, root.

> Or turn on typescript by default.

Doesn't save GPG passphrases.

> Or load a kernel module that changes the meaning of system calls.  Or
> replace the rng with one that isn't random.  Or, or, or.

Root, root, root.

Get it yet? LD_PRELOAD enables attacks against GPG w/o requiring full access
to the box. The attacker just needs access to the user's account.

> If you don't have control of your computer, you don't have control of
> your computer full stop.

By that logic, anti-lock brakes are useless because, well.. clearly.. if you
don't have control over your car, then you don't have control over your car.
In point of fact, it is precisely when you have lost control of your car,
that you need anti-lock brakes. I think the same applies here.

>  Having GPG do some extra checks doesn't
> really help, because the attacker can simply arrange for these extra
> checks to appear to succeed, or just replace GPG altogether so they
> don't run.

So, you write static-strcmp(), throw it into the code, and in main() you use
static-strcmp() to walk the environment pointer. If you find an LD_PRELOAD,
you bail. I am not aware of any way to fake these checks w/o modifying the
bin (root!).

> If I may torture an analogy here, being worried about someone who has
> access to your computer using LD_PRELOAD to attack you is like being
> worried that a burglar has a key to your front door... but your front
> door isn't locked anyway.

I don't think this situation is analogous at all, in fact.

I think it is more like saying: why be worried about someone having a key to
your front door when they can just blow the door apart with a shotgun.

Sure, it's true.. and if your threat model includes shotgun-carrying
assailants or hostile root users, it's entirely valid.

But what about just some basic hygiene to keep honest people honest? Hell,
that's what most REAL locks are for, anyhow.
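The check Michael sketches above (a hand-rolled string compare walking the environment pointer from main(), bailing if LD_PRELOAD is present) written out as an added example in C. This is not code from the thread or from GnuPG; it assumes a glibc-style `environ` global, and the two sample environment blocks and the library path in them are constructed for the example. The comparison routines avoid calling libc's strcmp() so the check does not itself go through a symbol a preloaded library could interpose, and the name match insists on a trailing '=' so that an unrelated variable such as LD_PRELOAD_PATH does not trip it.

```c
#include <stdio.h>
#include <stddef.h>

extern char **environ;   /* the process environment, as provided by glibc */

/* Hand-rolled string equality so the check never calls libc's strcmp(),
 * which an LD_PRELOAD'ed library could itself interpose ("static-strcmp"). */
static int static_streq(const char *a, const char *b)
{
    while (*a != '\0' && *a == *b) {
        a++;
        b++;
    }
    return *a == *b;
}

/* True if `entry` ("NAME=value") has exactly the variable name `name`.
 * The trailing '=' check keeps LD_PRELOAD_PATH=... or LD_PRELOADX=...
 * from matching; LD_PRELOAD= with an empty value still counts as set. */
static int env_name_is(const char *entry, const char *name)
{
    while (*name != '\0') {
        if (*entry != *name)
            return 0;
        entry++;
        name++;
    }
    return *entry == '=';
}

/* Walk an environment block and return a pointer to LD_PRELOAD's value
 * (possibly the empty string), or NULL if the variable is absent. The block
 * is a parameter so the same routine can be run against a constructed
 * environment as well as the process's real `environ`. */
static const char *ld_preload_value(char *const *envp)
{
    for (; *envp != NULL; envp++) {
        if (env_name_is(*envp, "LD_PRELOAD"))
            return *envp + sizeof("LD_PRELOAD=") - 1;
    }
    return NULL;
}

/* Constructed sample environments for trying the walker offline
 * (not captured from any real system). */
static char *sample_clean_env[] = {
    "HOME=/home/alice", "PATH=/usr/bin:/bin", "LD_PRELOAD_PATH=/nope", NULL
};
static char *sample_preload_env[] = {
    "HOME=/home/alice", "LD_PRELOAD=/tmp/constructed-example.so", NULL
};

int main(void)
{
    const char *val = ld_preload_value(environ);
    if (val != NULL) {
        fprintf(stderr, "refusing to start: LD_PRELOAD is set to \"%s\"\n", val);
        return 2;   /* bail before touching any secret material */
    }
    puts("no LD_PRELOAD in the environment; continuing");
    return 0;
}
```

Build it with `cc -o ldcheck ldcheck.c`, run it once normally and once with LD_PRELOAD set to any library path, and the second run exits with status 2 before doing anything else. As the thread itself notes, this is hygiene against an attacker with only the user's account, not a defense against root.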
