http://it.slashdot.org/it/07/07/11/1421209.shtml
在今年度的 Usenix 的安全座談會上(http://www.usenix.org/events/sec07/tech/tech.html)
有篇論文(http://www.cs.huji.ac.il/~dants/papers/Cheat07Security.pdf) 實做了一種 "作弊" 工具,它能允許非特權使用者執行他們的程式,例如:下 'cheat 99% program' 這樣的指令,也因此確保他們的程式能取得 CPU 99%的資源(譯註:論文說你想要佔幾 % 都可以),不管事否有其他程式正在執行,而且在某些例子中(如 Linux),它以某種方式讓程式無法被某些 CPU 監測工具(如 top)發現(譯註:透過 cheat 執行的程式看起來跟一般沒有兩樣)。
該工具專門使用標準界面(API),而且可以被任何沒有特權程式設計新手輕易實作出來。由於最近大家都在戮力增進對於多媒體應用的支援,因此讓系統更容易遭受攻擊。當前所有流行的作業系統,除了 Mac OS X 之外,都容易受到它的傷害,即便如此,這篇 kerneltrap 的報導顯然指出 (http://kerneltrap.org/node/8059)
※ 相關報導:
* Secretly Monopolizing the CPU Without Superuser Privileges
http://www.cs.huji.ac.il/~dants/papers/Cheat07Security.pdf
Abstract
We describe a "cheat" attack, allowing an ordinary process to hijack any desirable percentage of the CPU cycles without requiring superuser/administrator privileges. Moreover, the nature of the attack is such that, at least in some systems, listing the active processes will erroneously show the cheating process as not using any CPU resources: the "missing" cycles would either be attributed to some other process or not be reported at all (if the machine is otherwise idle). Thus, certain malicious operations generally believed to have required overcoming the hardships of obtaining root access and installing a rootkit, can actually be launched by non-privileged users in a straightforward manner, thereby making the job of a malicious adversary that much easier. We show that most major general-purpose operating systems are vulnerable to the cheat attack, due to a combination of how they account for CPU usage and how they use this information to prioritize competing processes. Furthermore, recent scheduler changes attempting to better support interactive workloads increase the vulnerability to the attack, and naive steps taken by certain systems to reduce the danger are easily circumvented. We show that the attack can nevertheless be defeated, and we demonstreate this by implementing a patch for Linux that eliminates the problem with negligible overhead.
* "藍藥丸" 創造出絕對無法被偵測的惡意軟體