Slashdot Mirror


Secretly Monopolizing the CPU Without Being Root

An anonymous reader writes "This year's Usenix security symposium includes a paper that implements a "cheat" utility, which allows any non-privileged user to run his/her program, e.g., like so 'cheat 99% program' thereby ensuring that the program would get 99% of the CPU cycles, regardless of the presence of any other applications in the system, and in some cases (like Linux), in a way that keeps the program invisible from CPU monitoring tools (like 'top'). The utility exclusively uses standard interfaces and can be trivially implemented by any beginner non-privileged programmer. Recent efforts to improve the support for multimedia applications make systems more susceptible to the attack. All prevalent operating systems but Mac OS X are vulnerable, though by this kerneltrap story, it appears that the new CFS Linux scheduler attempts to address the problems that were raised by the paper."

250 comments

  1. What does this mean? by ajs · · Score: 0

    ... allows any non-privileged user to run his/her program, e.g., like so 'cheat 99% program' thereby insuring ... What?! I'm really not sure what's being said here. I understand the idea behind this, but the wording of the Slashdot piece is difficult to penetrate, even by Slashdot standards.

    I'm assuming that we're saying that this application can get 99% of the time-slices on an otherwise occupied system, starving other tasks for resources. I'd be interested in hearing how this plays with the latest scheduler for the Linux kernel, which is supposed to favor the most needy applications.
    1. Re:What does this mean? by ajs · · Score: 0, Offtopic

      I missed the last sentence of the blurb, which does address CFS in the latest Linux kernel...sorry about that. ... of course, Slashdot doesn't let you post a retraction right away.... grrr! ... Still waiting... ... this is getting old ...

    2. Re:What does this mean? by pauljlucas · · Score: 5, Informative

      What?! I'm really not sure what's being said here. I understand the idea behind this, but the wording of the Slashdot piece is difficult to penetrate, even by Slashdot standards.
      I had a hard time reading it as well, but then I saw it (kind of like when you suddenly "see" the picture in a stereogram). Proper punctuation, whitespace, formatting, and font changes help a lot. It should have been:

      .. allows any non-privileged user to run his/her program, like so:

      cheat 99% program

      thereby insuring ...

      where cheat is the name of the compiled utility that lets you "cheat", 99% is an argument to cheat, and program is the name of some other program that you want to run at 99% of the CPU. I.e., the command line syntax resembles renice.
      --
      If you reply, do so only to what I explicitly wrote. If I didn't write it, don't assume or infer it.
    3. Re:What does this mean? by Da+Fokka · · Score: 5, Funny

      If you reply, do so only to what I explicitly wrote. If I didn't write it, don't assume or infer it.


      You gun-toting marxist redneck zealot astroturfers make me sick!

    4. Re:What does this mean? by SatanicPuppy · · Score: 4, Insightful

      I don't know. I think retractions would screw with everything else. If you make a boneheaded statement (and I've done it more than once myself), it should stand. Otherwise, everyone who responds to correct your misstatement will look insane, and it'd be hard to metamod, because the comments wouldn't necessarily fit the context anymore, etc.

      --
      ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
    5. Re:What does this mean? by networkBoy · · Score: 5, Interesting

      Why not leave the post but allow a "retracted" tickbox? Thus at least the owner of the comment can effectively say "I was wrong, boneheaded, whatever" without having to post another comment and wait two minutes to do it, and all that shows up is a one-liner under the comment:
      This comment has been retracted by its poster

      -nB

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
    6. Re:What does this mean? by SatanicPuppy · · Score: 4, Insightful

      That'd be fine, or even cool. It'd deflect the inevitable storm of 500 people saying, "Wrong n00b!" and not reading down far enough to see that you admitted it already, and let the whole discussion move on to more productive things.

      --
      ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
    7. Re:What does this mean? by ajs · · Score: 1

      By "retraction", I meant that in the sense that newspapers use the term: the publication of a statement which redacts a previously published statement (e.g. my post in response to my initial post). The fact that Slashdot won't let me post a reply to my own post for a minute means that I sit there hitting "submit" on my one-line, "oops, I meant..." post for a minute. It's just annoying.

      The ability to edit one's comments would be nice, but I'd only want to see that kind of feature if you could actually review the edit HISTORY of a comment, which would be a pretty serious change for Slash (the engine that runs Slashdot).

    8. Re:What does this mean? by Kenshin · · Score: 2, Interesting

      I'm assuming that we're saying that this application can get 99% of the time-slices on an otherwise occupied system, starving other tasks for resources.

      We already have that. They're called McAfee Automatic Update and Windows Automatic Update.

      God dammit, I hate those things. I turn on my office computer in the morning, and just let it sit for ten minutes because it's otherwise useless. (I turned-off Windows Automatic Update, but McAfee was more than happy to fill its shoes in needless resource hogging.)

      --

      Does it make you happy you're so strange?

    9. Re:What does this mean? by DrSkwid · · Score: 1

      We?

      --
      There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
    10. Re:What does this mean? by Anonymous Coward · · Score: 0

      According to TFA, because of the way the latest scheduler is built and the features it looks for, the cheater slips past it as well and can be adapted to specifically game it.

    11. Re:What does this mean? by arodland · · Score: 3, Interesting

      Absolutely. In fact I think it should go half a step further. In the interest of civility, using this feature should hide the message from casual viewing. But a single click will still bring up the original so that you can't use slashdot to be a complete ass and then censor yourself after the damage is done :)

    12. Re:What does this mean? by complete+loony · · Score: 0, Troll

      Perhaps you should be allowed to moderate your own posts as redundant without losing karma?

      --
      09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
    13. Re:What does this mean? by belg4mit · · Score: 1

      How so exactly? Metamoderation shows messages out of context anyhow...

      --
      Were that I say, pancakes?
    14. Re:What does this mean? by Ash+Vince · · Score: 1

      What I find amusing is that some bunch of morons have modded up the post he is trying to retract. Are all slashdot moderators and posters that stupid or does someone have a brain out there?

      (People can mod this up or down for all I care, but please try reading it first)

      --
      I don't read /. to RTFA, I read /. to offend people in ignorance.
    15. Re:What does this mean? by irc.goatse.cx+troll · · Score: 1

      I'd rather just see people able to post addendums to their comments. Maybe make them free to subscribers and cost a karma point or two otherwise (to prevent people from getting careless and using it as a crutch)

      --
      Pain lasts, kid. It's how you know you're alive. Sometimes I think this growing up thing is just pain management. -TheMaxx
    16. Re:What does this mean? by tzot · · Score: 1

      There are 11 types of people in the world, those who know binaries and those who don't.

      The quoted line above comes from your sig. Do you mean, perhaps:

      There are 10 types of people in the world, those who know binary and those who don't.
      or am I missing something?

      With "binaries", one would typically mean "multiple binary stars"; perhaps you meant "binary" (system)? OTOH you mention 3 (11 base 2) types of people, so I quite possibly am missing a joke. Unless... unless one should substitute "binary and counting" for "binaries"; this would fully explain that "11" :)

      --
      I speak England very best
    17. Re:What does this mean? by DrSkwid · · Score: 1

      "Binaries" is plural because there is more than one possible binary encoding. In this case 11 is two. You are in class 00.

      --
      There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
    18. Re:What does this mean? by lahi · · Score: 1

      Please. Let's clear this up once and for all.

      In a group G of n people, there are (2**n)-1 possible distinct types of people, excluding the empty type, as nobody actually is of that type. Given that for any subset S of G you can find or invent something that these guys and gals have in common which is not shared with G\S, this is also the actual number of distinct types. There can be no more, as if S is defined by more than one property, the type consisting of just that property will just be a subtype of S.

      Thus, there are 2**n-1 types of people, where n is the number of people.

      -Lasse

      --
      There are (2**n)-1 types of people in the world (where n = the number of people in the world.)

    19. Re:What does this mean? by DrSkwid · · Score: 1

      Your assumption on a power of two binary encoding is incorrect, thank you for illustrating my point.

      --
      There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
    20. Re:What does this mean? by Anonymous Coward · · Score: 0

      In a group G of n people, there are (2**n)-1 possible distinct types of people, excluding the empty type, as nobody actually is of that type. Given that for any subset S of G you can find or invent something that these guys and gals have in common which is not shared with G\S, this is also the actual number of distinct types. There can be no more, as if S is defined by more than one property, the type consisting of just that property will just be a subtype of S. Thus, there are 2**n-1 types of people, where n is the number of people.
      I'm afraid you are mistaken, because a type is an attribute. Let's assume X is a group of attributes, e.g. X = {nil, handsome, Jewish, left-handed, Christian, ...} (where "nil" stands for "not an attribute"). Now, every person in G can be associated with an arbitrary number of attributes in X. Thus, the 'types' of people is the number of different functions from G into X (that is, F:G->X). This is certainly not |G|^2-1.
    21. Re:What does this mean? by tzot · · Score: 1

      "Binaries" is plural because there is more than one possible binary encoding. In this case 11 is two. You are in class 00.
      (11 base 2) is three. (11 base 1) is two. I don't understand what "class 00" means, since it's obvious to me we haven't enjoyed the same educational system.

      You surely use words in a non-mathematical way. The only way that "11" means two, is when you work in the unary numeral system with "1" as a chosen symbol. No binary involved whatsoever, so your signature's wordplay is, actually, a misteak.

      Thanks for your reply. Even if it was not your intention, you did reply to my question.

      --
      I speak England very best
    22. Re:What does this mean? by DrSkwid · · Score: 1

      What's this then ?

      0 00
      1 01
      2 11
      3 10

      --
      There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
    23. Re:What does this mean? by Anonymous Coward · · Score: 0

      What's this then ?
      0 00
      1 01
      2 11
      3 10
      are you an idiot? or is it just your (pathetic) way of being funny?
    24. Re:What does this mean? by paleshadows · · Score: 1

      What's this then ?

      0 00
      1 01
      2 11
      3 10
      Excellent question! This is the proof of how ignorant you are.
    25. Re:What does this mean? by DrSkwid · · Score: 1

      I'm afraid the proof of ignorance is in the opposite direction.

      http://en.wikipedia.org/wiki/Grey_code

      --
      There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
    26. Re:What does this mean? by Anonymous Coward · · Score: 0

      Lol, idiocy is one of your attributes my anonymous friend. But I'm sure that won't stop your inflated sense of self knowledge.
      Do you really think I'd have a sig that I couldn't back up ?
      It's a trap to prick the pompous. Consider yourself to have been penetrated by my prick.

      http://en.wikipedia.org/wiki/Grey_code

    27. Re:What does this mean? by tzot · · Score: 1

      Actually, only after seeing your other replies to various ACs, I appreciate the fact that I learned about Gray codes from you, and now I grok the "esotericness" of your signature.

      In addition, I fully believe your statement (typically, it's an AC who said it, but it's obvious that it's you, and I have a hunch that you thought the other AC was I, which I wasn't if you do think so) that "It's a trap to prick the pompous": yes, your sig was never meant to be funny, now I see that. Of course, I might be wrong, and you might consider your sig a funny trap, but then you wouldn't know "inside jokes" from "jokes", which is possible since for you "reflected binary code" is equivalent to "binary code" (ie it doesn't need prefixing, and who gives a fuck about common use?).

      We disagree on the purpose of a signature, and perhaps on whether you got people skills. I know, our virtual co-existence is too short, but you remind me of some people I know who, being very self-centric become very tiresome to others, and typically said others tend to agree as quickly as possible with said some-people in order to get rid of them. I won't pursue this issue any further, feel free to respond as you see fit (that is, if you think I'm intelligent enough to be worth of a reply from you.) Good hunting!

      (To world) A feeble attempt at a humorous sig (which is much less cryptic although it also requires some knowledge and minimal processing):

      "Dear Paul: please stop spamming us." --The Corinthians

      --
      I speak England very best
    28. Re:What does this mean? by DrSkwid · · Score: 1

      :)

      It was just a play on words to start with, but after the responses I've had to it with people pointing out how wrong I am, even insulting me straight away, indignant in their superior knowledge, I kept it on for the fun of it. I've been on /. for quite a few years and I enjoy the cut and thrust, which seems to be waning of late.

      It's even where I learned it myself about gray code. All I had remembered was the encoding I was told about in school in the mid 80s that wasn't powers of two but was 5-3-1-1 0-10 being :

      0000 0001 0011 0100 0101 1000 1001 1011 1100 1101 1111

      It's not a gray code but it led me there via discussion.

      More interestingly for me, it was invented at Bell-Labs and I'm a Plan 9 user which hails from the same place.

      --
      There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
    29. Re:What does this mean? by paleshadows · · Score: 1

      masterpiece :)

    30. Re:What does this mean? by Trogre · · Score: 1

      By gum you're right. It's not using the same binary as 99.9% of implementations, but a grey code is nonetheless a binary system, and therefore could be referred to by some as "a binary", or one of the "binaries".

      Hence your statement, while wildly misleading, is correct if one interpretation is taken.

      --
      "Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
  2. A Useful Tool by Bios_Hakr · · Score: 4, Funny

    I run several websites off of a single host. If I need to login to do maintenance during peak hours, I'm slowed by Apache and MySQL. This would be a nice utility if it were wrapped into SUDO.

    --
    I'd rather you do it wrong, than for me to have to do it at all.
    1. Re:A Useful Tool by CastrTroy · · Score: 3, Informative

      you could always renice apache and mysql down to a lower priority. Possibly in a log-on/log-off script which would change the priorities and then reset them when you log out.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    2. Re:A Useful Tool by Anonymous Coward · · Score: 0

      The 'nice' command might be something for you...

    3. Re:A Useful Tool by lecithin · · Score: 4, Funny

      alias renice 'echo Renice\? You must mean kill -9.; kill -9 \!*'

      --
      It could be worse, it could be Monday.
    4. Re:A Useful Tool by cichlid · · Score: 4, Insightful

      "you could always renice apache and mysql down to a lower priority. Possibly in a log-on/log-off script which would change the priorities and then reset them when you log out."

      Much easier to just renice your root shell automatically at login

    5. Re:A Useful Tool by oglueck · · Score: 2, Insightful

      Still thread creation can kill you. Renicing a fork bomb won't give you more cycles for your shell.

    6. Re:A Useful Tool by ZachMG · · Score: 1

      Hey Hey Hey wait. I got an even better tool for the job //Mac OS X\\

      --
      There is hopeful symbolism in the fact that flags do not wave in a vacuum. --Arthur C. Clarke
    7. Re:A Useful Tool by vsavkin · · Score: 1

      If you use sudo, you can just renice your root shell to higher priority, or even make it real-time process.

    8. Re:A Useful Tool by Anonymous Coward · · Score: 1, Interesting

      True, but you can set limits on the number of processes per user and other stuff to stop a fork bomb. On Linux with PAM these are set in /etc/security/limits.conf, appropriate limits vary depending on the resources available to the machine. A good admin should be aware of fork bombs and make the appropriate configuration to stop them.

    9. Re:A Useful Tool by Anonymous Coward · · Score: 0

      Yeah, in that case, everything runs at the same speed. *Slow*

    10. Re:A Useful Tool by oglueck · · Score: 1

      This only stops the most primitive incarnation of fork bombs like :(){ :|:& };: whose processes don't die. While you can set limits to the max. number of processes per user, there is AFAIK no limit to the number of processes I can create per second. So as long as my processes are short lived nothing stops me from creating 1000 processes per second. Don't try this at home on a 2.4 kernel, kids.

  3. So, is vista security good enough.... by Anonymous Coward · · Score: 0

    that others are starting to look after the *nix world for weaknesses? Once windows is equal or better than *nix in terms of security, then all the security and malware people will start looking at us.

    1. Re:So, is vista security good enough.... by Anonymous Coward · · Score: 1, Informative

      People have been looking for and exploiting *nix vulnerabilities long before Windows was on the scene.

    2. Re:So, is vista security good enough.... by dbIII · · Score: 2, Interesting

      Once windows is equal or better than *nix in terms of security

      That isn't likely to happen without a change in attitude due to both starting further behind and progressing more slowly. The current malware situation looks like bad SF and a morality tale of what happens when you allow really stupid things to happen (eg. letting arbitrary code embedded in images run - hopefully that person was dismissed from Microsoft).

    3. Re:So, is vista security good enough.... by KingMotley · · Score: 1

      You should pick better examples. That particular problem was caused by Microsoft using a very well known OPEN SOURCE library for handling image functions. It affected many applications (including ones in linux). Now that you know that, are you still advocating that Microsoft should stop having anything to do with open source software? Didn't think so.

    4. Re:So, is vista security good enough.... by jayp00001 · · Score: 1

      but in *nix land those vulnerabilities are called features. Demands to change are always met with demands to keep them the same--"how can I keep my code from 1985 running without it!"

    5. Re:So, is vista security good enough.... by dbIII · · Score: 1

      I am advocating that people should know what their applications will do with different inputs. The above example was a mind bogglingly stupid mistake - viewing an image was enough to spread a virus! The added rant by the poster above blaming poor practice on somebody else and making assumptions about myself (why would I want people to use garbage just because it has a good licence?) I consider a fairly lame apology for somebody else's major mistake that completely ignored any sort of security. It allowed arbitrary code from unknown sources that could have been well hidden in elements of nearly any web page to run - security doesn't get much worse than that no matter who does it.

    6. Re:So, is vista security good enough.... by vtcodger · · Score: 2, Insightful
      ***that others are starting to look after the *nix world for weaknesses? Once windows is equal or better than *nix in terms of security, then all the security and malware people will start looking at us.***

      Of course not. It shows that OS research work is likely to be done on a Unix of some sort where the source code is available for analysis.

      TFA points out that Windows is just as vulnerable to these cheats as BSD, Linux and Solaris. The cheat works by releasing the CPU just before the end of a time tick, thereby allowing the whole tick to be charged to whatever task gets the rest of the tick. Windows, like Solaris, has accurate job accounting information available, but chooses not to use it for scheduling. In addition, like the Linux 2.6 kernel, Windows will actually artificially raise the priority of a cheating task under the misapprehension that the job is interactive.

      --
      You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
    7. Re:So, is vista security good enough.... by poopdeville · · Score: 1
      If you're talking about the WMF vulnerability, you've got your history wrong. Microsoft used their own implementation. Hell, they wrote the specification for the Windows Metafile format. The specification was flawed, and led to vulnerabilities. Which is why compliant open source implementations of the specification were vulnerable.

      From Wikipedia:

      Essentially, a WMF file stores a list of function calls that have to be issued to the Windows graphics layer GDI in order to restore the image. Since some GDI functions accept pointers to callback functions for error handling, a WMF file may include executable code. It is somewhat similar in purpose and design to the PostScript format used in the Unix world.
      --
      After all, I am strangely colored.
    8. Re:So, is vista security good enough.... by Schraegstrichpunkt · · Score: 1

      The WMF vulnerability, not the zlib one.

    9. Re:So, is vista security good enough.... by hcmtnbiker · · Score: 1

      TFA points out that Windows is just as vulnerable to these cheats as BSD, Linux and Solaris. The cheat works by releasing the CPU just before the end of a time tick, thereby allowing the whole tick to be charged to whatever task gets the rest of the tick. Windows, like Solaris, has accurate job accounting information available, but chooses not to use it for scheduling. In addition, like the Linux 2.6 kernel, Windows will actually artificially raise the priority of a cheating task under the misapprehension that the job is interactive.

      ...but this is proof that Vista is more secure. Aero alone will use up most of your resources, therefore, you can't have a program monopolize the CPU more than the host OS. Just more proof those M$ guys know security ;)

      --
      If i had one dollar for every brain you dont have, i would have $1.
    10. Re:So, is vista security good enough.... by toadlife · · Score: 1

      but in *nix land those vulnerabilities are called features.... I thought "It's not a bug. It's a feature." was Microsoft's motto?
      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    11. Re:So, is vista security good enough.... by jayp00001 · · Score: 1

      but in *nix land those vulnerabilities are called features....
      I thought "It's not a bug. It's a feature." was Microsoft's motto?
      Where do you think they stole it from?
    12. Re:So, is vista security good enough.... by Anonymous Coward · · Score: 0

      you're right, they should have just disabled the "run virus when viewing image" option.
      How stupid of them!

    13. Re:So, is vista security good enough.... by vtcodger · · Score: 1
      ***...but this is proof that Vista is more secure. Aero alone will use up most of your resources, therefore, you can't have a program monopolize the CPU more than the host OS. Just more proof those M$ guys know security ***

      Your logic is fine. But alas ... reality ....

      Vista won't know that the cheating task is stealing cycles. In practice, the program probably can "monopolize the CPU more than the host OS" -- notwithstanding that OS tasks look on the surface to have higher overall priority. Perhaps we should consider the possibility that Vista is more secure against what the user desires to do than against well targeted attacks.

      I know that you are being sarcastic, but it's interesting (to me anyway) that 'Knowing Security' and actually building a usable secure system may not be the same thing.

      --
      You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
  4. Google-cache article by Anonymous Coward · · Score: 3, Informative

    For those harboring poisonous grudges against PDFs, the Googlerised HTML version is here.

    1. Re:Google-cache article by brunascle · · Score: 5, Informative

      and for those who don't have the time to read the paper...

      it works by avoiding running during the exact moment of a clock tick (which would be the moment when CPU usage per-process is checked). to start running immediately after a clock tick is (apparently) easy, but to stop before the next tick is harder. the paper suggests using some kind of get_cycles assembly instruction to count how many CPU cycles there are per clock tick, and use that number to gauge when the next clock tick is going to occur by counting how many CPU cycles have elapsed.

    2. Re:Google-cache article by TheVelvetFlamebait · · Score: 3, Insightful

      For those harboring poisonous grudges against PDFs...
      Speaking of userland processes using 99% cpu...
      --
      You know, there is a difference between trolling and pointing out the flaws in your reasoning. Just saying.
    3. Re:Google-cache article by Bobb+Sledd · · Score: 4, Funny

      and for those who dont have the time to read the paper...

      it works by avoiding running during the exact moment of a clock tick (which would be the moment when CPU usage...


      --Uhm... (looks at watch...) Say, I really don't have time for wordy summaries... could you maybe cut this down into about 10 words or less? Hurry it up! I ain't got all day!

      --
      "They said I probly shouldn't fly with just one eye," "I am Bender. Please insert girder."
    4. Re:Google-cache article by Anonymous Coward · · Score: 2, Insightful

      Kind of like Alt-Tabbing off Slashdot when the PHB strolls by?

    5. Re:Google-cache article by brunascle · · Score: 5, Funny

      it run when OS not looking

    6. Re:Google-cache article by Anonymous Coward · · Score: 0

      I haven't had much sleep this week. This comment made me LOL at work, perhaps a bit more than I should have.

    7. Re:Google-cache article by kestasjk · · Score: 1

      With the difference that the CPU doesn't immediately see right through the charade.

      --
      // MD_Update(&m,buf,j);
    8. Re:Google-cache article by Xtravar · · Score: 1

      Funniest thing I've read on /. in a while.

      --
      Buckle your ROFL belt, we're in for some LOLs.
    9. Re:Google-cache article by SiChemist · · Score: 1

      I have no mod points so I have to say +5 funny! I ACTUALLY laughed out loud after reading this.

    10. Re:Google-cache article by cswiger · · Score: 1

      That's a good summary, thanks.

      Of course, this sort of attack has been known for a while, and it's not just OS X which is mostly immune to attempts by a process to yield the CPU just before a tick to avoid having the usage assigned to the process-- if you check the source code in FreeBSD, for example, in:

      http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/kern/kern_clock.c

      ----added to keep the comment from wrapping onto the URL----
      /*
       * Clock handling routines.
       *
       * This code is written to operate with two timers that run independently of
       * each other.
       *
       * The main timer, running hz times per second, is used to trigger interval
       * timers, timeouts and rescheduling as needed.
       *
       * The second timer handles kernel and user profiling,
       * and does resource use estimation. If the second timer is programmable,
       * it is randomized to avoid aliasing between the two clocks. For example,
       * the randomization prevents an adversary from always giving up the cpu
       * just before its quantum expires. Otherwise, it would never accumulate
       * cpu ticks. The mean frequency of the second timer is stathz.
      [ ... ]

      --
      "The human race's favorite method for being in control of the facts is to ignore them." -Celia Green
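      The two mechanisms discussed in this sub-thread (brunascle's summary of a process that runs between clock ticks but is never on the CPU when the tick fires, and the randomized stathz clock quoted from FreeBSD's kern_clock.c) can be seen side by side in a small simulation. The following is an added example, not code from the paper, from FreeBSD or from any poster: it models one tick interval as a fixed number of cycles (constructed constant), lets a "cheater" process hold the CPU for most of each interval and release it before the tick, and then compares what three accounting schemes report: per-tick sampling (what top reads on a ticking kernel), cycle-exact accounting at every context switch, and a second sampling clock with randomized periods. The tick-sampled figures attribute the cheater's time to whichever honest process is running at the tick, which is the monitoring gap the thread describes; the other two schemes recover the true share. The simulation only models the naive yield-before-tick behaviour; the refined evasion of the stat clock that a later reply attributes to section 5.4 of the paper is not modelled here.

```python
import random

# Constructed parameter for the simulation (not taken from the paper):
# number of CPU cycles between two scheduler clock interrupts.
CYCLES_PER_TICK = 1000


def running_at(cycle, cheater_cycles):
    """Return which process holds the CPU at a given cycle.

    Each tick interval starts with the cheater, which releases the CPU after
    cheater_cycles and lets the honest process run up to, and across, the
    tick interrupt that fires at the end of the interval.
    """
    return "cheater" if cycle % CYCLES_PER_TICK < cheater_cycles else "honest"


def tick_accounting(total_ticks, cheater_cycles):
    """Classic tick-sampled accounting: whoever is on the CPU when the tick
    fires is charged the whole tick. Returns the fraction charged to each."""
    charged = {"cheater": 0, "honest": 0}
    for k in range(1, total_ticks + 1):
        tick_cycle = k * CYCLES_PER_TICK - 1  # last cycle before the interrupt
        charged[running_at(tick_cycle, cheater_cycles)] += 1
    return {p: c / total_ticks for p, c in charged.items()}


def precise_accounting(total_ticks, cheater_cycles):
    """Cycle-exact accounting (a cycle counter read on every context switch):
    each process is charged exactly the cycles it consumed."""
    total = total_ticks * CYCLES_PER_TICK
    cheater = total_ticks * cheater_cycles
    return {"cheater": cheater / total, "honest": (total - cheater) / total}


def randomized_stat_accounting(total_ticks, cheater_cycles, mean_period, seed=1):
    """A second statistics clock with randomized periods, in the spirit of the
    stathz timer described in the quoted FreeBSD comment: samples land at
    unpredictable offsets, so a process that yields before the scheduler tick
    is still charged in proportion to the time it actually ran."""
    rng = random.Random(seed)  # fixed seed keeps the demonstration repeatable
    total = total_ticks * CYCLES_PER_TICK
    charged = {"cheater": 0, "honest": 0}
    samples = 0
    cycle = rng.randrange(mean_period)
    while cycle < total:
        charged[running_at(cycle, cheater_cycles)] += 1
        samples += 1
        cycle += rng.randrange(1, 2 * mean_period)  # mean gap ~= mean_period
    return {p: c / samples for p, c in charged.items()}


def accounting_gap(reported, actual, process="cheater"):
    """Detection helper: CPU share that the reporting scheme failed to
    attribute to a process. A gap near the true share means the figures
    from tick sampling are being evaded and cannot be trusted."""
    return actual[process] - reported[process]


if __name__ == "__main__":
    ticks, cheat = 1000, 900  # cheater uses 90% of every tick interval
    sampled = tick_accounting(ticks, cheat)
    exact = precise_accounting(ticks, cheat)
    randomized = randomized_stat_accounting(ticks, cheat, mean_period=250)
    print("tick-sampled  :", sampled)
    print("cycle-exact   :", exact)
    print("random stathz :", randomized)
    print("gap hidden from tick sampling:", accounting_gap(sampled, exact))
```

Run with no arguments it prints the three views of the same workload. The useful defensive reading is the gap function: on a kernel that only has tick sampling, per-process CPU columns in top can sum to a plausible 100% while attributing the load to the wrong processes, so detection has to come from accounting that reads the cycle counter at context switches (or from a sampling clock whose period the workload cannot predict), not from the tick-sampled per-process figures themselves.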
    11. Re:Google-cache article by Anonymous Coward · · Score: 0

      Of course, this sort of attack has been known for a while, and it's not just OS X which is mostly immune to attempts by a process to yield the CPU just before a tick to avoid having the usage assigned to the process-- if you check the source code in FreeBSD
      "Of course" you say... I suggest you take a look at the paper. It shows FreeBSD can be fooled like all the rest of the ticking OSs (see section 5.4). It's a bit trickier, but still quite easy. Maybe now, that the attack is known, the FreeBSD folks would fix this. But currently, stathz simply doesn't do the job and is useless in the face of a systematic attack.
    12. Re:Google-cache article by medgooroo · · Score: 1

      more like alt tabbing into slashdot when phb walks by.... its pretending it ISN'T working

      --
      Brain(s): 0.0% user, 1.3% system, 0.1% nice, 98.6% idle
    13. Re:Google-cache article by Anonymous Coward · · Score: 0

      Please document how this amazing data compression algorithm of yours works.

    14. Re:Google-cache article by ThePawArmy · · Score: 1

      Best post this month.

  5. Security! by wal9001 · · Score: 1

    Ha! I told you Mac OS was more secure. What? Of course I'm not a fanboy! What gave you that idea! Jeez.

    1. Re:Security! by TheRaven64 · · Score: 1

      If you just want to DoS the box as a local user (which is all this lets you do, from a security standpoint), then there are much easier ways of doing this on OS X via the VM subsystem. So easy that I've managed to do it with my own code a couple of times purely by accident and had to power cycle the box to stop the process (the same code runs fine on FreeBSD, by the way, it just chews up a lot of memory).

      --
      I am TheRaven on Soylent News
    2. Re:Security! by Anonymous Coward · · Score: 0

      At least this paper should help dispel that old "Mac OS X is BSD with eye candy" meme. While reading it, it's hard not to realize that XNU (the OS X kernel) and the BSD kernel are completely different beasts. Figure 1 in particular drives the point home: it shows that with respect to the timing model used, you have OS X and RTOSs on one side, and FreeBSD, Linux, Windows etc. on the other.

    3. Re:Security! by pasamio · · Score: 1

      I've noticed a similar thing, more that anything that causes heavy disk IO kills the system. More so when I've been experimenting with virtual machine implementations on the platform I've noticed heavy lag issues that I don't see on equivalent systems. Locking up a OSX box isn't too hard.

      --
      I always wondered where this setting was...
    4. Re:Security! by orclevegam · · Score: 2, Interesting

      If you just want to DoS the box as a local user (which is all this lets you do, from a security standpoint), then there are much easier ways of doing this on OS X via the VM subsystem.

      You're missing the point here. Because the CPU accounting is off it's possible to do a QoS attack on a box rather than a DoS, that's virtually impossible to detect as the end user. From his or her standpoint, the system will be sluggish, but because of the way the attack works various random processes will seem to be taking up all that extra slack so that most likely no one process will appear to be hogging the CPU.

      There's also the possibility when combined with a worm or rootkit, as well as a bot net to setup a difficult to detect distributed computing environment to perform massive computations in short amounts of time.

      Like any concealment based vulnerability this is just a tool to be combined with others for a complete attack, but a serious issue nonetheless.

      --
      Curiosity was framed, Ignorance killed the cat.
    5. Re:Security! by Anonymous Coward · · Score: 0

      Doh! Of course! Who uses a Mac OS as a server? Macs are for exhibition purposes only.

    6. Re:Security! by Anonymous Coward · · Score: 0

      Because the CPU accounting is off it's possible to do a QoS attack on a box rather than a DoS

      I guess I'm not hip, but what exactly is the difference between a QoS attack and a DoS attack? I mean severely degrading the quality of the service, potentially up to the point of denying it, *is* a DoS attack.

      There's also the possibility when combined with a worm or rootkit, as well as a bot net to setup a difficult to detect distributed computing environment to perform massive computations in short amounts of time.

      I think you are making a mistake in understanding: the process isn't invisible or even hard to spot, but rather the resources being used are. A simple ps would still show the process.

    7. Re:Security! by orclevegam · · Score: 2, Interesting

      I guess I'm not hip, but what exactly is the difference between a QoS attack and a DoS attack? I mean severly degrading the quality of the service potentially up to the point of denying it *is* a DoS attack.

      A DoS attack is an extreme form of QoS. If you perform a QoS attack on someone their performance is reduced, but the system is still usable, whereas in a DoS the goal is to make the system totally unusable. In some ways a QoS is even more effective than a DoS because it's more subtle and causes more frustration. If for instance a website gets DoSed the owner is upset and will try to get someone to investigate and shut down, if possible, whoever is DoSing them, and the users simply cannot connect to the service and go somewhere else. If, on the other hand, you QoS attack a server, the owner will be frustrated because performance is poor, but they will have to spend a good bit of time trying to track down WHY exactly the performance is poor; more importantly, the users connecting to the service will have a very poor experience, and that hurts the server's owner. A user is willing to cut someone slack if the server goes down, but they're much less forgiving when the server's performance is just poor.

      I think you are making a mistake in understanding: the process isn't invisible or even hard to spot, but rather the resources being used are. A simple ps would still show the process.

      The process is not invisible, you are correct, but it is hard to spot. If the malicious program is named something innocuous such as srvchost.exe (check your process list in Windows, there's a ton of the suckers), or maybe httpd in linux, and the user attempts to figure out what's causing slow downs on their system, they will be looking at anywhere but these processes because they will be showing 0% CPU utilization. Also, as I said, this is only part of a proper attack, this combined with some other exploit that hides the presence of the process will be even more confusing to the user because this attack actually re-allocates the used timeslices for the process to other random processes, so to the user it looks like the entire system is just using way more CPU time than normal. Of course, if you have a root kit you can perform this re-allocation at the kernel level, but part of the point of this exploit is that it's 100% userland so has a much smaller barrier to entry.

      --
      Curiosity was framed, Ignorance killed the cat.
    8. Re:Security! by Fred_A · · Score: 2, Funny

      At least this paper should help dispel that old "Mac OS X is BSD with eye candy" meme. While reading it, it's hard not to realize that XNU (the OS X kernel) and the BSD kernel are completely different beasts. Figure 1 in particular drives the point home: it shows that with respect to the timing model used, you have OS X and RTOSs on one side, and FreeBSD, Linux, Windows etc. on the other.
      I'll prove you wrong as soon as that stupid spinning beach ball of death lets me do something.
      --

      May contain traces of nut.
      Made from the freshest electrons.
    9. Re:Security! by Anonymous Coward · · Score: 1, Interesting

      I'll prove you wrong as soon as that stupid spinning beach ball of death lets me do something. Actually, that's half the proof that the Mac does scheduling right...

      The GUI is not considered to be a time critical task. Yes the spinning beach ball can be annoying, but it will eventually go away.

      But have you ever noticed that even when you have beach ball going, and the system seems locked up, iTunes never skips a beat? That's because the audio playback is running in a real time thread.

    10. Re:Security! by Fred_A · · Score: 1, Interesting

      But have you ever noticed that even when you have beach ball going, and the system seems locked up, iTunes never skips a beat? That's because the audio playback is running in a real time thread.
      Amazing, and to think of all the pains I went through to remove iTunes on my iBook. I shall put it back immediately !

      The UI may not be time critical but there is *a lot* of beach ball spinning going on on that system. It gets old pretty quick.
      --

      May contain traces of nut.
      Made from the freshest electrons.
  6. gnome by dattaway · · Score: 2, Funny

    The gnome desktop for years has been hiding processes that h0rk the cpu.

    1. Re:gnome by Anonymous Coward · · Score: 0

      hmmm... you mean KDE ?

  7. What the?! by Rik+Sweeney · · Score: 4, Funny

    Using up 99% of the CPU's easy!

    int main(int argc, char *argv[])
    {
          while (1) {}

          return 0;
    }

    1. Re:What the?! by CaptainPatent · · Score: 1

      But YOU have the privilege to eat all of your system resources. The point of the article is that an unprivileged user can while-lock your system and your OS will have no idea.

      --
      Well, back to rejecting software patent applications.
    2. Re:What the?! by AKAImBatman · · Score: 2, Informative

      This is a bit different. It's a way to convince the OS to give you more time slices than you'd normally be allocated. e.g. If you ran that program of yours twice at the same priority level, both instances should get ~50% of the CPU time. If one of the instances implemented this privilege boosting scheme however, it would get to hog all the CPU time while your other spinlocked program starved.

    3. Re:What the?! by Anonymous Coward · · Score: 0

      I hate it when people omit random nouns from sentences. Using up 99% of the CPU's what? Monthly download allowance? Precious, nonrenewable natural resources? Digestive enzymes? What??

    4. Re:What the?! by woodchip · · Score: 1

      This is better...

      #include <unistd.h>

      int main(int argc, char *argv[])
      {
          while (1) {}
          {
              fork();
          }
          return 0;
      }

    5. Re:What the?! by Anonymous Coward · · Score: 0

      I'm sorry that bothers .

      would you like a ?

    6. Re:What the?! by Anonymous Coward · · Score: 0

      For a time, my university's Linux lab had similar problems to this.

      Each machine on the network allowed SSH access, and people would playfully log in remotely to each others' machines and execute something like

      $ perl -e "fork while fork"

      This would render the machine unusable.. until about a year back, when something changed - which leads me to suspect that the kernel has had protection against this sort of thing for a while now.

    7. Re:What the?! by eneville · · Score: 1

      > This is better...
      > #include #include
      > int main(int argc, char *argv[]) {
      > while (1) {} { fork(); } return 0; }

      No, no, that is not better, not at all, none what so ever.

      What you meant, I think is:

      int i;
      while(1) {
          i = fork();
          if( i == 0 ) { /* only the child spins */
              while(1) {}
          }
      }

      in your loop the parent spins, because it cannot fork(); it never leaves the loop.

    8. Re:What the?! by MajinBlayze · · Score: 2, Insightful

      or, just

      $ :(){ :|:& };:

      But that really isn't the point here. This lets you run any arbitrary program, using max resources (despite scheduling), AND hide the fact that the process is using *any* resources.

      --
      "Hate is baggage. Life's too short to be pissed off all the time." Danny Vinyard -American History X
    9. Re:What the?! by Random832 · · Score: 2, Informative

      "fork while fork" won't have the exponential effect, since fork returns 0 (false) in the child process, terminating the loop and causing growth to only be linear. You'd need fork while true.

      --
      We've secretly replaced Slashdot with new Folgers Crystals - let's see if it notices.
    10. Re:What the?! by jshriverWVU · · Score: 1

      processing cycles. CPU's don't download or do anything other than compute finite math in cycles so a description really isn't needed.

    11. Re:What the?! by Anonymous Coward · · Score: 0

      what if we ran two of these "cheat 99%" programs together??

    12. Re:What the?! by francium+de+neobie · · Score: 2, Insightful

      This would render the machine unusable.. until about a year back, when something changed - which leads me to suspect that the kernel has had protection against this sort of thing for a while now.
      I guess they just put on a nproc limit on each user. It's just a trivial security measure against simple fork bombs. Assuming your Linux system uses PAM (most modern distros do), take a look at /etc/security/limits.conf.
    13. Re:What the?! by Trillan · · Score: 1

      Obviously, your CPU would run at 198%...

      Wait. Something's wrong here.

    14. Re:What the?! by Anonymous Coward · · Score: 0

      Then the authors would get another grant and start working on the "metacheat" program.

    15. Re:What the?! by dgatwood · · Score: 1

      x...<-joke
      o
      +...<-you
      /\

      The plural of CPU is CPUs, not CPU's. CPU's is the possessive form of CPU.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    16. Re:What the?! by Anonymous Coward · · Score: 0

      WTF, grammar police? Who cares. I don't get paid to care about an ' or not. It's the concept of the message that matters. This is a tech forum, not an English discussion, troll.

    17. Re:What the?! by fbjon · · Score: 1
      No, in this case it's actually a contraction of "CPU is".


      Grammar Nazis the world over, today you failed your mission. Let us give one minute of silence for remembrance.

      --
      True confidence comes not from realising you are as good as your peers, but that your peers are as bad as you are.
    18. Re:What the?! by Anonymous Coward · · Score: 0

      x...<- Rules of English grammar
      o
      +...<- Your understanding of them
      /\

      The plural of an abbreviation is formed with an apostrophe.

      Thank you for playing.

    19. Re:What the?! by dgatwood · · Score: 1

      But not in the original usage (at least in the place the previous post was complaining about). You can't use a complete sentence as a noun.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    20. Re:What the?! by dgatwood · · Score: 1

      No, it isn't. It is one of the most misused uses of the apostrophe, but it is not in any way correct English. The plural of an acronym is formed by adding a lowercase "s". Don't believe me? Look it up.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    21. Re:What the?! by Anonymous Coward · · Score: 0

      #!/bin/sh
      $0 && $0 &


      Try it... but not on a system you wouldn't want to reboot.

      Feel free to implement per-user process limits.

      (Covering myself: it worked for me...)

    22. Re:What the?! by gnuman99 · · Score: 1

      he probably just meant,

      while(1)
          fork();

    23. Re:What the?! by piojo · · Score: 1

      I have known about that one for years. When I first read about it, I was too much of a newbie to actually understand it, but I knew not to run it. Later, I got an overly trusting friend to try it on OSX. The OS stopped bash from forking more than a certain number of times, and nothing happened. I couldn't resist, so I tried it on my gentoo box and completely locked it up. I'm about to try it on my current vanilla ubuntu installation...

      --
      A cat can't teach a dog to bark.
    24. Re:What the?! by MajinBlayze · · Score: 2, Interesting

      Yeah, it surprised me too when I ran it for the first time. it is easy enough to fix (can't remember right now, but i recall something about a "limits" file) but should hint that that default is set too high.

      --
      "Hate is baggage. Life's too short to be pissed off all the time." Danny Vinyard -American History X
    25. Re:What the?! by lordSaurontheGreat · · Score: 1

      This is easier:
      :(){ :|:&};:

      --
      Consider yourself spoken to.
    26. Re:What the?! by Bloater · · Score: 1

      After two years of undergraduate linguistics, though it was many years ago, I'd like to point out that if it is one of the most misused it is probably now correct (not that correct means much when talking about a natural language).

      "Correct" makes sense when talking about Latin because it is not a natural language; Latin is a logic game. English, however, is used to satisfy the fashions and fads of any given week and changes at the demand of its users.

    27. Re:What the?! by Anonymous Coward · · Score: 0

      Actually, it is correct to pluralise an acronym with an apostrophe in some cases.

      CD's is wrong, because the full version is Compact Discs, but ROUS's is correct, because it's not Rodent Of Unusual Sizes. I believe apostrophes are also sometimes recommended where the additional s might be mistaken for part of the acronym.

    28. Re:What the?! by Some_Llama · · Score: 1

      I agree, "CPU is don't download" makes much more sense. good catch

    29. Re:What the?! by springbox · · Score: 1
      Yeah, try running this similar program in a Windows user account:

      int main(void) { for (;;); return 0; }

      The system grinds to a halt, of course.

    30. Re:What the?! by arodland · · Score: 1

      Depends on the system, but either each will get ~49% of CPU, or one will get ~99% while the other starves (well, competes with no significant advantage). It depends on a few factors. If the prios are shaken up enough and both cheaters get a chance to run, then each cheat will get to monopolize the CPU for a whole timeslice (on average) every other scheduling interval. But it's at least as likely that the process that gets the scheduler first wins every time, and runs so much that the other one doesn't even get time to play its games. All this of course assumes that they're both trying to run on the same CPU. As others have pointed out, on a system with two or more processors they'll simply consume 198% of CPU time :)

    31. Re:What the?! by fractoid · · Score: 1

      Yeah, try running this similar program in a Windows user account: OK, I'm tired, but - was that sarcasm or are we talking Windows 3.1?

      Of course if you were to go like so...

      #include <windows.h>

      int main(int argc, char **argv)
      {
          while (1)
              /* create pen to draw invisible pink unicorn */
              CreatePen(PS_NULL, 1, RGB(255, 200, 200));
          return 0xb00b5;
      }

      ...then I seem to recall causing interesting lockups... :)
      --
      Rampant carbon sequestration destroyed the Dinosaurs' tropical paradise. I'm here to help repair the damage.
    32. Re:What the?! by Anonymous Coward · · Score: 0

      If it's an abbreviation with periods in it, like "I.O.U.", then you must use an apostrophe.

      If it ends with an 'S', or is just one letter long, then use an apostrophe.

      It there is any chance of confusion, or just because you want to, then use an apostrophe.

      If you were frightened by an apostrophe as a small child, then feel free to complain about this sort of thing.

    33. Re:What the?! by fbjon · · Score: 1
      Oh but the joke was in reference to the "original" funnay post, which said:

      Using up 99% of the CPU's easy! "CPU's" is quite correct ( -> "..of the CPU is easy."), but the reply moaned about there not being a noun in between there.
      --
      True confidence comes not from realising you are as good as your peers, but that your peers are as bad as you are.
    34. Re:What the?! by angus_rg · · Score: 1

      I think the basics of what is being said is, using 99% of CPU and starving processes of CPU time are not the same thing. This article is stating that both are happening (not mutually exclusive, for you programming geeks).

      A simple infinite loop will not starve a process that has a higher priority, and in most cases not a lower priority one either, given a scheduling algorithm that uses aging in addition to priority. It will just use all idle CPU cycles.

      I know we're geeks, but lets KISS it.

    35. Re:What the?! by kasperd · · Score: 1

      "fork while fork" won't have the exponential effect, since fork returns 0 (false) in the child process, terminating the loop and causing growth to only be linear.
      It only terminates every other time, so you'd still get exponential growth. Actually, if you wanted to be a bit more nasty, you'd terminate the parent after every second fork. Because then there would be less connection between your processes, and you'd still get exponential growth, but no single process lives for more than a few system calls.
      --

      Do you care about the security of your wireless mouse?
  8. Old news by Edward+Kmett · · Score: 3, Informative

    Not quite sure what justifies a paper out of this.

    If you check the linux kernel mailing list for Vassili Karpov, you should find test cases that demonstrate this behavior and tools for monitoring actual CPU usage for a variety of platforms, though I notice no mention of any of that in the paper.

    See http://www.boblycat.org/~malc/apc/ for the tool and 'invisible CPU hog' test case.

    --
    Sanity is a sandbox. I prefer the swings.
    1. Re:Old news by Anonymous Coward · · Score: 5, Informative

      Publishing papers takes a lot of time, as anybody who has ever done it would know... For example, the post you mention is from Feb 2007. By then, according to the usenix-security call for papers, the paper had already been submitted. Also, googling "cheat" around revealed this technical report: http://leibniz.cs.huji.ac.il/anon?View=1&num=1&pid%5B1%5D=870&abstract=1 (seems to be the initial version of the paper), which is dated May 2006.

  9. ok by nomadic · · Score: 3, Interesting

    Back in my day we called it renice.







    Yes, I'm kidding. Please don't post a long reply explaining how renice differs from this cheat thing. It isn't necessary.

    1. Re:ok by Gazzonyx · · Score: 1

      Back in my day we called it renice. Yes, I'm kidding. Please don't post a long reply explaining how renice differs from this cheat thing. It isn't necessary. My good sir, you take all of the fun out of trolling slashdot while at work! Now I have no excuse to avoid working on the dbase (Access and VBA, ugh). Jerk.
      --

      If I mod you up, it doesn't necessarily mean I agree with what you've said, sorry.

    2. Re:ok by nomadic · · Score: 1

      Now I have no excuse to avoid working on the dbase (Access and VBA, ugh).

      Eesh, you have fun with that.

    3. Re:ok by MajinBlayze · · Score: 1

      Now I have no excuse to avoid working on the dbase (Access and VBA, ugh) I was an "Access Developer" for a while, even a consultant doing the same (yes, I would sell my soul for a dollar)
      Now I have a *Real* job as part of a programming team working with a *mostly* real RDBMS.

      you will be in my prayers, brother-in-arms.
      --
      "Hate is baggage. Life's too short to be pissed off all the time." Danny Vinyard -American History X
    4. Re:ok by Jesus_666 · · Score: 1

      Please don't post a long reply explaining how renice differs from this cheat thing. It isn't necessary.

      Too late.

      renice and cheat are pretty different, actually. I mean, they have a Levenshtein difference of 6. With the longer of the two only having six characters that makes them completely different beasts.

      <Insert ten more paragraphs detailing how these strings are differing, involving hash comparisons and an in-depth discussion of the Levenshtein algorithm, here>

      --
      USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
  10. The "sue" command by Anonymous Coward · · Score: 1, Insightful

    Finally, the "sue" command of PC UNIX has been implemented.

    1. Re:The "sue" command by db32 · · Score: 4, Funny

      This is an outrage. You cannot 'sue' without lawyerd! What about the required functionality of 'sue --counter' and 'appeal'?!

      --
      The only change I can believe in is what I find in my couch cushions.
    2. Re:The "sue" command by Wite_Noiz · · Score: 2, Funny

      lawyerd

      What a scary, scary thought...
    3. Re:The "sue" command by db32 · · Score: 1

      Why is that? You could kill -9 as many times as you like in a given day... Well unless of course one lawyerd being killed causes more lawyerd instances to spawn and then they all 'sue'. Ok yeah, that could suck.

      --
      The only change I can believe in is what I find in my couch cushions.
  11. It was news,... in 1980 by Ancient_Hacker · · Score: 1

    I seem to recall usenet discussions about this circa the time of !uucp!newsglop!..... It seemed the Unix scheduler would let certain IO operations hog the CPU. And if you somehow installed your app as an IO driver or IO completion routine, then your app could hog the CPU. Similarly, since day one of Windows soundcards you could set your app to realtime_priority and everything else would suffer. Not exactly smokin' hot off the press.

    1. Re:It was news,... in 1980 by phasm42 · · Score: 1

      That's not what the paper talks about. The vulnerability is that the scheduler gathers statistics (used to make scheduling decisions) by checking who is running at every clock tick. By running only between clock ticks and never running at the time of a clock tick, your process can use a lot of CPU without the scheduler knowing.

      --
      "No one likes working in a hamster wheel, and your shop smells of cedar shavings from here." - TaleSpinner
    2. Re:It was news,... in 1980 by MajinBlayze · · Score: 1

      Yes, but did that cause the program to hide the fact that it was the process using up resources?
      No. That's what makes this interesting. That, and the fact that the new multimedia friendly schedulers are what makes this possible.

      --
      "Hate is baggage. Life's too short to be pissed off all the time." Danny Vinyard -American History X
    3. Re:It was news,... in 1980 by vtcodger · · Score: 2, Informative
      ***I seem to recall usenet discussions about this circa the time of !uucp!newsglop!..... Not exactly smokin' hot off the press.***

      Not exactly. This is a technique that will, in principle, work with any scheduler that prioritizes tasks on the basis of time ticks previously used by the task. That turns out to be most of them. The technique does not require being an I/O driver or other special task, or having unusual user privileges.

      So yes, it IS news.

      --
      You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
    4. Re:It was news,... in 1980 by deroby · · Score: 1

      In that case, I NEED to ask : how would this fare on the Amiga back in the days ?? They didn't mention it in the paper (omg! =)

      I seem to remember (a long time ago, so don't shoot if I'm completely wrong) reading that the AmigaOS was able to do A LOT (magnitudes!?) more context switches per second than "any other OS". Most likely "any other" in those days meant Win3.1 or OS/2, so I'm not sure how it would compare to modern operating systems. Anyway, I remember the multitasking to be superb, although it might have been a bit more simplistic (eg. no nice, although you had Pri, which would allow you to set a thread's priority too high by accident and turn your machine into a single-tasker =)

      Sigh, I miss those days =)

      --
      If there is one thing to be learned on slashdot, it has to be sarcasm.
  12. First announced exploit.. by SuperBanana · · Score: 1, Funny

    This year's Usenix security symposium includes a paper that implements a "cheat" utility, which allows any non-privileged user to run his/her program, e.g., like so 'cheat 99% program' thereby insuring that the programs would get 99% of the CPU cycles, regardless of the presence of any other applications in the system, and in some cases (like Linux), in a way that keeps the program invisible from CPU monitoring tools (like 'top').

    Next up, a virus which senses bad grammar and punishes you by using 99% of your CPU. Seriously, somewhere a middle school English teacher is crying, and doesn't know why.

    1. Re:First announced exploit.. by Minwee · · Score: 4, Funny

      Somewhere a middle school English teacher is crying, and doesn't know why.

      Do you think this might be related to that incident where thousands of English teachers all burst into flames moments after the first SMS-enabled phone was released?

    2. Re:First announced exploit.. by qualidafial · · Score: 1

      If only I had mod points for you..

    3. Re:First announced exploit.. by HeroreV · · Score: 1

      The teacher doesn't know why she's crying? If that virus is smart enough it 8oe7ut398fxdhUK^&p>^%#%^#U

      NO CARRIER

  13. Sounds great in some respects. by jshriverWVU · · Score: 1
    I've even gone as far as compiling a minimal Linux distribution for one of my test machines so my CPU intensive application can squeak out every last drop of performance possible. Beyond the normal renice -20

    Curious how this works.

    1. Re:Sounds great in some respects. by cnettel · · Score: 2, Informative

      It works by sleeping at the right point in time. You really hack up the timeslices and decrease the overall efficiency (more context switches), so it's only good if you want to steal cycles where you are not really allowed to.

  14. Talk about a fair share scheduler ! by ivan_w · · Score: 5, Insightful

    I wasn't aware the schedulers for those systems were so deficient !

    In my days (yes, I'm an old fart) - the schedulers had basic principles :

    - Voluntary yielding led you to get accounted for the time you spent running.
    - You could stay in the interactive queue for only a certain amount of time. After some amount of time had passed (a few secs) you were either bumped to non-interactive if you were running (with longer time slices but lower priority) or removed off the scheduler list for good (if the time spent there was idling). They had a special 'idle but interactive' (not eligible for dispatching) queue for that.
    - Scheduling a new task restarted a new time slice

    That particular scheduler even had a 3 queue system so that if you got accidentally bumped into the non-interactive queue or if your process was semi-interactive you had a better chance of gaining interactive status again. And they had a 'really' not interactive queue for those CPU hogging processes.

    Of course this requires the hardware to have a precise timing feature (something with a granularity that is finer than the process interleaving time slice and ideally on the order of instruction execution time). And this scheduler wasn't using time sampling and time quanta.. (but something more like the OSX timer on demand paradigm).

    --Ivan

    1. Re:Talk about a fair share scheduler ! by RAMMS+EIN · · Score: 1

      Which OS has this scheduler?

      --
      Please correct me if I got my facts wrong.
    2. Re:Talk about a fair share scheduler ! by ivan_w · · Score: 3, Interesting

      Some instances of IBM's VM.. (VM/HPO, VM/ESA and z/VM.. VM/370 and VM/SP had a more simplified version with only 2 queues).

      --Ivan

  15. How It Works by Shimmer · · Score: 5, Informative
    The cheat program hogs the CPU by using it when the host OS isn't looking. As a result, it avoids the scrutiny of the OS's scheduler and is actually given a priority boost by some schedulers because of its good behavior.

    This is accomplished by sleeping for a fixed amount in between OS clock ticks. The timeline looks like this:
    1. Hardware is set to generate a "tick" event every N milliseconds.
    2. Tick event occurs, which is handled by the OS.
    3. OS notes which process is currently running on the CPU and bills it for this tick.
    4. OS wakes up cheating process, which is currently sleeping, and allows it to run.
    5. Cheating process runs for M (< N) milliseconds, then requests to go to sleep for 0 milliseconds. This causes the cheating process to sleep until just after the next tick.
    6. Repeat from step 2 above.
    --
    The most rabid believers in American Exceptionalism are the exact same people whose policies are destroying it.
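    The timeline above (and phasm42's shorter description of running only between clock ticks, plus the stathz discussion under the Google-cache article) can be checked with a small simulation. This is an added example in C, not the paper's cheat utility and not code from any poster here. It assumes a 1 ms tick (HZ=1000), a cheater that wakes right after each tick, runs for 0.9 ms and yields, and a fixed-seed LCG standing in for the kernel's randomized stat clock. It bills the cheater under three accounting rules: classic sampling at the tick, FreeBSD-style sampling at a random offset inside each tick interval, and precise billing at each context switch.

```c
/*
 * Added illustration (not the paper's "cheat" utility): how a process that
 * runs only between scheduler ticks is billed under three accounting rules.
 * Assumptions: HZ = 1000 (1 ms tick), the cheater wakes right after each
 * tick, runs 0.9 ms and yields; all times are in microseconds.
 */
#include <stdint.h>
#include <stdio.h>

#define TICK_US 1000   /* tick period: 1 ms, i.e. HZ = 1000 (assumed) */
#define RUN_US   900   /* cheater's burst per tick; must be < TICK_US */
#define NTICKS  1000   /* simulated length: 1000 ticks = 1 second */

/* True if the cheater holds the CPU at absolute time t (microseconds).
 * It runs during phases [1, RUN_US] of each tick interval and is asleep
 * at phase 0, which is exactly when the tick interrupt fires. */
static int cheater_running_at(uint64_t t)
{
    uint64_t phase = t % TICK_US;
    return phase >= 1 && phase <= RUN_US;
}

/* Rule 1: classic tick sampling. At each tick, charge whoever is running.
 * The cheater is always asleep at that instant, so it is charged nothing. */
long bill_by_tick_sampling(void)
{
    long ticks = 0;
    for (long i = 1; i <= NTICKS; i++)
        ticks += cheater_running_at((uint64_t)i * TICK_US);
    return ticks;
}

/* Rule 2: FreeBSD-style stat clock. One sample per interval at a random
 * offset, so a cheater cannot time its sleeps around it. A fixed-seed LCG
 * (assumed, for reproducibility) stands in for the kernel's randomization. */
long bill_by_random_sampling(void)
{
    uint32_t seed = 12345u;
    long ticks = 0;
    for (long i = 0; i < NTICKS; i++) {
        seed = seed * 1664525u + 1013904223u;        /* LCG step */
        uint64_t offset = (seed >> 8) % TICK_US;      /* 0 .. TICK_US-1 */
        ticks += cheater_running_at((uint64_t)i * TICK_US + offset);
    }
    return ticks;
}

/* Rule 3: precise accounting. Read a fine-grained clock on every context
 * switch and charge the exact interval; here the switch times are known. */
long bill_at_context_switch_us(void)
{
    long us = 0;
    for (long i = 0; i < NTICKS; i++) {
        uint64_t on  = (uint64_t)i * TICK_US + 1;   /* woken just after tick */
        uint64_t off = on + RUN_US;                 /* yields before next tick */
        us += (long)(off - on);
    }
    return us;
}

/* Share of the simulated second the cheater actually consumed, in percent. */
long true_cpu_share_percent(void)
{
    return 100L * bill_at_context_switch_us() / ((long)NTICKS * TICK_US);
}

int main(void)
{
    printf("real CPU share used by cheater      : %ld%%\n", true_cpu_share_percent());
    printf("ticks billed, sampling at the tick  : %ld of %d\n",
           bill_by_tick_sampling(), NTICKS);
    printf("ticks billed, random-offset sampling: %ld of %d\n",
           bill_by_random_sampling(), NTICKS);
    printf("microseconds billed at ctx switch   : %ld of %d\n",
           bill_at_context_switch_us(), NTICKS * TICK_US);
    return 0;
}
```

    Sampling at the tick bills the cheater zero ticks for a 90% CPU share, which is the invisibility the summary describes. Random-offset sampling bills it close to 90% of the ticks, but only under the assumption that the offset is genuinely unpredictable to user space; the thread above reports that the paper (section 5.4) still fools FreeBSD in practice, so this simulation models the ideal, not the shipped implementation. Billing at the context switch is exact and is the fix the later replies mention. The simulation covers accounting only; the priority boost that some schedulers hand to a process that keeps sleeping "voluntarily" is a separate effect of the same behaviour.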
    1. Re:How It Works by Anonymous Coward · · Score: 0

      I wonder why this works at all.

      First of all, the best solution would be to measure the time (obviously not in ticks, but something smaller) a user process has taken since the last tick.

      If that is not possible, because a tick is so damn short, then simply charge all user processes one tick. A normal (non-cheating) process should not be activated and pre-empted more than a few times, so the few ticks it "loses" won't hurt a bit.

    2. Re:How It Works by Anonymous Coward · · Score: 2, Funny

      Like in Superman 3.

    3. Re:How It Works by Ancient_Hacker · · Score: 1
      Wait a sec, doesn't the OS know when it does a task-switch and do the timing and billing right then?

      Doing the billing on a clock tick sounds like a recipe for failure.

    4. Re:How It Works by SpaceLifeForm · · Score: 1

      I agree. Using spacetime counters would prevent the problem. But to do that properly and with decent accuracy would require 64 bit counters to nanosecond level.

      --
      You are being MICROattacked, from various angles, in a SOFT manner.
    5. Re:How It Works by Anonymous Coward · · Score: 0

      doesn't the OS know when it does a task-switch and do the timing and billing right then?
      this is how they solve it in the paper.
    6. Re:How It Works by qualidafial · · Score: 1

      The cheat program hogs the CPU by using it when the host OS isn't looking. As a result, it avoids the scrutiny of the OS's scheduler and is actually given a priority boost by some schedulers because of its good behavior.

      This is accomplished by sleeping for a fixed amount in between OS clock ticks. The timeline looks like this:
      1. Hardware is set to generate a "tick" event every N milliseconds.
      2. Tick event occurs, which is handled by the OS.
      3. OS notes which process is currently running on the CPU and bills it for this tick.
      4. OS wakes up cheating process, which is currently sleeping, and allows it to run.
      5. Cheating process runs for M (< N) milliseconds, then requests to go to sleep for 0 milliseconds. This causes the cheating process to sleep until just after the next tick.
      6. Repeat from step 2 above.
      You forgot:
      7. ?
      8. Profit! You're welcome.
    7. Re:How It Works by maxwell+demon · · Score: 1

      Unfortunately, since step 6 is an unconditional jump back to step 2, you'll never reach step 7, let alone step 8. Sorry, no profit for you. :-)

      --
      The Tao of math: The numbers you can count are not the real numbers.
    8. Re:How It Works by SuiteSisterMary · · Score: 1

      I'm suddenly reminded of those beasties in the Super Mario games that turn around, and you can sneak past, but then they whip around to look, and you have to stop moving, or they attack you.

      --
      Vintage computer games and RPG books available. Email me if you're interested.
    9. Re:How It Works by Ancient_Hacker · · Score: 1
      >would require 64 bit counters to nanosecond level.

      ... which is exactly what the x86 RDTSC instruction does, actually, to the clock cycle level.

      IMHO every CPU should have a nice wide clock cycle counter register.

      Mildly interesting side-note: RDTSC can take up to 40 clock cycles! Perhaps Intel implemented the counter as the dumbest ripple-carry architecture, so it can take a considerable time to propagate all the carries. Or maybe it takes that long to ensure all the previous instructions have finished. Whatever, it's a very useful feature for real-time work, too bad it's a little bit lethargic in some implementations.

    10. Re:How It Works by qualidafial · · Score: 1

      Damn.. I knew I should have added a "break;" somewhere in there...

  16. Back at NYIT we hacked the "nice" command... by Thagg · · Score: 2, Funny

    We had a user who insisted on abusing the "nice" command, to run his jobs at a higher priority. Pleading and cajoling didn't work, so we decided to get creative.

    We changed nice so that whenever this particular user ran it, it lowered his priority by exactly as much as he was attempting to raise it.

    He stopped coming to work soon after that. I suppose he had the last laugh though -- NYIT continued to pay him for another six months.

    Thad

    --
    I love Mondays. On a Monday, anything is possible.
    1. Re:Back at NYIT we hacked the "nice" command... by Random832 · · Score: 1

      What system is this that allows "nice" to raise priority for users other than root?

      And, you do realize that "nice" with a positive argument lowers priority.

      --
      We've secretly replaced Slashdot with new Folgers Crystals - let's see if it notices.
    2. Re:Back at NYIT we hacked the "nice" command... by pclminion · · Score: 1

      What system is this that allows "nice" to raise priority for users other than root?

      I don't know the answer, but there are a LOT of UNIX-like operating systems out there, and contrary to belief, they don't all work the same.

    3. Re:Back at NYIT we hacked the "nice" command... by Anonymous Coward · · Score: 0

      I recently discovered that my Linux installation now allows my user account to raise processes to -9, although it never let me do that when I had tried it before earlier this year. I don't know what update made the change though.

    4. Re:Back at NYIT we hacked the "nice" command... by td · · Score: 1

      It's easy: chown root `which nice`;chmod +s `which nice`. I'm probably the one that set it up that way. The Lab was a closed shop, before the days of the Internet, so we didn't worry about remote access. We trusted the staff not to misbehave, and mostly that trust was justified.

      --
      -Tom Duff
    5. Re:Back at NYIT we hacked the "nice" command... by Random832 · · Score: 1

      That doesn't run the child process as root?

      --
      We've secretly replaced Slashdot with new Folgers Crystals - let's see if it notices.
    6. Re:Back at NYIT we hacked the "nice" command... by td · · Score: 1

      Yeah, so that's probably not what I did. But still, it's easy. I don't really remember the details, it was 30 years ago.

      --
      -Tom Duff
  17. sweet! by SolusSD · · Score: 1

    Does it work on Solaris? If so I can run my sparse distributed memory simulator on the comp sci depts main server without waiting hours to get results!

    1. Re:sweet! by Anonymous Coward · · Score: 1, Informative

      The article seems to indicate that the cheat gets more throughput than non-cheating threads on Solaris 10. However, it appears that it would be trivial to reveal such a cheat with the dtrace sched provider and one of the probes such as remain-cpu.

      http://docs.sun.com/app/docs/doc/817-6223/6mlkidll8?a=view

    2. Re:sweet! by vtcodger · · Score: 1
      ***Does it work on Solaris? If so I can run my sparse distributed memory simulator on the comp sci depts main server without waiting hours to get results!***

      According to the article, it'll work on Solaris because the Solaris scheduler works on time ticks. However, they say Solaris actually has accurate timing information available, so the system administrators may be able to see that you are the guy stealing cycles. If you do come to their attention, they probably will not be pleased.

      --
      You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
  18. *BSD? by KlaymenDK · · Score: 1

    All prevalent operating systems but Mac OS X are vulnerable How does this reflect on the BSDs? (FreeBSD for being the closest relative, and OpenBSD for its goal of trying "to be the #1 most secure operating system")
    1. Re:*BSD? by Anonymous Coward · · Score: 0

      It's not a BSD kernel, only a BSD userland, so the BSD kernel probably is vulnerable, or else not prevalent ;)

    2. Re:*BSD? by Anonymous Coward · · Score: 0

      FreeBSD for being the closest relative

      MacOS is not FreeBSD. It's got a Mach kernal. It just uses lots of bits out of FreeBSD, but not the ones in question

      and OpenBSD for its goal of trying "to be the #1 most secure operating system"

      This looks like an efficiency issue, not a security issue.

    3. Re:*BSD? by Anonymous Coward · · Score: 0

      The paper shows how they fooled FreeBSD, which was somewhat harder

    4. Re:*BSD? by KlaymenDK · · Score: 1

      FreeBSD for being the closest relative
      MacOS is not FreeBSD. It's got a Mach kernal. I know, but in broad terms (especially in peoples' minds) it still seems to be "the closest" (just as "the best" Lotus Notes database need not be "a good" database ;-p ).

      and OpenBSD for its goal of trying "to be the #1 most secure operating system"
      This looks like an efficiency issue, not a security issue. And yet, hogging the CPU might be indistinguishable from a DDOS -- at least in the perspective of other users.
    5. Re:*BSD? by fnj · · Score: 1

      MacOS [X] [has] a Mach kernal [sic].
      Bzzzzt. Wrong. Thank you for playing.

      OS X has a hybrid kernel, XNU, a major part of it based on Mach, as well as incorporating sizable bits of FreeBSD, plus Apple bits that are not related to either one. It's not Mach, and it's not FreeBSD.

    6. Re:*BSD? by gig · · Score: 1

      > I know, [Mac OS X is not BSD] but in broad terms (especially in peoples' minds) it still seems to be "the closest"

      Yeah but neither Mac OS X nor FreeBSD runs in the mind at this time. The BSD subsystem in Mac OS X is an optional install, a Unix compatibility layer. The kernel is called xnu and although it is descended from Mach it is also descended from Mac OS and NeXT and also it is not a microkernel.

    7. Re:*BSD? by Some_Llama · · Score: 1

      bzzzt. I'll take "know it alls with a chip on their shoulder for $500" alex. "Who is fnj?"

    8. Re:*BSD? by Anonymous Coward · · Score: 0

      > OS X has a hybrid kernel, XNU, a major part

      Does this XNU kernel work by throwing excess extraterrestrial aliens into volcanos and topping them off with hydrogen bombs? Me thinks France must not allow the use of Apple computers in its government, because of the national security hazard posed by the XENU kernel. They better check if there are any rogue L. Ron Hubs in their network!

    9. Re:*BSD? by KlaymenDK · · Score: 1

      Hey, I just learned a little bit more today. Thanks! :-)

  19. Linux 2.6.21 is probably immune too by Wyzard · · Score: 5, Informative

    According to the paper, the reason Mac OS X is not vulnerable is that it uses one-shot timers scheduled for exactly when the next event needs to occur, rather than periodic "ticks" with a fixed interval between them. The "tickless idle" feature introduced in Linux 2.6.21 (currently only on x86, I believe) takes the same approach, and very possibly makes Linux immune too.

    (Ironically, immediately after discussing OSX's ticklessness, the paper mentions that "the Linux 2.6.16 kernel source tree contains 8,997 occurrences of the tick frequency HZ macro, spanning 3,199 files", to illustrate how difficult it is to take a tick-based kernel and make it tickless. But those kernel hackers went and did it anyway.)

    The tickless feature isn't yet implemented on all architectures that Linux supports, though. I think AMD64 support for it is supposed to come in 2.6.23, along with the new CFS scheduler.

    1. Re:Linux 2.6.21 is probably immune too by Phantom+Gremlin · · Score: 1

      It's also possible that OS X is a tickless kernel because of the underlying Mach microkernel, rather than because of BSD. But that's just a guess.

  20. Wait a minute by Anonymous Coward · · Score: 0

    If this program consumes CPU cycles, but it doesn't leave any indication that it does, how do I know that it works?

    1. Re:Wait a minute by Anonymous Coward · · Score: 0

      measure the time it takes until the program ends with/without cheating.

  21. How long till the patch is in place? by Anonymous Coward · · Score: 0

    How likely is it that cheat has already been in the wild for a while?

    I have noticed that my CPU on some tools show ~5 minute bursts of 100% usage, but top sorted by cpu usage peaks at ~5% usage and shows 90% idle.

  22. One Clock to Rule the ALL by deweycheetham · · Score: 1

    Tick Based Accounting v.s. Time Sliced/Sample Based Billing

    (Reminds me of some Zombies Processes I have seen in the past.)

  23. Fixed recently in Linux by iabervon · · Score: 4, Informative

    They took too long to publish this. Linux 2.6.21 (released in April) added support for using one-shot timers instead of a periodic tick, so it avoids the problem like OS X does. In addition to resolving this issue, tickless is important for saving power (because the processor can stay in a low-power state for long enough to get substantial benefits compared to the power cost of starting and stopping) and for virtual hosting (where the combined load of the guest OS scheduler ticks is significant on a system with a large number of idle guests). As a side effect, while the accounting didn't change at that point, the pattern a task has to use to fool the accounting became impossible to guess.

    The CFS additionally removes the interactivity boost in favor of giving interactive tasks no extra time but rather just quick access to their available time, which is what they really benefit from.

    1. Re:Fixed recently in Linux by Anonymous Coward · · Score: 0

      from reading the CFS documentation, I suspect Ingo read (or at least heard) of this paper, which is available on-line for more than a year according to one of the comments above. this is probably what Ingo means by saying "the CFS scheduler is not prone to any of the 'attacks' that exist today" see http://kerneltrap.org/node/8059

    2. Re:Fixed recently in Linux by iabervon · · Score: 1

      On the linux-kernel mailing list, there was a lot of discussion of patterns that cause bad scheduling decisions with various schedulers, generally focused on making test cases for interactivity problems for workloads people had seen. Since the authors of the paper got their initial hint from having problems with a particular real load, this and the work that Ingo is referring to independently encountered the same issues.

    3. Re:Fixed recently in Linux by Anonymous Coward · · Score: 0

      On the linux-kernel mailing list, there was a lot of discussion of patterns that cause bad scheduling decisions with various schedulers, generally focused on making test cases for interactivity problems for workloads people had seen. Since the authors of the paper got their initial hint from having problems with a particular real load, this and the work that Ingo is referring to independently encountered the same issues.
      Perhaps you are right, but AFAIK, the LKML doesn't contain any mention of a systematic "attack": Much like the initial hint upon which the paper is apparently based, the workloads that are described in the LKML discussions are "legitimate", in that no application is doing anything malicious. (Also note that process hiding is never discussed.) So the fact Ingo chooses to use the term "attack" in this context suggests he knows something that was not mentioned in the LKML.
    4. Re:Fixed recently in Linux by paleshadows · · Score: 1

      iabervon (1971) said:
      They took too long to publish this. Linux 2.6.21 (released in April) added support for using one-shot timers instead of a periodic tick, so it avoids the problem like OS X does ... The CFS additionally removes the interactivity boost in favor of giving interactive tasks no extra time but rather just quick access to their available time, which is what they really benefit from.
      Anonymous Cowered said:
      from reading the CFS documentation, I suspect Ingo read (or at least heard) of this paper, which is available on-line for more than a year according to one of the comments above. this is probably what Ingo means by saying "the CFS scheduler is not prone to any of the 'attacks' that exist today" see http://kerneltrap.org/node/8059

      iabervon (1971) said:
      On the linux-kernel mailing list, there was a lot of discussion of patterns that cause bad scheduling decisions with various schedulers, generally focused on making test cases for interactivity problems for workloads people had seen. Since the authors of the paper got their initial hint from having problems with a particular real load, this and the work that Ingo is referring to independently encountered the same issues.
      Anonymous Cowered said:
      Perhaps you are right, but AFAIK, the LKML doesn't contain any mention of a systematic "attack": Much like the initial hint upon which the paper is apparently based, the workloads that are described in the LKML discussions are "legitimate", in that no application is doing anything malicious. (Also note that process hiding is never discussed.) So the fact Ingo chooses to use the term "attack" in this context suggests he knows something that was not mentioned in the LKML.
      Also, as was pointed out above, the paper was available on-line (in the form of a technical report) a year before the first version of Ingo's CFS and the tick-less patch. It often takes some time to publish a scientific paper, and there's nothing you can do about that.
  24. Inevitable reply by lilomar · · Score: 4, Funny

    My mother is a gun-toting marxist redneck zealot astroturfer, you insensitive clod!

    --
    The creator of this post (Jacob Smith) hereby releases it, and all of his other posts, into the public domain.
    1. Re:Inevitable reply by Some_Llama · · Score: 4, Funny

      My mother is a Clod! you insensitive.. um.. nevermind.

  25. How To Defend Against This Attack by Shimmer · · Score: 1
    The crux of the problem is that the OS uses statistical sampling to account for CPU usage by user processes. Since the sampling occurs at regular intervals, it can be avoided by a cheating program. I can see two possible defenses against this:
    1. Modify the sampling mechanism so that it occurs at irregular intervals. This makes it difficult (but probably not impossible) for the cheater to avoid the sampler. (Apparently, the Mac OS uses this technique, although not for security reasons.)
    2. Modify the accounting algorithm so that it is not statistical. Since the OS is responsible for waking/sleeping all processes, it can know exactly how much CPU time each one is using. This would completely eliminate the problem.
    --
    The most rabid believers in American Exceptionalism are the exact same people whose policies are destroying it.
    1. Re:How To Defend Against This Attack by Anonymous Coward · · Score: 0

      Not at all. The point is that Mac OS X does NO sampling (or ticking), not that it does it "irregularly". Since it does not use ticks, it doesn't sample, but uses accurate measuring.
      It's true, however, that they don't do this for security reasons, but for the other benefits one-shot timing provides.

    2. Re:How To Defend Against This Attack by Tacvek · · Score: 2, Interesting

      The second one is obviously the better one. I think this is basically what the CFS does. (the following is my understanding. It may be wrong) For processes it figures out what amount of time each process should have (based on the number of processes. It tracks how much time each process is owed (in the case of 5 processes each deserves 1/5 of the total processor time). It subtracts the time used on each scheduler event (clock tick or voluntary yield.) Each clock tick the scheduler transfers control to the process owed the most time (but there is a minimum number of clock ticks before mandatory switching to prevent cache thrashing.) I presume voluntary yielding has some form of impact on the time owed amount, or else idling processes would always stay at the top of the list. Obviously there are more complications, such as nice levels, and everything.

      The big thing is that it is (AFAIK) tracking the exact amount of time used by each process. The only proper way to do that is to do it at both each clock tick, and each voluntary yield.

      One other rant I have is the naming of the so called O(1) scheduler. That scheduler was apparently O(1) but only because there is a limit to the maximum number of processes. In nearly every case it is possible to construct an O(1) algorithm if the maximum number of possibilities is known in advance. Technically the algorithm's timing was some function of the maximum number of processes. Since the maximum number of processes is a compile time constant, the algorithm is constant-time.

      --
      Stylish sheet to fix many problems in Slashdot's D3: https://gist.github.com/801524
  26. Hmm... by Anonymous Coward · · Score: 0

    Sounds like somebody's discovered Java!

  27. The sysadmin's best defense isn't a new scheduler by Anonymous Coward · · Score: 1, Funny

    It's a baseball bat.

    It doesn't even matter if these CPU-hogging processes can hide from "top" - you should already be making regular rounds of your users, even the ones you haven't caught doing anything wrong. Nobody questions it when you tell them, "You know what you did." Not when you're the one with the bat.

  28. Tickless? by Azuma+Hazuki · · Score: 1

    I recently saw a "tickless" option in the kernel config. Would using that solve this problem? I'm not a kernel hacker by any means; knowing enough to run a clean Gentoo with no issues doesn't necessarily imply programming talent.

    --
    ~Eien no Inori wo Sasagete~ Searching for my Hatsumi...
    1. Re:Tickless? by wild_berry · · Score: 1

      The 'tickless' scheduler is intended to allow the processor to not do anything until it is next needed and so go into power-saving sleep until awakened. A busy processor isn't going to be scheduled to do nothing if it has one of these cheat tasks running. I don't know if the process accounting mechanism has been altered to avoid the hack from the paper -- it may be that the means by which this cheat works will change for Linux-2.6 with tickless and even the 'Fair' schedulers CFS and SD, but that it still works.

  29. Here's the difference by KlaymenDK · · Score: 2, Informative

    (reply to self after RTFA)

    What 'saved' the Mac OS was its different use of timing triggers. "All" other OS'es use one common steadily ticking clock as a dealer of time slots. This allows the cheat to "skip to the start of the line (queue)" every time it's had its turn.

    OTOH, the Mac uses a stack of alarms set to specific points in the future, and polled in order as they occur. So the difference on Mac OS is that there's no skipping the queue, it's rather "there is no queue, we'll call you when it's your turn".

    I don't know the details of the OpenBSD scheduler, but it's very likely the same (clock tick) method as used by the rest of the susceptible OS'es.

    1. Re:Here's the difference by Jesus_666 · · Score: 1

      Interesting. Got more information on how the OS X scheduler does its thing?

      --
      USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
    2. Re:Here's the difference by KlaymenDK · · Score: 1

      Interesting. Got more information on how the OS X scheduler does its thing? Yes, it is. But nope, I only know very little more, from reading the article.

      Does Apple still publish those big "Inside Macintosh" books as they did way back when? If they do, I bet there's a gold mine in there (regardless of the colou^H^H^H^H^Hshade of your hat).
  30. Summary and Questions by Aaron+Isotton · · Score: 5, Informative

    The paper is quite long, so here's a summary (take this with a grain of salt, who wants accurate information should still RTFP):

    Most OSes (Linux, Solaris, Windows but not Mac OS X) are tick-based. This means that the kernel is called from hardware periodically (this is the "HZ" value you set in the Linux kernel). Some of them (Linux) simply check which process is running at each tick and compute statistics based on that ("sample-based statistics"). This means that the process running when the tick happens is billed for the entire period of the tick.

    Since ticks are typically "long" (typically 1-10 ms on Linux) more than one process may run during this period. In other words, using this approach leads to inaccuracies in the process billing. If all programs "play by the rules" this works quite well on average though.

    Next thing: the classic schedulers typically maintain some sort of "priority" value for each process, which decreases whenever the process is running and increases when it's not. This means that a process runs for some time, its priority decreases, and then another process (which hasn't been running for some time) takes over.

    You can exploit that by always sleeping when a tick happens and running only in-between ticks. This makes the kernel think that your process is never running and give it a high priority. So, when your process wakes up just after a tick happened, it will have a higher priority than most other processes and be given the CPU. If it goes to sleep again just before the next tick, its priority will not be decreased. Your process will (almost) always run when it wants to and the kernel will think that it's (almost) never running and keep its priority high. You win!

    Another aspect is that modern kernels (at least Linux and Windows) distinguish between "interactive" (e.g. media players) and "non-interactive" processes. They do so by looking how many times a process goes to sleep voluntarily. An interactive program (such as a media player) will have many voluntary sleeps (e.g. in between displaying frames) while a non-interactive program (e.g. a compiler or some number crunching program) will likely never go to sleep voluntarily. The scheduler gives the interactive programs an additional priority boost.

    Since the cheating programs go to sleep very often (at every tick) the kernel thinks they're "very interactive", which makes the situation worse.

    Some of the analyzed OSes - even if tick-based - do not use sample-based statistics in the kernel but they do use sample-based statistics for scheduling decisions. So the kernel sees that a process is taking more CPU than it should but it will still keep on scheduling it.

    Mac OS X is not affected because it has a tickless kernel (e.g. without periodic interrupts). Because of that sample-based statistics don't work and it has to use accurate statistics, which make it unaffected by the bug.

    This bug can be exploited to (at least)

    - get more CPU than you're supposed to
    - hinder other programs in their normal work
    - hide malicious programs (such as rootkits) which do work in the background

    Here's a list with the OSes (this USED TO BE a nicely formatted table, but the darned Slashdot "lameness filter" forced me to remove much of the nice lines and the "ecode" tag collapses whitespace).

    OS            Process statistics  Scheduler decisions  Interactive/non-interactive decision  Affected
    Linux         sample              sample               yes                                   yes
    Solaris       accurate            sample               ?                                     yes
    FreeBSD 4BSD  ?                   sample               no?                                   yes
    FreeBSD ULE   ?                   sample               yes                                   yes
    Windows       accurate            sample               yes                                   yes
    Mac OS X      accurate            accurate             not needed?                           yes

    I guess that Mac OS X doesn't need an interactive/non-interactive distinction because of its different (tickless) approach. I assume that interactive applications can (implicitly or explicitly) be recognized as such in a different way. Does anyone have more information on that?

    How does tickless Linux compare? What abo

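As an added illustration (not code from the paper or from any poster in this thread), the following Python model replays the timeline from Shimmer's "How It Works" post and the summary above, and bills it three ways: periodic tick sampling, sampling at a random offset inside each tick period (Shimmer's first defense), and exact accounting at every context switch (the second defense, and what redelm's RDTSC suggestion amounts to). Tick length, burst length, wake-up latency and task names are all constructed assumptions.

```python
"""Model of why tick-sampled CPU accounting can be evaded, and how
accounting at every context switch (or sampling at irregular times)
closes the gap. All numbers below are constructed for the example."""
from collections import Counter
import random

TICK_US = 1000          # constructed: a 1 kHz tick (N = 1 ms in Shimmer's notation)
WAKE_LATENCY_US = 10    # constructed: tick-to-run latency of the woken sleeper
EVADER_RUN_US = 800     # constructed: the evader's burst length (M < N)


def build_timeline(ticks, tick_us=TICK_US, evader_run_us=EVADER_RUN_US,
                   wake_latency_us=WAKE_LATENCY_US):
    """Return CPU-ownership segments (task, start_us, end_us) for `ticks`
    tick periods shared by a CPU-bound task ('honest') and an 'evader'.

    Per period: the tick fires while 'honest' holds the CPU; the evader is
    woken and runs for evader_run_us; it then sleeps and 'honest' gets the
    remainder, so 'honest' is again the owner when the next tick fires.
    """
    segments = []
    for t in range(ticks):
        tick_at = t * tick_us
        wake_at = tick_at + wake_latency_us
        sleep_at = wake_at + evader_run_us
        segments.append(("honest", tick_at, wake_at))
        segments.append(("evader", wake_at, sleep_at))
        segments.append(("honest", sleep_at, tick_at + tick_us))
    return segments


def owner_at(segments, now_us):
    """Which task holds the CPU at instant now_us (end bound exclusive)."""
    for task, start, end in segments:
        if start <= now_us < end:
            return task
    return "idle"


def sampled_billing(segments, ticks, tick_us=TICK_US, jitter_seed=None):
    """Tick-based accounting: at every sample the current owner is charged
    a whole tick. With jitter_seed set, the sample point is moved to a
    uniformly random offset inside each period (irregular sampling)."""
    rng = random.Random(jitter_seed) if jitter_seed is not None else None
    billed = Counter()
    for t in range(ticks):
        offset = rng.randrange(tick_us) if rng else 0
        billed[owner_at(segments, t * tick_us + offset)] += tick_us
    return billed


def accurate_billing(segments):
    """Context-switch accounting: charge each task exactly the time it held
    the CPU, measured when it is switched out (e.g. a cycle counter read at
    dispatch and again at the blocking syscall)."""
    billed = Counter()
    for task, start, end in segments:
        billed[task] += end - start
    return billed


def hidden_share(segments, ticks, tick_us=TICK_US):
    """Fraction of the evader's real CPU time that periodic sampling never
    attributes to it; 1.0 means it is invisible to tick-based billing."""
    real = accurate_billing(segments)["evader"]
    seen = sampled_billing(segments, ticks, tick_us)["evader"]
    return 1.0 - seen / real if real else 0.0


if __name__ == "__main__":
    N = 1000
    tl = build_timeline(N)
    print("periodic sampling :", dict(sampled_billing(tl, N)))
    print("jittered sampling :", dict(sampled_billing(tl, N, jitter_seed=1)))
    print("accurate billing  :", dict(accurate_billing(tl)))
    print("evader time hidden from periodic sampling: %.2f" % hidden_share(tl, N))
```

Periodic sampling charges the whole second to "honest" and nothing to the evader, accurate billing shows the evader holding the CPU 80% of the time, and jittered sampling lands close to that figure, which is why the comparison of "wall-clock progress" against "reported CPU time" suggested earlier in the thread is a workable detection signal.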
    1. Re:Summary and Questions by swinefc · · Score: 4, Informative

      Windows is affected, but not Vista.
      Vista changed to counting actual CPU cycle count register. The goal was to prevent process starvation in high I/O situations, but it also addresses this issue as well.
      http://www.microsoft.com/technet/technetmag/issues/2007/02/VistaKernel/

    2. Re:Summary and Questions by Anonymous Coward · · Score: 0

      In contrast to what you say, the paper says that Windows XP (like Vista) has cycle-accurate CPU-usage information. But the OS ignores this information and uses tick-based (sampled) information for scheduling. Thus, in Windows (XP and Vista), a cheater program is visible through the 'task manager', but can nevertheless monopolize the CPU as it pleases due to Windows' (XP and Vista) aggressive promotion of programs they erroneously identify as "interactive".

      It appears that the scheduler of Windows (XP and Vista) is so vulnerable and flawed in this respect (read section 5.3 in their paper) that it is beyond repair. It seems that the best thing for Microsoft is to just rewrite their scheduler from scratch.

    3. Re:Summary and Questions by Anonymous Coward · · Score: 0

      Solaris has several CPU scheduling classes. These are selected on a per-process basis, so you aren't limited to one policy for all processes like you are on Linux. Some of the classes can also be modified by system administrators to fine tune the scheduling policy for a system or a set of processes, or you can load your own if you don't like the OS-provided ones.

      In the default "time-sharing" class whether a process reaches the end of its CPU quantum is a factor in the decision to either promote or demote its ranking (which determines scheduling priority and the length of its next quantum) but interactivity is determined differently. Specifically, processes associated with the X window that currently has focus are dynamically switched into the higher priority, but possibly shorter quantum, "interactive" class.

      Processes can also give the scheduler hints about their behavior and even borrow time from a future time slice, within fairness limits.

    4. Re:Summary and Questions by EvanED · · Score: 1

      As a Windows user, if the "fix" is to decrease the priority boost of interactive applications... I don't want it fixed.

  31. Clever but what loss? by redelm · · Score: 2, Insightful
    Yield()ing just before timer tick is a neat trick to grab cycles, but what use are cycles? This might have been interesting on time-share machines 20 years ago. But now cycles are in gross surplus on most machines. And processes carefully controlled on loaded machines. Until this piggy can be remotely deployed, it isn't much of a hazard.

    A very simple patch is to issue RDTSC instructions at process restart and blocking syscall to count the cycles actually used. That way the extensive tick-code doesn't need to be modified.

    1. Re:Clever but what loss? by Anonymous Coward · · Score: 0

      Firstly, cycles are valuable when e.g. users share a cluster. Secondly, rdtsc has legitimate use scenarios, and many applications that need finer timing resolution than provided by gettimeofday depend on it. You can't just block it...

    2. Re:Clever but what loss? by m50d · · Score: 1

      As others pointed out, this could be very useful on shared hosting.

      --
      I am trolling
    3. Re:Clever but what loss? by redelm · · Score: 1
      I certainly wouldn't block RDTSC or interfere with the piggy's use of it. Just use it to watch'em.

      As for users on a cluster/shared host, that becomes an administrative issue. A thief can be caught (process watchdog on HD or ethernet interrupts) and booted. Probably a significant punishment to the thief, most of whom don't need cycles. Those who do are tied to software.

    4. Re:Clever but what loss? by Roadkills-R-Us · · Score: 1

      What use are cycles? Good question. we have a couple hundred systems in a compute farm. Our goal is to keep them 100% busy. We aren't there, but we have a high usage rate. We're getting ready to buy 50 more Core 2 Duos. Misue of this information could easily hose project deadlines.

      You need to get out into a broader segment of the computing world. 8^/

    5. Re:Clever but what loss? by redelm · · Score: 1
      My buddy runs a compute farm. I know what cycles are good for. What I don't see is how a criminal could reliably/statistically profit. People who need lots of cycles need them very reliably and the data is far too valuable to trust to any fly-by-night operation.

  32. Syntax failure. by Valdrax · · Score: 1

    Someone didn't preview and doesn't know how to use < and >.
    Also, what's the deal with that empty block in between the "while (1)" and the "{fork ();}"?
    Geez, if you're going to critique someone else's code, do a double-check on your own first.

    --
    If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
  33. Malware by Wesley+Felter · · Score: 1

    The point of the paper is that you could have some malware using 99% of your CPU and it wouldn't even show up in top.

    1. Re:Malware by redelm · · Score: 1
      I think it shows in `top` as sleeping. What malware needs cycles? Mostly they want ports (esp 25 SMTP outbound) or perhaps disk (searching). Protect the resources that need protecting!

  34. Re:Linux 2.6.21 is probably immune: RDTSC? by redelm · · Score: 2, Informative
    A very cheap, simple patch is to add RDTSC instructions at process restart and blocking syscall to count the cycles actually used. That way the extensive tick-code doesn't need to be modified.

  35. Per-user process limits by Valdrax · · Score: 2, Insightful

    Besides the syntax comment the other poster said, it could've also been that the school implemented per-user process limits on the machine. Linux has had this capability for years and years; most people just don't bother setting it, but universities hosting machines for programming students pretty much have to set it for exactly this sort of thing, whether it be accidental or malicious.

    --
    If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
  36. Re: MOD PARENT UP! by Anonymous Coward · · Score: 0

    n/t

  37. Way back in the '90s by kithrup · · Score: 2, Interesting

    Chris Torek gave a presentation at UseNIX about how a constant quantum could result in a process having its CPU usage unaccounted.

    His solution was to use a randomized quantum. Not unique per process, but randomized when the kernel starts running each process. That gave you a better accounting of the CPU time (statistics, doncha know :)), but also made this kind of attack much, much harder.

    I'm somewhat disappointed that I did not see Chris and Steven's paper referenced in this one. (I believe that the title of that paper was "Randomized Sampling Clock for CPU Utilization Estimation and Code Profiling," for those who care to find it.)

    1. Re:Way back in the '90s by Anonymous Coward · · Score: 0

      I'm somewhat disappointed that I did not see Chris and Steven's paper referenced in this one. (I believe that the title of that paper was "Randomized Sampling Clock for CPU Utilization Estimation and Code Profiling," for those who care to find it.)

      However, they did cite "A short note on cheap fine-grained time measurement" (from the mid '90s) that proposes the same randomized solution. They address this and some other possible solutions towards the end of the paper.
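A simulation of the two accounting strategies this sub-thread discusses, tick-aligned sampling versus randomized sampling instants, as an added example that is not from the comments or from either paper; the 10 ms tick, the 90% duty cycle and the two workload models are constructed assumptions. It shows that tick-aligned sampling bills a process that is always off the CPU at the tick instant nothing at all, while randomized sampling recovers an estimate close to actual usage.

```python
"""Simulate tick-sampled CPU accounting with fixed vs. randomized sampling.

Added example, not from the thread or either paper. The tick period, the
workloads and the run lengths are constructed. A scheduler that bills a whole
tick to whoever is running at the tick instant never sees a process that is
off the CPU at every tick; a randomized sampling instant restores the statistics.
"""
import bisect
import random

TICK_US = 10_000  # assumed 10 ms tick, as on a 100 Hz kernel


def continuous_workload(run_fraction, total_ticks):
    """An ordinary CPU-bound job: runs from t=0 until it has used its share."""
    return [(0, round(run_fraction * total_ticks * TICK_US))]


def tick_dodging_workload(run_fraction, total_ticks):
    """Model of the behaviour the thread discusses: the process runs right after
    each tick and blocks before the next one, so it is never on the CPU at a
    tick-aligned sampling instant. This is a timeline model, not a real process."""
    run_len = int(run_fraction * TICK_US)
    return [(t * TICK_US + 1, t * TICK_US + 1 + run_len) for t in range(total_ticks)]


def running_at(intervals, instant):
    """True if `instant` lies inside one of the sorted, non-overlapping intervals."""
    i = bisect.bisect_right(intervals, (instant, float("inf"))) - 1
    return i >= 0 and intervals[i][0] <= instant < intervals[i][1]


def actual_cpu_us(intervals):
    """Exact CPU time, as microstate accounting would report it."""
    return sum(end - start for start, end in intervals)


def sampled_cpu_us(intervals, sample_instants):
    """Tick accounting: every sample that finds the process running bills a full tick."""
    return sum(TICK_US for s in sample_instants if running_at(intervals, s))


def fixed_clock(total_ticks):
    """Samples exactly at each tick boundary."""
    return [t * TICK_US for t in range(total_ticks)]


def randomized_clock(total_ticks, rng):
    """One sample per tick, at a uniformly random offset within the tick."""
    return [t * TICK_US + rng.randrange(TICK_US) for t in range(total_ticks)]


def simulate(total_ticks=2000, run_fraction=0.9, seed=1):
    """Return {workload: {"actual": us, "fixed": us, "randomized": us}}."""
    rng = random.Random(seed)
    clocks = {"fixed": fixed_clock(total_ticks),
              "randomized": randomized_clock(total_ticks, rng)}
    workloads = {"continuous": continuous_workload(run_fraction, total_ticks),
                 "tick_dodging": tick_dodging_workload(run_fraction, total_ticks)}
    results = {}
    for wname, intervals in workloads.items():
        results[wname] = {"actual": actual_cpu_us(intervals)}
        for cname, samples in clocks.items():
            results[wname][cname] = sampled_cpu_us(intervals, samples)
    return results


if __name__ == "__main__":
    for wname, r in simulate().items():
        print(f"{wname:13s} actual={r['actual']:>9d}us "
              f"fixed={r['fixed']:>9d}us randomized={r['randomized']:>9d}us")
```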
  38. It's worse than you think... by Gazzonyx · · Score: 1

    Now I have no excuse to avoid working on the dbase (Access and VBA, ugh) I was an "Access Developer" for a while, even a consultant doing the same (yes, I would sell my soul for a dollar)
    Now I have a *Real* job as part of a programming team working with a *mostly* real RDBMS.

    You will be in my prayers, brother-in-arms. It's worse than that, I'm a software development major in college, working as an intern consultant. I don't even know VB, but using Real Languages gives me enough to fly by the seat of my pants. The dbase is done by some guy who can no longer be found, writes spaghetti code and has a fondness for loops while doing lookups. It's been 'upgraded' from Access '95, to '97, to 2K, yet I'm not allowed to just drop the thing into SQL Server and use .NET to put a new front end on it. It is the bane of my existence ATM. I mean, I don't even have a toolbox since you can only edit the code in the Visual Basic Editor (and I'm not going to export the hundreds of forms, reports, classes and modules one at a time because it won't let me batch). What I wouldn't give just for something with a tabbed interface! At the end of the day, I have to write some Java code to feel a little 'cleaner', and then some C++ in vi to cleanse me of Java. I figure I'll look back and laugh... a little nervous, insane, creepy laugh... or so I hope! Thank you for your prayers, I need them - is there a support group I can join or something? VBAA - Visual Basic for Applications Anonymous? I find hope in your message that one day, I too, shall move on to bigger and better things! A world where I can control my toolbox, a world without borders or proprietary lock-ins, a world where I don't have to leave comments like, "I have no idea what this is trying to accomplish, but toying with it is a Bad Idea, as it tends to break things that should in no way be reliant on it", a world where I can actually satisfy my caffeine cravings instead of chugging Mt. Dew by the gallon and still not have the strength to look at the code, a world where I don't have to explain why world writable files are a Bad Idea and log files should be in /var/log, not /data/ or why I prefer to admin using SSH instead of KDE or gnome.
    --
    If I mod you up, it doesn't necessarily mean I agree with what you've said, sorry.

    1. Re:It's worse than you think... by nomadic · · Score: 1

      But at least you're an intern. Imagine doing that for a living.

    2. Re:It's worse than you think... by deroby · · Score: 1

      ...classes and modules one at a time because it won't let me batch...

      In fact, it CAN be done, that is, I've done similar stuff in Excel, so I'm pretty sure that it's possible in Access too.

      I'll type this while I'm trying it out on some sample MDB I found here, there might (read: WILL) be better ways!

      * Go to VBA (alt-F11)
      * Make sure to reference the VBIDE library (Tools Menu, References, make sure that 'Microsoft Visual Basic for Applications Extensibility vX.Y' is checked)
      * Add a new module to the project, and enter this code in it:

      Option Compare Database
      Option Explicit

      Public Sub ExportAllVBAComponents()

          Dim oComponent As VBComponent
          Dim sFileName As String

          For Each oComponent In Application.VBE.ActiveVBProject.VBComponents

              Debug.Print "Exporting " & oComponent.Name & "..."

              Select Case oComponent.Type
                  Case vbext_ComponentType.vbext_ct_StdModule
                      sFileName = oComponent.Name & ".bas"
                  Case vbext_ComponentType.vbext_ct_ClassModule
                      sFileName = oComponent.Name & ".cls"
                  Case Else
                      'add as needed
                      sFileName = oComponent.Name & ".xxx"
              End Select

              oComponent.Export "c:\temp\" & sFileName
          Next

      End Sub

      The harder part is importing them again. You don't want to 'change' the code you're executing right now, so you'll need to come up with a way to exclude this module from the Import routine. One way would be to simply hard-code the module name, however, I think I'd rather put a flag on top of the file that says to exclude it. That way you can have multiple components that are 'immune to importing' without having to make changes to the import module each time. Something along these lines:

      Public Sub ImportAllVBAComponents()

          Dim oComponent As VBComponent
          Dim aoComponent() As VBComponent
          Dim lCounter As Long
          Dim sFileName As String

          'make copy of (pointers to) the project's components
          ReDim aoComponent(0 To Application.VBE.ActiveVBProject.VBComponents.Count)
          For lCounter = 1 To Application.VBE.ActiveVBProject.VBComponents.Count
              Set aoComponent(lCounter) = Application.VBE.ActiveVBProject.VBComponents(lCounter)
          Next

          For lCounter = 1 To UBound(aoComponent)
              Set oComponent = aoComponent(lCounter)

              If oComponent.CodeModule.Lines(1, 1) = "'SkipMeDuringImport !!" Then
                  Debug.Print "Skipping " & oComponent.Name & " because the 'DoNotImport'-flag was found"
              Else
                  Select Case oComponent.Type
                      Case vbext_ComponentType.vbext_ct_StdModule
                          sFileName = oComponent.Name & ".bas"
                      Case vbext_ComponentType.vbext_ct_ClassModule
                          sFileName = oComponent.Name & ".cls"
                      Case Else
                          'add as needed

      --
      If there is one thing to be learned on slashdot, it has to be sarcasm.
    3. Re:It's worse than you think... by Gazzonyx · · Score: 1

      Thank you very much! I'll give this a try. I salute you! P.S. - I actually kinda like the SQL Studio mgmt... it's a fisher-price GUI, but it gets out of my way so much more than the VB IDE does, and I can tab up things as I go along.

      --
      If I mod you up, it doesn't necessarily mean I agree with what you've said, sorry.

  39. Hmmm... by JavaRob · · Score: 1

    That might make an interesting sig, actually.

    1. Re:Hmmm... by Anonymous Coward · · Score: 0, Funny

      Wrong n00b!

  40. Re:How It Works for Kids by bussdriver · · Score: 1

    Red Light Green Light.
    Your goal is to run as quickly as you can towards me. When I turn and face you and say "Red Light" you must stop moving and if I catch you moving I make you start over from the beginning. When I'm not looking and say "Green Light" you can move again.

    In this case, the goal is to cover the greatest total distance instead of just reaching my position; so we could adapt it from running to eating: The "winner" is the one who eats the most and the losers end up hungry.

  41. Use a bunch of threads by c0d3r · · Score: 1

    Apparently windoze uses thread based scheduling, so a program with more threads gets more priority.. I believe that in most Unixes it's process based, depending on the thread package implementation, this may or may not work.

    M

  42. MOD PARENT UP by Actually,+I+do+RTFA · · Score: 1

    This, and the earlier comments about the latest Linux versions becoming tickless are ruining my plans for making a thumbdrive of nifty utilities.

    --
    Your ad here. Ask me how!
  43. Re:How It Works for Kids by MarsDefenseMinister · · Score: 1

    How about a baseball analogy? You steal bases by running when the ball's not in the air.

    A Car analogy? I got nothin.

    --
    No weapon in the arsenals of the world is so formidable as the will and moral courage of free men.-Ronald Reagan
  44. Dual core by tepples · · Score: 1

    Obviously, your CPU would run at 198%...

    Wait. Something's wrong here. Not if you have two cores, it isn't. If two cheating processes each take 99 percent of a core, then their total is 198 percent.
  45. Why is this new? by Quixadhal · · Score: 2, Insightful

    Nothing new here.

    I remember seeing this done on the VAX/VMS mainframe back in 1987. In that environment, it simply meant that you kept track of your timeslice and voluntarily gave it up before the scheduler took it away from you. That meant you got put at the top of the run queue, and unless someone else was doing the same thing, you were the next program to run. Voila... 99% CPU for you!

    Of course, ordinary users were given a limited amount of CPU time (as well as connect time, disk space, etc), so for the ordinary student, this just meant they used it up in a day or two instead of having a whole month. But then again, for class accounts, they could usually beg for more.

    Under unix variants, one could do the same by implementing cpu quotas at the user level. I've seen network packet quotas, and I'm sure someone out there has done cpu quotas along the same lines.

  46. Mod funny! by EvanED · · Score: 1, Offtopic

    Bravo, sir

  47. k thx bye by Doctor+O · · Score: 1

    This must be the best summary I've ever seen for any FA. That's all I wanted to know.

    NEXT!

    --
    Who is General Failure and why is he reading my hard disk?
  48. sounds familiar by Some_Llama · · Score: 1

    I could swear I have seen this already in Windows XP, I work as an IT tech so I see a lot of Windows systems (pity me?) anywho, I have come across a few systems where task manager shows the CPU pegged at 80-100% but no process in the process list is using it (sorted by CPU time), even the idle process shows 75% or so.. the system is slow as heck so I tend to believe the overall usage stats but it should show "something" using the processor.

    I would say (from my hazy memory) that the system suffered from malware too, as after a cleaning of the system it would be gone (the problem).

    I don't know for sure if the system was just too busy to report actual process usage or there was something hidden from the task manager so you couldn't kill it, but I have seen this a few times..

  49. so how much is this? by glitch23 · · Score: 0

    like so 'cheat 99% program' thereby insuring that the programs would get 99% of the CPU cycles, regardless of the presence of any other applications in the system, and in some cases (like Linux), in a way that keeps the program invisible from CPU monitoring tools

    So what's the deductible on this insurance?

    --
    this nation, under God, shall have a new birth of freedom. -- Lincoln, Gettysburg Address
  50. For some people by Roadkills-R-Us · · Score: 1

    That doesn't help if you can't upgrade to 2.6 on production machines...

  51. Regulated Computations by throbber · · Score: 1
    The paper says on page five, or in section 2.2:

    Possible applications include cracking encryptions in a matter of hours or days, running nuclear simulations, and illegally executing a wide range of otherwise regulated computations.

    Just what are the regulated computations that are being talked about?

  52. VAX Hack / Windows Immunity by Cassini2 · · Score: 1

    I heard about the same VAX hack at about the same time. The idea of boosting process priority by synchronizing to the CPU ticks isn't all that new.

    Of course, in 1987 Windows was completely immune to this problem. It had non-preemptive cooperative scheduling. :-)

  53. Re:The sysadmin's best defense isn't a new schedul by level_headed_midwest · · Score: 1

    A cattle prod works better than a baseball bat, but locking the users in the tape safe is the only sure way to ensure that they can't steal CPU cycles.

    --
    Just "gittin-r-done," day after day.
  54. Re:More bad Lunix security by Anonymous Coward · · Score: 0

    Is that you, BillyG?

    TFA (pdf) says `the Windows family` is also vulnerable. Note how, in the list of operating systems, `the Windows family` comes last, looking almost like an afterthought, or an also-ran.

    By the way, Bill. Any news on when Notepad is going to become a proper text editor, rather than just a toy?

  55. Damn! by Anonymous Coward · · Score: 0

    My computer just froze dead when I was reading the paper. Had to use the big red button.

  56. Solaris doesn't suffer from this by lokedhs · · Score: 1
    This is quite old actually. The trick is that you can fool system monitoring tools that use sampling by going to sleep at the exact time when the tool performs its sample.

    If you use Solaris, the top replacement "prstat" has a flag -m that enables microstate accounting. This will give you the exact CPU time used, and not an estimate.

    If you want to go further, you can use DTrace, which allows you to monitor in detail exactly what is going on. This is also unaffected by any tricks played by the process.

    1. Re:Solaris doesn't suffer from this by Anonymous Coward · · Score: 0

      This is quite old actually. The trick is that you can fool system monitoring tools that use sampling by going to sleep at the exact time when the tool performs its sample. If you use Solaris, the top replacement "prstat" has a flag -m that enables microstate accounting. This will give you the exact CPU time used, and not an estimate. If you want to go further, you can use DTrace, which allows you to monitor in detail exactly what is going on. This is also unaffected by any tricks played by the process.
      It seems you are missing the point. Solaris is vulnerable to the attack (= any "cheater" can monopolize the CPU) just like all the rest of the ticking OSs, despite the fact processes are "visible" within this OS: As pointed out by the paper, Solaris indeed continuously maintains accurate accounting. The point is that it does not use this accurate information for scheduling. Instead, it uses sample-based information. The fact that the accurate information is there and is not used only goes to show you that it's not "quite old actually". Had they known it, they would have fixed it. And it's an easy fix (a few dozen lines of code), if you believe the paper.
    2. Re:Solaris doesn't suffer from this by lokedhs · · Score: 1
      Yes, I did miss the point and I thank you for pointing that out.

      I know how the default Solaris scheduler works and yes, it is vulnerable to this. However, I'm not so sure it's really a problem. I suppose it can become a problem for systems where you have a lot of users sharing the CPU, but other than that it's really a non-issue in most cases.

      Perhaps Sun should ship a specific scheduling class that can be used for untrusted processes (although I suppose FIXED can somewhat fulfill this requirement).

    3. Re:Solaris doesn't suffer from this by paleshadows · · Score: 1

      Yes, I did miss the point and I thank you for pointing that out. I know how the default Solaris scheduler works and yes, it is vulnerable to this. However, I'm not so sure it's really a problem. I suppose it can become a problem for systems where you have a lot of users sharing the CPU, but other than that it's really a non-issue in most cases.
      It's definitely a problem in the common scenario where users share CPUs, because currently Solaris allows one user to starve all the rest!

      Perhaps Sun should ship a specific scheduling class that can be used for untrusted processes (although I suppose FIXED can somewhat fulfill this requirement).
      Yes, fixing the current scheduler seems the best way to go. All they need to do is use the accurate information they already maintain also for scheduling.
    4. Re:Solaris doesn't suffer from this by lokedhs · · Score: 1

      I was referring to the "fixed priority scheduling class" btw. :-) But yeah, you're right in what you said.

  57. I think it works this way by Frozen+Void · · Score: 1

    When it's time to check what process is running, the program (which is cheating and already knows the time of the check) just sleeps.
    That way it looks like it never uses CPU.

  58. Some poster above claims Vista is unaffected by Anonymous Coward · · Score: 0

    Which is possibly true as this paper was published before Vista was out. However, Vista security is more about preventing those processes from turning your comp into a spam zombie.

  59. Analogies by bussdriver · · Score: 1

    Teenagers:
    Start after parents leave, finish before the predicted time they come back.

    Cars:
    You SPEED when you are in areas without any cops watching.

    Baseball:
    Steal bases while the pitcher is not looking. diff: pitcher needs to forget what base you were previously on.

    Red Light Green Light:
    kid playing the sign is the scheduler. diff: being winner would be the one with the most distance traveled (could change game to eating candy.)