Slashdot Mirror


Secretly Monopolizing the CPU Without Being Root

An anonymous reader writes "This year's Usenix security symposium includes a paper that implements a "cheat" utility, which allows any non-privileged user to run his/her program, e.g., like so 'cheat 99% program', thereby ensuring that the program would get 99% of the CPU cycles, regardless of the presence of any other applications in the system, and in some cases (like Linux), in a way that keeps the program invisible from CPU monitoring tools (like 'top'). The utility exclusively uses standard interfaces and can be trivially implemented by any beginner non-privileged programmer. Recent efforts to improve the support for multimedia applications make systems more susceptible to the attack. All prevalent operating systems but Mac OS X are vulnerable, though by this kerneltrap story, it appears that the new CFS Linux scheduler attempts to address the problems that were raised by the paper."

14 of 250 comments

  1. The "sue" command by Anonymous Coward · Score: 1, Insightful

    Finally, the "sue" command of PC UNIX has been implemented.

  2. Re:A Useful Tool by cichlid · Score: 4, Insightful

    "you could always renice apache and mysql down to a lower priority. Possibly in a log-on/log-off script which would change the priorities and then reset them when you log out."

    Much easier to just renice your root shell automatically at login.

  3. Talk about a fair share scheduler! by ivan_w · Score: 5, Insightful

    I wasn't aware the schedulers for those systems were so deficient!

    In my days (yes, I'm an old fart) the schedulers had basic principles:

    - Voluntary yielding led you to get accounted for the time you spent running.
    - You could stay in the interactive queue for only a certain amount of time. After some amount of time had passed (a few secs), you were either bumped to non-interactive if you were running (with longer time slices but lower priority) or removed from the scheduler list for good (if the time spent there was idling). They had a special 'idle but interactive' (not eligible for dispatching) queue for that.
    - Scheduling a new task restarted a new time slice.

    That particular scheduler even had a 3 queue system so that if you got accidentally bumped into the non-interactive queue or if your process was semi-interactive you had a better chance of gaining interactive status again. And they had a 'really' not interactive queue for those CPU hogging processes.

    Of course this requires the hardware to have a precise timing feature (something with a granularity that is finer than the process interleaving time slice and ideally in the magnitude of instruction execution). And this scheduler wasn't using time sampling and time quanta (but something more like the OS X timer-on-demand paradigm).

    --Ivan

  4. Re:What does this mean? by SatanicPuppy · Score: 4, Insightful

    I don't know. I think retractions would screw with everything else. If you make a boneheaded statement (and I've done it more than once myself), it should stand. Otherwise, everyone who responds to correct your misstatement will look insane, and it'd be hard to metamod, because the comments wouldn't necessarily fit the context anymore, etc.

    --
    ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
  5. Re:What does this mean? by SatanicPuppy · Score: 4, Insightful

    That'd be fine, or even cool. It'd deflect the inevitable storm of 500 people saying, "Wrong n00b!" and not reading down far enough to see that you admitted it already, and let the whole discussion move on to more productive things.

    --
    ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
  6. Re:What the?! by MajinBlayze · Score: 2, Insightful

    or, just

    $ :(){ :|:& };:

    But that really isn't the point here. This lets you run any arbitrary program, using max resources (despite scheduling), AND hide the fact that the process is using *any* resources.

    --
    "Hate is baggage. Life's too short to be pissed off all the time." Danny Vinyard -American History X
  7. Re:A Useful Tool by oglueck · Score: 2, Insightful

    Still, thread creation can kill you. Renicing a fork bomb won't give you more cycles for your shell.

  8. Clever but what loss? by redelm · Score: 2, Insightful

    Yield()ing just before the timer tick is a neat trick to grab cycles, but what use are cycles? This might have been interesting on time-share machines 20 years ago. But now cycles are in gross surplus on most machines. And processes carefully controlled on loaded machines. Until this piggy can be remotely deployed, it isn't much of a hazard.

    A very simple patch is to issue RDTSC instructions at process restart and blocking syscall to count the cycles actually used. That way the extensive tick-code doesn't need to be modified.

  9. Re:Google-cache article by TheVelvetFlamebait · Score: 3, Insightful

    For those harboring poisonous grudges against PDFs...
    Speaking of userland processes using 99% CPU...

    --
    You know, there is a difference between trolling and pointing out the flaws in your reasoning. Just saying.
  10. Per-user process limits by Valdrax · Score: 2, Insightful

    Besides the syntax comment the other poster said, it could've also been that the school implemented per-user process limits on the machine. Linux has had this capability for years and years; most people just don't bother setting it, but universities hosting machines for programming students pretty much have to set it for exactly this sort of thing, whether it be accidental or malicious.

    --
    If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
  11. Re:What the?! by francium+de+neobie · Score: 2, Insightful

    This would render the machine unusable... until about a year back, when something changed, which leads me to suspect that the kernel has had protection against this sort of thing for a while now.
    I guess they just put an nproc limit on each user. It's just a trivial security measure against simple fork bombs. Assuming your Linux system uses PAM (most modern distros do), take a look at /etc/security/limits.conf.
  12. Re:Google-cache article by Anonymous Coward · Score: 2, Insightful

    Kind of like Alt-Tabbing off Slashdot when the PHB strolls by?

  13. Why is this new? by Quixadhal · Score: 2, Insightful

    Nothing new here.

    I remember seeing this done on the VAX/VMS mainframe back in 1987. In that environment, it simply meant that you kept track of your timeslice and voluntarily gave it up before the scheduler took it away from you. That meant you got put at the top of the run queue, and unless someone else was doing the same thing, you were the next program to run. Voila... 99% CPU for you!

    Of course, ordinary users were given a limited amount of CPU time (as well as connect time, disk space, etc), so for the ordinary student, this just meant they used it up in a day or two instead of having a whole month. But then again, for class accounts, they could usually beg for more.

    Under Unix variants, one could do the same by implementing CPU quotas at the user level. I've seen network packet quotas, and I'm sure someone out there has done CPU quotas along the same lines.

  14. Re:So, is vista security good enough.... by vtcodger · Score: 2, Insightful

    ***that others are starting to look after the *nix world for weaknesses? Once Windows is equal or better than *nix in terms of security, then all the security and malware people will start looking at us.***

    Of course not. It shows that OS research work is likely to be done on a Unix of some sort where the source code is available for analysis.

    TFA points out that Windows is just as vulnerable to these cheats as BSD, Linux and Solaris. The cheat works by releasing the CPU just before the end of a time tick, thereby allowing the whole tick to be charged to whatever task gets the rest of the tick. Windows, like Solaris, has accurate job accounting information available, but chooses not to use it for scheduling. In addition, like the Linux 2.6 kernel, Windows will actually artificially raise the priority of a cheating task under the misapprehension that the job is interactive.

    --
    You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
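As an added example that is not from the paper and not from any poster in this thread, the following C model contrasts the two accounting schemes that redelm (comment 8) and vtcodger (comment 14) describe: charging the whole tick to whichever task is on the CPU when the tick interrupt fires, versus measuring the elapsed time at every context switch (redelm's RDTSC suggestion). The two-task setup, the 1 kHz tick and the names simulate, sampled_ticks and precise_us are assumptions of the model, not anything the paper or the kernel defines.

```c
/* Toy model of tick-sampled vs. per-switch CPU accounting (added example,
 * not kernel code). Task 1 occupies run_us of every tick and then blocks;
 * task 0 is CPU-bound, so it is current whenever the tick interrupt fires. */
#include <stdint.h>

#define TICK_US 1000u               /* assumed HZ = 1000: one tick per ms */
#define NTASKS  2

struct accounting {
    uint64_t sampled_ticks[NTASKS]; /* whole tick charged to the current task */
    uint64_t precise_us[NTASKS];    /* timestamp delta taken at each switch   */
};

/* Run the model for n_ticks ticks; run_us in [0, TICK_US] is how much of
 * each tick task 1 actually uses before it gives up the CPU. */
struct accounting simulate(unsigned n_ticks, unsigned run_us)
{
    struct accounting a = {{0}, {0}};
    if (run_us > TICK_US) run_us = TICK_US;
    for (unsigned t = 0; t < n_ticks; t++) {
        /* Task 1 is switched in at tick start; when it is switched out, the
         * per-switch scheme charges it exactly the time it held the CPU. */
        a.precise_us[1] += run_us;
        /* Task 0 runs for the remainder of the tick. */
        a.precise_us[0] += TICK_US - run_us;
        /* The tick fires: the sampled scheme charges the entire tick to
         * whichever task happens to be current at that instant. */
        int current = (run_us == TICK_US) ? 1 : 0;
        a.sampled_ticks[current]++;
    }
    return a;
}

/* CPU share in percent as a tick-sampling monitor (e.g. top) would show it. */
unsigned sampled_share_pct(const struct accounting *a, int task)
{
    uint64_t total = a->sampled_ticks[0] + a->sampled_ticks[1];
    return total ? (unsigned)(100 * a->sampled_ticks[task] / total) : 0;
}

/* CPU share in percent from the per-switch measurements. */
unsigned precise_share_pct(const struct accounting *a, int task)
{
    uint64_t total = a->precise_us[0] + a->precise_us[1];
    return total ? (unsigned)(100 * a->precise_us[task] / total) : 0;
}
```

With run_us = 900 the sampled scheme reports task 1 at 0% while the per-switch scheme reports it at 90%, which is the gap the paper exploits and the reason accounting at context-switch time (or a scheduler like CFS that tracks actual runtime) closes it.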