Slashdot Mirror

← Back to Stories (view on slashdot.org)

Secretly Monopolizing the CPU Without Being Root

Posted by CmdrTaco on from the because-you-shouldn't dept.

An anonymous reader writes "This year's Usenix security symposium includes a paper that implements a "cheat" utility, which allows any non-privileged user to run his/her program, e.g., like so 'cheat 99% program' thereby insuring that the programs would get 99% of the CPU cycles, regardless of the presence of any other applications in the system, and in some cases (like Linux), in a way that keeps the program invisible from CPU monitoring tools (like 'top'). The utility exclusively uses standard interfaces and can be trivially implemented by any beginner non-privileged programmer. Recent efforts to improve the support for multimedia applications make systems more susceptible to the attack. All prevalent operating systems but Mac OS X are vulnerable, though by this kerneltrap story, it appears that the new CFS Linux scheduler attempts to address the problem that were raised by the paper."

10 of 250 comments (clear)

  1. Re:What does this mean? by pauljlucas · · Score: 5, Informative

    What?! I'm really not sure what's being said here. I understand the idea behind this, but the wording of the Slashdot piece is difficult to penetrate, even by Slashdot standards.
    I hard a hard time reading it as well, but then I saw it (kind of like when you suddenly "see" the picture in a stereogram). Proper punctuation, whitespace, formatting, and font changes help a lot. It should have been:

    .. allows any non-privileged user to run his/her program, like so:

    cheat 99% program

    thereby insuring ...

    where cheat is the name of the compiled utility that lets you "cheat", 99% is an argument to cheat, and program is the name of some other program that you want to run at 99% of the CPU. I.e., the command line syntax resembles renice.
    --
    If you reply, do so only to what I explicitly wrote. If I didn't write it, don't assume or infer it.
  2. Re:What does this mean? by Da+Fokka · · Score: 5, Funny

    If you reply, do so only to what I explicitly wrote. If I didn't write it, don't assume or infer it.


    You gun-toting marxist redneck zealot astroturfers make me sick!

  3. Talk about a fair share scheduler ! by ivan_w · · Score: 5, Insightful

    I wasn't aware the schedulers for those systems were so deficient !

    In my days (yes, I'm an old fart) - the schedulers had basic principles :

    - Voluntary yielding led you to get accounted for the time you spent running.
    - You could stay in the interactive queue for only a certain amount of time. After some amount of time had passed (a few secs) you were either bumped to non-interactive if you were running (with longer time slices but lower priority) or removed off the scheduler list for good (if the time spent there was idling). They had a special 'idle but interactive' (not eligible for dispatching) queue for that.
    - Scheduling a new task restarted a new time slice

    That particular scheduler even had a 3 queue system so that if you got accidentally bumped into the non-interactive queue or if your process was semi-interactive you had a better chance of gaining interactive status again. And they had a 'really' not interactive queue for those CPU hogging processes.

    Of course this requires the hardware to have a precise timing feature (something with a granularity that is finer than the process interleaving time slice time and ideally in the magnitude of instruction execution). And this scheduler wasn't using time sampling and time quantums.. (but something more like the OSX timer on demand paradigm).

    --Ivan

  4. Re:Google-cache article by brunascle · · Score: 5, Informative

    and for those who dont have the time to read the paper...

    it works by avoiding running during the exact moment of a clock tick (which would be the moment when CPU usage per-process is checked). to start running immediately after a clock tick is (apparently) easy, but to stop before the next tick is harder. the paper suggests using some kind of get_cycles assembly instruction to count how many CPU cycles there are per clock tick, and use that number to gauge when the next clock tick is going to occur by counting how many CPU cycles have elapsed.

  5. How It Works by Shimmer · · Score: 5, Informative
    The cheat program hogs the CPU by using it when the host OS isn't looking. As a result, it avoids the scrutiny of the OS's scheduler and is actually given a priority boost by some schedulers because of its good behavior.

    This is accomplished by sleeping for a fixed amount in between OS clock ticks. The timeline looks like this:
    1. Hardware is set to generate a "tick" event every N milliseconds.
    2. Tick event occurs, which is handled by the OS.
    3. OS notes which process is current running on the CPU and bills it for this tick.
    4. OS wakes up cheating process, which is currently sleeping, and allows it to run.
    5. Cheating process runs for M (< N) milliseconds, then requests to go to sleep for 0 milliseconds. This causes the cheating process to sleep until just after the next tick.
    6. Repeat from step 2 above.
    --
    The most rabid believers in American Exceptionalism are the exact same people whose policies are destroying it.
  6. Re:Old news by Anonymous Coward · · Score: 5, Informative

    Publishing papers takes a lot of time, as anybody who ever done it would know... For example, the post you mention is from Feb 2007. By then, according to the usenix-security call for papers, the paper has already been submitted. Also, google-ing "cheat" around revealed this technical report: http://leibniz.cs.huji.ac.il/anon?View=1&num=1&pid %5B1%5D=870&abstract=1 (seems the initial version of the paper) which is dated May 2006.

  7. Re:What does this mean? by networkBoy · · Score: 5, Interesting

    Why not leave the post but allow a "retracted" tickbox? Thus at least the owner of the comment can effectively say "I was wrong, boneheaded, whatever" without having to post another comment and wait two minutes to do it? and all that shows up it a one-liner under the comment:
    This comment has been retracted by its poster

    -nB

    --
    whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
  8. Linux 2.6.21 is probably immune too by Wyzard · · Score: 5, Informative

    According to the paper, the reason Mac OS X is not vulnerable is that it uses one-shot timers scheduled for exactly when the next event needs to occur, rather than periodic "ticks" with a fixed interval between them. The "tickless idle" feature introduced in Linux 2.6.21 (currently only on x86, I believe) takes the same approach, and very possibly makes Linux immune too.

    (Ironically, immediately after discussing OSX's ticklessness, the paper mentions that "the Linux 2.6.16 kernel source tree contains 8,997 occurrences of the tick frequency HZ macro, spanning 3,199 files", to illustrate how difficult it is to take a tick-based kernel and make it tickless. But those kernel hackers went and did it anyway.)

    The tickless feature isn't yet implemented on all architectures that Linux supports, though. I think AMD64 support for it is supposed to come in 2.6.23, along with the new CFS scheduler.

  9. Summary and Questions by Aaron+Isotton · · Score: 5, Informative

    The paper is quite long, so here's a summary (take this with a grain of salt, who wants accurate information should still RTFP):

    Most OSes (Linux, Solaris, Windows but not Mac OS X) are tick-based. This means that the kernel is called from hardware periodically (this is the "HZ" value you set in the Linux kernel). Some of them (Linux) simply check which process is running at each tick and compute statistics based on that ("sample-based statistics"). This means that the process running when the tick happens is billed for the entire period of the tick.

    Since ticks are typically "long" (typically 1-10 ms on Linux) more than one process may run during this period. In other words, using this approach leads to inaccuracies in the process billing. If all programs "play by the rules" this works quite well on average though.

    Next thing: the classic schedulers typically maintain some sort of "priority" value for each process, which decreases whenever the process is running and increases when it's not. This means that a process runs for some time, its priority decreases, and then another process (which hasn't been running for some time) takes over.

    You can exploit that by always sleeping when a tick happens and running only in-between ticks. This makes the kernel thinks that your process is never running and give it a high priority. So, when your process wakes up just after a tick happened, it will have a higher priority than most other processes and be given the CPU. If it goes to sleep again just before the next tick, its priority will not be decreased. Your process will (almost) always run when it wants to and the kernel will think that it's (almost) never running and keep its priority high. You win!

    Another aspect is that modern kernels (at least Linux and Windows) distinguish between "interactive" (e.g. media players) and "non-interactive" processes. They do so by looking how many times a process goes to sleep voluntarily. An interactive program (such as a media player) will have many voluntary sleeps (e.g. inbetween displaying frames) while a non-interactive program (e.g. a compiler or some number crunching program) will likely never go to sleep voluntarily. The scheduler gives the interactive programs an additional priority boost.

    Since the cheating programs go to sleep very often (at every tick) the kernel thinks they're "very interactive", which makes the situation worse.

    Some of the analyzed OSes - even if tick-based - do not use sample-based statistics in the kernel but they do use sample-based statistics for scheduling decisions. So the kernel sees that a process is taking more CPU than it should but it will still keep on scheduling it.

    Mac OS X is not affected because it has a tickless kernel (e.g. without periodic interrupts). Because of that sample-based statistics don't work and it has to use accurate statistics, which make it unaffected by the bug.

    This bug can be exploited to (at least)

    - get more CPU than you're supposed to
    - hinder other programs in their normal work
    - hide malicious programs (such as rootkits) which do work in the background

    Here's a list with the OSes (this USED TO BE a nicely formatted table, but the darned Slashdot "lameness filter" forced me to remove much of the nice lines and the "ecode" tag collapses whitespace).

    OS, Process statistics, Scheduler decisions, Interactive/non-interactive decision, Affected
    Linux, sample, sample, yes, yes
    Solaris, accurate, sample, ?, yes
    FreeBSD 4BSD, ?, sample, no?, yes
    FreeBSD ULE, ?, sample, yes, yes
    Windows, accurate, sample, yes, yes
    Mac OS X, accurate, accurate, not needed?, yes

    I guess that Mac OS X doesn't need a interactive/non-interactive distinction because of its different (tickless) approach. I assume that interactive applications can (implicitly or explicitly) can be recognized as such in a different way. Does anyone have more information on that?

    How does tickless Linux compare? What abo

  10. Re:Google-cache article by brunascle · · Score: 5, Funny

    it run when OS not looking