Hi, I have a security question about pointers and memory protection.
Can pointers point to any given memory address or are there security mechanisms in the OS which will detect this. Can one process access and change another process data in memory by simply using a pointers?
The memory is a shared resource between the OS and all its processes, can one process cause another process to fail by accessing its memory?
Appreciate feedback.
_____
Sizqo
Pointers and memory protection
-
Pype.Clicker
- Member
- Posts: 5964
- Joined: Wed Oct 18, 2006 2:31 am
- Location: In a galaxy, far, far away
- Contact:
well, there's something called "paging" that typically prevents you from doing what you've mentionned. The physical memory isn't shared at all: it's rather controlled by the OS which will fill each process' mapping tables so that it only sees what it is allowed to see.
Generating pointers in the wild will (normally) lead to areas of the virtual address space that are mapped to nothing (and which the OS intercepts as being a fault from the process).
Generating pointers in the wild will (normally) lead to areas of the virtual address space that are mapped to nothing (and which the OS intercepts as being a fault from the process).
-
blackcatcoder
- Member
- Posts: 132
- Joined: Wed Nov 03, 2004 12:00 am
- Location: Austria
- Contact:
as already mentioned paging can prevent such errors and paging can also allow to share pages.
every time when a process tries to use an memory ares of another process an exeption will be cause so the operating system can decide what to do.
if you're going to use paging read the intel manuals on how you can set up page directories and page tables.
every time when a process tries to use an memory ares of another process an exeption will be cause so the operating system can decide what to do.
if you're going to use paging read the intel manuals on how you can set up page directories and page tables.
Paging has been mentioned above.
Usually processes are mapped in their own address space, so it is impossible for one process to access anothers memory. as the virtual address 0x80000000 points to a different physical page in memory than another process. if you do just set a pointer to some arbitrary address, you will most likely either get a page fault meaning the page hasn't been mapped into memory, or you will trigger a protection fault if you try to access memory in a lower ring.
Usually processes are mapped in their own address space, so it is impossible for one process to access anothers memory. as the virtual address 0x80000000 points to a different physical page in memory than another process. if you do just set a pointer to some arbitrary address, you will most likely either get a page fault meaning the page hasn't been mapped into memory, or you will trigger a protection fault if you try to access memory in a lower ring.
Thx for the feedback so far. However, consider this short code:
Here, an array with two elements have been declared, but it is used as if it had three elements. The output will have the value = 9, at the bottom. It appears that the address of the variable output and array[2] are the same.
Is this allowed because the variables are within the same scope?
Another thing, can a process retreive information from the OS of which part of the memory it uses, what it contains and how big it is?
Code: Select all
int input[2];
int output = 2;
input[0] = 3;
input[1] = 4;
output = input[0] + input[1] + input[2];
Is this allowed because the variables are within the same scope?
Another thing, can a process retreive information from the OS of which part of the memory it uses, what it contains and how big it is?
-
Pype.Clicker
- Member
- Posts: 5964
- Joined: Wed Oct 18, 2006 2:31 am
- Location: In a galaxy, far, far away
- Contact:
this is possible because all your variables belong to the same program. There's no way for the OS (and not even for the processor) to detect you're actually going beyond an array bound, as the array only exists in the developer's mind and in the source code, not in the binary program.
(though i'd have bet GCC would have issued a warning in such an obvious case, i didn't find the flags to have it, and yes, i tried -pedantic -Wall)
(though i'd have bet GCC would have issued a warning in such an obvious case, i didn't find the flags to have it, and yes, i tried -pedantic -Wall)
that depends on the OS, of course. In Linux, /proc/self/maps would be pretty close iiuuc: that would show you something likecan a process retreive information from the OS of which part of the memory it uses, what it contains and how big it is
Now if you'd like to see which variable stands at what address and how large it is (not only "okay, this is the standard library and here's the file i mapped in memory"), then you'll need to compile your program with debugging support and parse debugging sections like a debugger would do. And no, the OS typically doesn't help you doing that./home/pype> cat /proc/self/maps
08048000-0804c000 r-xp 00000000 03:41 15462 /bin/cat
0804c000-0804d000 rw-p 00003000 03:41 15462 /bin/cat
0804d000-0806e000 rw-p 0804d000 00:00 0 [heap]
4da4e000-4da62000 r-xp 00000000 03:41 136802 /lib/ld-2.3.5.so
4da62000-4da64000 rw-p 00014000 03:41 136802 /lib/ld-2.3.5.so
4da66000-4db8e000 r-xp 00000000 03:41 136803 /lib/tls/i686/cmov/libc-2.3.5.so
4db8e000-4db8f000 r--p 00128000 03:41 136803 /lib/tls/i686/cmov/libc-2.3.5.so
4db8f000-4db92000 rw-p 00129000 03:41 136803 /lib/tls/i686/cmov/libc-2.3.5.so
4db92000-4db94000 rw-p 4db92000 00:00 0
b7f99000-b7f9a000 rw-p b7f99000 00:00 0
b7fab000-b7fad000 rw-p b7fab000 00:00 0
bff97000-bffad000 rw-p bff97000 00:00 0 [stack]
ffffe000-fffff000 ---p 00000000 00:00 0 [vdso]