[TALK] Proving fundamental Unix guarantees

Chris Maltby chris at sw.oz.au
Mon Jun 30 17:44:40 EST 2003 

> On 2003-Jun-30 11:44:16 +1000, Peter Jeremy <peter.jeremy at alcatel.com.au> wrote:
> >In response to a query, one of our Unix vendors has stated
> >"OS-name-deleted-to-protect-the-guilty does not guarantee that all
> >memory given to a program is necessarily initialised" and "there are
> >regions known as BSS which hold data (i.e. program variables) which
> >ARE NOT INITIALISED.  What this means is that these variables will
> >hold whatever was in that memory location before it was allocated to
> >them. ...  This is designed behaviour".

On Mon, Jun 30, 2003 at 04:28:30PM +1000, Peter Jeremy wrote:
> Based on the replies I have received, maybe I should have included
> more information.

Indeed.

> We have bumped into a problem where a warm reboot (eg "shutdown -r")
> gives different behaviour to a cold reboot (eg "shutdown -h"/boot).
> According to the vendor, the only difference is that in the latter
> case physical RAM will be initialised, whereas in the former case it
> retains the previous values.  I have suggested that this appears to
> indicate that the kernel is using memory without initialising it -
> which is a bug in the kernel.  The vendor has suggested that the
> kernel passes memory to the application without initialising it and
> therefore it is a bug in the application.

This is an entirely different class of problem. The OS must take care
of such things as clearing its own memory itself (unless the boot
loader does it). Given that after the power has been cycled DRAM
will be guaranteed to be random junk (and parity/ECC errors) all
sensible OSs should start by zeroing all accessible memory...

What you are describing is 99.9% likely to be an OS problem.

> Whilst I agree that there may be bugs in the application, having a
> kernel pass uninitialised memory to a userland process is a major
> security hole.  (Want another process to be given a copy of your
> su/pgp/ssh processes memory image?)  I have confirmed that as far as I
> can determine (and as expected), all memory is initialised before
> being passed to the application.

That would be the correct behaviour for the OS.

> Definitely the C standards require uninitialised static variables
> (which are normally stored in BSS) to be initialised as if they were
> assigned zero (which is zero on most systems) - though the mechanism
> isn't specified.  I was hoping that some of the POSIX or SVID
> standards might say some words on the the kernel/userland interface.

I'm sure it's there somewhere...

Chris

More information about the Talk mailing list