User: Password:
Subscribe / Log in / New account



Posted Nov 20, 2009 9:32 UTC (Fri) by anselm (subscriber, #2796)
In reply to: eclone() by socket
Parent article: eclone()

If PIDs are increased sequentially, unrelated programs can use the rate of process creation as a Ā»covert channelĀ« for (low-bandwidth) communication. Randomised PIDs prevent that.

(Log in to post comments)


Posted Nov 20, 2009 12:28 UTC (Fri) by quotemstr (subscriber, #45331) [Link]

Couldn't you use fluctuating number of processes as an even-lower-bandwidth covert channel?


Posted Nov 20, 2009 12:43 UTC (Fri) by anselm (subscriber, #2796) [Link]

Maybe. Off the top of my head, the problems with that might be that

  • other processes will fork, too, so especially on a busy system the signal-to-noise ratio will probably be much worse, and
  • you may not be allowed to create as many simultaneous processes as you need to make yourself noticeable.

The main difference is that with sequentially numbered PIDs, the receiver of the covert channel only needs to fork(2) periodically and look at the returned child PID to find out how many processes have been created in the meantime; it does not need to be able to find out how many processes are running on the system, let alone be able to find out how many child processes another process has (when a suitably hardened system may prevent it from finding out any details about that process at all, which is why the covert channel is necessary to begin with).

Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds