Ext 2/3 overwriting remnant data & use of data blocks - security

Mermell, Todd mermell at amazon.com
Fri Oct 8 19:04:42 UTC 2004


Hi there,

In your example, you are using dd, which is going to truncate the file each time, resulting in reallocation of the data blocks:

open("./<somefile>", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666) = 1

(where <somefile> is an existing file)

You might want to check what method you are using to overwrite the file, i.e. C, perl, shell, etc. If you're making the read/write or pread/pwrite system calls, then you might want to just check what flags are being passed to "open."

-Todd


-----Original Message-----
From:	hell know [mailto:sp0ck1701 at yahoo.com]
Sent:	Thu 10/7/2004 6:33 PM
To:	ext3-users at redhat.com
Cc:	
Subject:	Ext 2/3 overwriting remnant data & use of data blocks - security  
Greetings all-
 
I am conducting security testing on a device that uses Linux 2.4 with ext3.  I am testing secure overwrite of remnant data in temporary files, but have run into a real good stumper in the way Ext allocates data blocks.  I've got 10 yrs of *NIX behind me, several with Linux, and this has really got me perplexed as I can't find any documentation explaining the subject enough for me to figure out what's going on, so I'm hoping someone can help shed some light on this... any help would be appreciated!
 
BACKGROUND:
Device under test uses temporary spool files.  When those files are no longer needed, they are to be overwritten by the three-pass DOD overwrite (pattern '35', 'ca', '97'), then deleted.  (In case anyone out there asks the obvious question, I am aware that Ext supports a "secure" attribute but unfortunately that isn't enough for our purposes.  It HAS to be a 3-pass overwrite... after all, that answer would be TOO EASY ;-).  Also, the file is written and overwritten sequentially; that may be important to know when I get to the problem.
 
What is supposed to happen is this:
1)  File is created.  Inode allocated.  Data blocks allocated, etc.  Initial data is put into the file.  {For example, let's say the file occupies data blocks 100 - 200 }
 
2)  File is read/processed.  (And is then no longer needed)
 
3)  File is overwritten three times from beginning to end to overwrite the remnant data:
 
3a) with pattern '35' 
{ If I go in with dd and check data blocks 100-200 I should see all '35' }
 
3b) with pattern 'ca' { data blocks 100-200 should be all 'ca' }
{ If I go in with dd and check data blocks 100-200 I should see all 'ca' }

 
3c) with pattern '97' { data blocks 100-200 should be all '97' }
{ If I go in with dd and check data blocks 100-200 I should see all '97' }

 
4)  File is deleted (inode/dir entry zapped per typical *NIX behavior) {data blocks 100-200 deallocated }
{ If I go in with dd and check data blocks 100-200 I should see all '97' still, until the blocks are reused by another file }

 
Makes good sense, right? ;-)
 
PROBLEM:
I'm not seeing the behavior described above.  Linux keeps "shifting" the data blocks around each time the file is written to.  So using our hypothetical data block numbering, I see something like this occurring:
 
1)  File is created.  Inode allocated.  Data blocks allocated, etc.  Initial data is put into the file.  {Data blocks 100 - 200 }
 
2)  File is read/processed.  (And is then no longer needed)
 
3)  File is overwritten three times from beginning to end to overwrite the remnant data:
 
3a) with pattern '35' 
{ data blocks 300-400 get written with all '35', not 100-200 }
{ If I go in with dd and check data blocks 100-200 I still see the original data }
 

3b) with pattern 'ca' 
{ data blocks 500-600 get written with all 'ca', not 100-200 }
{ If I go in with dd and check data blocks 100-200 I still see the original data }


 
3c) with pattern '97' { data blocks 100-200 should be all '97' }

{ data blocks 700-800 get written with all '97', not 100-200 }
{ If I go in with dd and check data blocks 100-200 I still see the original data }


 
4)  File is deleted (inode/dir entry zapped per typical *NIX behavior) {data blocks 100-200 deallocated }

{ If I go in with dd and check data blocks 100-200 I still see the original data until the data blocks are overwritten by another file }

 
So you can see my problem.  I suspect it has something to do with the way Ext 2/3 preallocates blocks, and its use of "block groups".  But I have been unable to locate any good docs which clearly explain exactly what algorithm logic controls this, and how to either change it or work with it somehow for the overwrite process.
 
Can anyone shed any light into this?  Am I heading in the right direction here?  I'm not afraid to read any docs if you can point me to them.  (Or if it can be explained simply and you're willing to type it out, that's great too!) 
 
MORE INFO
As proof of concept, I wrote the simple script below.  As you can see all it does is open a file, write a chunk of data to it (simulating the initial data write), and then repeats that process 25 times (simulating cycles of overwrites); each time it grabs the list of data blocks using debugfs and its "stat" command.  And for my immediate purposes, the first 12 direct blocks are sufficient-- don't want to even think about indirect blocks until I get this behavior figured out.
 
Before I get to the tty dumps, I want to say THANK YOU to anyone who's read this post this far... and of course, thanks in advance to any help!!!

The pertinent info:
# uname -a
Linux vrh90 2.4.20-8 #1 Thu Mar 13 17:18:24 EST 2003 i686 athlon i386 GNU/Linux
# mount
/dev/hda2 on / type ext3 (rw)
none on /proc type proc (rw)
/dev/hda1 on /boot type ext3 (rw)
none on /dev/pts type devpts (rw,gid=5,mode=620)
none on /dev/shm type tmpfs (rw)
//192.168.0.1/data1 on /mnt type smbfs (0)

----
# Run as root: debugfs reads the block device directly.
# /dev/hda2 is the filesystem that holds /tmp (see the mount output above).
for (( i=0;i<20;i=i+1 )); do
echo Pass $i
# dd opens the output file with O_TRUNC, so every pass frees the inode's data
# blocks and gets newly allocated ones instead of rewriting the old ones.
dd if=/dev/urandom of=/tmp/target1 bs=1 count=102400
# Dump the inode, including its block list, after each pass.
debugfs /dev/hda2 -R "stat /tmp/target1" 2> /dev/null | tee -a /tmp/log
done
----

Here is the "log" file containing debugfs "stat /tmp/target1" for each cycle.  (I can see a definite pattern on some of these in which blocks are used, but again I'm trying to figure out what the algorithm is that causes it):
 
----
Inode: 209219   Type: regular    Mode:  0644   Flags: 0x0   Generation: 3550218717
User:     0   Group:     0   Size: 102400
File ACL: 0    Directory ACL: 0
Links: 1   Blockcount: 208
Fragment:  Address: 0    Number: 0    Size: 0
ctime: 0x4165bae1 -- Thu Oct  7 17:53:37 2004
atime: 0x4165bade -- Thu Oct  7 17:53:34 2004
mtime: 0x4165bae1 -- Thu Oct  7 17:53:37 2004
BLOCKS:
(0-11):453994-454005, (IND):454006, (12-13):454007-454008, (14-24):455201-455211
TOTAL: 26
Inode: 209219   Type: regular    Mode:  0644   Flags: 0x0   Generation: 3550218717
User:     0   Group:     0   Size: 102400
File ACL: 0    Directory ACL: 0
Links: 1   Blockcount: 208
Fragment:  Address: 0    Number: 0    Size: 0
ctime: 0x4165bae5 -- Thu Oct  7 17:53:41 2004
atime: 0x4165bade -- Thu Oct  7 17:53:34 2004
mtime: 0x4165bae5 -- Thu Oct  7 17:53:41 2004
BLOCKS:
(0-10):14775-14785, (11):14787, (IND):14788, (12-18):14789-14795, (19-24):14804-14809
TOTAL: 26
Inode: 209219   Type: regular    Mode:  0644   Flags: 0x0   Generation: 3550218717
User:     0   Group:     0   Size: 102400
File ACL: 0    Directory ACL: 0
Links: 1   Blockcount: 208
Fragment:  Address: 0    Number: 0    Size: 0
ctime: 0x4165bae8 -- Thu Oct  7 17:53:44 2004
atime: 0x4165bade -- Thu Oct  7 17:53:34 2004
mtime: 0x4165bae8 -- Thu Oct  7 17:53:44 2004
BLOCKS:
(0-1):8887-8888, (2):8890, (3-8):8892-8897, (9-11):8900-8902, (IND):8903, (12-14):8904-8906, (15-24):8908-8917
TOTAL: 26
Inode: 209219   Type: regular    Mode:  0644   Flags: 0x0   Generation: 3550218717
User:     0   Group:     0   Size: 102400
File ACL: 0    Directory ACL: 0
Links: 1   Blockcount: 208
Fragment:  Address: 0    Number: 0    Size: 0
ctime: 0x4165baec -- Thu Oct  7 17:53:48 2004
atime: 0x4165bade -- Thu Oct  7 17:53:34 2004
mtime: 0x4165baec -- Thu Oct  7 17:53:48 2004
BLOCKS:
(0-7):8924-8931, (8):8933, (9-11):14775-14777, (IND):14778, (12-18):14779-14785, (19-24):14787-14792
TOTAL: 26
Inode: 209219   Type: regular    Mode:  0644   Flags: 0x0   Generation: 3550218717
User:     0   Group:     0   Size: 102400
File ACL: 0    Directory ACL: 0
Links: 1   Blockcount: 208
Fragment:  Address: 0    Number: 0    Size: 0
ctime: 0x4165baef -- Thu Oct  7 17:53:51 2004
atime: 0x4165bade -- Thu Oct  7 17:53:34 2004
mtime: 0x4165baef -- Thu Oct  7 17:53:51 2004
BLOCKS:
(0-1):8887-8888, (2):8890, (3-8):8892-8897, (9-11):8900-8902, (IND):8903, (12-14):8904-8906, (15-24):8908-8917
TOTAL: 26
Inode: 209219   Type: regular    Mode:  0644   Flags: 0x0   Generation: 3550218717
User:     0   Group:     0   Size: 102400
File ACL: 0    Directory ACL: 0
Links: 1   Blockcount: 208
Fragment:  Address: 0    Number: 0    Size: 0
ctime: 0x4165baf2 -- Thu Oct  7 17:53:54 2004
atime: 0x4165bade -- Thu Oct  7 17:53:34 2004
mtime: 0x4165baf2 -- Thu Oct  7 17:53:54 2004
BLOCKS:
(0-10):14775-14785, (11):14787, (IND):14788, (12-18):14789-14795, (19-24):14804-14809
TOTAL: 26
Inode: 209219   Type: regular    Mode:  0644   Flags: 0x0   Generation: 3550218717
User:     0   Group:     0   Size: 102400
File ACL: 0    Directory ACL: 0
Links: 1   Blockcount: 208
Fragment:  Address: 0    Number: 0    Size: 0
ctime: 0x4165baf6 -- Thu Oct  7 17:53:58 2004
atime: 0x4165bade -- Thu Oct  7 17:53:34 2004
mtime: 0x4165baf6 -- Thu Oct  7 17:53:58 2004
BLOCKS:
(0-7):8924-8931, (8):8933, (9-11):14775-14777, (IND):14778, (12-18):14779-14785, (19-24):14787-14792
TOTAL: 26
Inode: 209219   Type: regular    Mode:  0644   Flags: 0x0   Generation: 3550218717
User:     0   Group:     0   Size: 102400
File ACL: 0    Directory ACL: 0
Links: 1   Blockcount: 208
Fragment:  Address: 0    Number: 0    Size: 0
ctime: 0x4165baf9 -- Thu Oct  7 17:54:01 2004
atime: 0x4165bade -- Thu Oct  7 17:53:34 2004
mtime: 0x4165baf9 -- Thu Oct  7 17:54:01 2004
BLOCKS:
(0-1):8887-8888, (2):8890, (3-8):8892-8897, (9-11):8900-8902, (IND):8903, (12-14):8904-8906, (15-24):8908-8917
TOTAL: 26
Inode: 209219   Type: regular    Mode:  0644   Flags: 0x0   Generation: 3550218717
User:     0   Group:     0   Size: 102400
File ACL: 0    Directory ACL: 0
Links: 1   Blockcount: 208
Fragment:  Address: 0    Number: 0    Size: 0
ctime: 0x4165bafc -- Thu Oct  7 17:54:04 2004
atime: 0x4165bade -- Thu Oct  7 17:53:34 2004
mtime: 0x4165bafc -- Thu Oct  7 17:54:04 2004
BLOCKS:
(0-10):14775-14785, (11):14787, (IND):14788, (12-18):14789-14795, (19-24):14804-14809
TOTAL: 26
Inode: 209219   Type: regular    Mode:  0644   Flags: 0x0   Generation: 3550218717
User:     0   Group:     0   Size: 102400
File ACL: 0    Directory ACL: 0
Links: 1   Blockcount: 208
Fragment:  Address: 0    Number: 0    Size: 0
ctime: 0x4165bb00 -- Thu Oct  7 17:54:08 2004
atime: 0x4165bade -- Thu Oct  7 17:53:34 2004
mtime: 0x4165bb00 -- Thu Oct  7 17:54:08 2004
BLOCKS:
(0-7):8924-8931, (8):8933, (9-11):14775-14777, (IND):14778, (12-18):14779-14785, (19-24):14787-14792
TOTAL: 26
Inode: 209219   Type: regular    Mode:  0644   Flags: 0x0   Generation: 3550218717
User:     0   Group:     0   Size: 102400
File ACL: 0    Directory ACL: 0
Links: 1   Blockcount: 208
Fragment:  Address: 0    Number: 0    Size: 0
ctime: 0x4165bb03 -- Thu Oct  7 17:54:11 2004
atime: 0x4165bade -- Thu Oct  7 17:53:34 2004
mtime: 0x4165bb03 -- Thu Oct  7 17:54:11 2004
BLOCKS:
(0-1):8887-8888, (2):8890, (3-8):8892-8897, (9-11):8900-8902, (IND):8903, (12-14):8904-8906, (15-24):8908-8917
TOTAL: 26
Inode: 209219   Type: regular    Mode:  0644   Flags: 0x0   Generation: 3550218717
User:     0   Group:     0   Size: 102400
File ACL: 0    Directory ACL: 0
Links: 1   Blockcount: 208
Fragment:  Address: 0    Number: 0    Size: 0
ctime: 0x4165bb07 -- Thu Oct  7 17:54:15 2004
atime: 0x4165bade -- Thu Oct  7 17:53:34 2004
mtime: 0x4165bb07 -- Thu Oct  7 17:54:15 2004
BLOCKS:
(0-10):14775-14785, (11):14787, (IND):14788, (12-18):14789-14795, (19-24):14804-14809
TOTAL: 26
Inode: 209219   Type: regular    Mode:  0644   Flags: 0x0   Generation: 3550218717
User:     0   Group:     0   Size: 102400
File ACL: 0    Directory ACL: 0
Links: 1   Blockcount: 208
Fragment:  Address: 0    Number: 0    Size: 0
ctime: 0x4165bb0a -- Thu Oct  7 17:54:18 2004
atime: 0x4165bade -- Thu Oct  7 17:53:34 2004
mtime: 0x4165bb0a -- Thu Oct  7 17:54:18 2004
BLOCKS:
(0-7):8924-8931, (8):8933, (9-11):14775-14777, (IND):14778, (12-18):14779-14785, (19-24):14787-14792
TOTAL: 26
Inode: 209219   Type: regular    Mode:  0644   Flags: 0x0   Generation: 3550218717
User:     0   Group:     0   Size: 102400
File ACL: 0    Directory ACL: 0
Links: 1   Blockcount: 208
Fragment:  Address: 0    Number: 0    Size: 0
ctime: 0x4165bb0d -- Thu Oct  7 17:54:21 2004
atime: 0x4165bade -- Thu Oct  7 17:53:34 2004
mtime: 0x4165bb0d -- Thu Oct  7 17:54:21 2004
BLOCKS:
(0-1):8887-8888, (2):8890, (3-8):8892-8897, (9-11):8900-8902, (IND):8903, (12-14):8904-8906, (15-24):8908-8917
TOTAL: 26
Inode: 209219   Type: regular    Mode:  0644   Flags: 0x0   Generation: 3550218717
User:     0   Group:     0   Size: 102400
File ACL: 0    Directory ACL: 0
Links: 1   Blockcount: 208
Fragment:  Address: 0    Number: 0    Size: 0
ctime: 0x4165bb11 -- Thu Oct  7 17:54:25 2004
atime: 0x4165bade -- Thu Oct  7 17:53:34 2004
mtime: 0x4165bb11 -- Thu Oct  7 17:54:25 2004
BLOCKS:
(0-10):14775-14785, (11):14787, (IND):14788, (12-18):14789-14795, (19-24):14804-14809
TOTAL: 26
Inode: 209219   Type: regular    Mode:  0644   Flags: 0x0   Generation: 3550218717
User:     0   Group:     0   Size: 102400
File ACL: 0    Directory ACL: 0
Links: 1   Blockcount: 208
Fragment:  Address: 0    Number: 0    Size: 0
ctime: 0x4165bb14 -- Thu Oct  7 17:54:28 2004
atime: 0x4165bade -- Thu Oct  7 17:53:34 2004
mtime: 0x4165bb14 -- Thu Oct  7 17:54:28 2004
BLOCKS:
(0-7):8924-8931, (8):8933, (9-11):14775-14777, (IND):14778, (12-18):14779-14785, (19-24):14787-14792
TOTAL: 26
Inode: 209219   Type: regular    Mode:  0644   Flags: 0x0   Generation: 3550218717
User:     0   Group:     0   Size: 102400
File ACL: 0    Directory ACL: 0
Links: 1   Blockcount: 208
Fragment:  Address: 0    Number: 0    Size: 0
ctime: 0x4165bb17 -- Thu Oct  7 17:54:31 2004
atime: 0x4165bade -- Thu Oct  7 17:53:34 2004
mtime: 0x4165bb17 -- Thu Oct  7 17:54:31 2004
BLOCKS:
(0-1):8887-8888, (2):8890, (3-8):8892-8897, (9-11):8900-8902, (IND):8903, (12-14):8904-8906, (15-24):8908-8917
TOTAL: 26
Inode: 209219   Type: regular    Mode:  0644   Flags: 0x0   Generation: 3550218717
User:     0   Group:     0   Size: 102400
File ACL: 0    Directory ACL: 0
Links: 1   Blockcount: 208
Fragment:  Address: 0    Number: 0    Size: 0
ctime: 0x4165bb1a -- Thu Oct  7 17:54:34 2004
atime: 0x4165bade -- Thu Oct  7 17:53:34 2004
mtime: 0x4165bb1a -- Thu Oct  7 17:54:34 2004
BLOCKS:
(0-10):14775-14785, (11):14787, (IND):14788, (12-18):14789-14795, (19-24):14804-14809
TOTAL: 26
Inode: 209219   Type: regular    Mode:  0644   Flags: 0x0   Generation: 3550218717
User:     0   Group:     0   Size: 102400
File ACL: 0    Directory ACL: 0
Links: 1   Blockcount: 208
Fragment:  Address: 0    Number: 0    Size: 0
ctime: 0x4165bb1e -- Thu Oct  7 17:54:38 2004
atime: 0x4165bade -- Thu Oct  7 17:53:34 2004
mtime: 0x4165bb1e -- Thu Oct  7 17:54:38 2004
BLOCKS:
(0-7):8924-8931, (8):8933, (9-11):14775-14777, (IND):14778, (12-18):14779-14785, (19-24):14787-14792
TOTAL: 26
Inode: 209219   Type: regular    Mode:  0644   Flags: 0x0   Generation: 3550218717
User:     0   Group:     0   Size: 102400
File ACL: 0    Directory ACL: 0
Links: 1   Blockcount: 208
Fragment:  Address: 0    Number: 0    Size: 0
ctime: 0x4165bb21 -- Thu Oct  7 17:54:41 2004
atime: 0x4165bade -- Thu Oct  7 17:53:34 2004
mtime: 0x4165bb21 -- Thu Oct  7 17:54:41 2004
BLOCKS:
(0-1):8887-8888, (2):8890, (3-8):8892-8897, (9-11):8900-8902, (IND):8903, (12-14):8904-8906, (15-24):8908-8917
TOTAL: 26



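The following is an added example, not code from either message in this thread. It shows, in C, the fix Todd's reply points at: the overwrite must open the existing file without O_TRUNC (and without O_CREAT), so the inode keeps the data blocks it already owns and each pass lands on those blocks rather than on freshly allocated ones, which is what the debugfs dumps above show happening with dd. It implements the poster's own procedure (three sequential passes of 0x35, 0xca, 0x97, each flushed with fsync, followed by a check that the content and the inode are what they should be) and adds a FIBMAP query as the programmatic form of the poster's debugfs "stat" check. Assumptions: the pattern bytes are the ones quoted in the post, the demo file is created in /tmp, and the FIBMAP ioctl needs root (CAP_SYS_RAWIO) and a filesystem that supports it, so it reports -1 otherwise.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/stat.h>
#include <unistd.h>
#ifdef __linux__
#include <linux/fs.h>   /* FIBMAP */
#endif

/* Pass patterns quoted in the post: '35', 'ca', '97'. */
static const unsigned char kPatterns[] = { 0x35, 0xca, 0x97 };

/* Write `size` bytes of `pat` from offset 0 and flush them to the device.
 * Returns 0 on success, -1 (errno set) on failure. */
static int fill_pass(int fd, off_t size, unsigned char pat)
{
    unsigned char buf[4096];
    memset(buf, pat, sizeof buf);
    off_t off = 0;
    while (off < size) {
        size_t want = (size_t)(size - off) < sizeof buf ? (size_t)(size - off) : sizeof buf;
        ssize_t n = pwrite(fd, buf, want, off);
        if (n < 0) { if (errno == EINTR) continue; return -1; }
        off += n;
    }
    /* fsync after every pass; otherwise the passes merge in the page cache
     * and only the final pattern ever reaches the disk. */
    return fsync(fd);
}

/* Overwrite an existing regular file in place with the three patterns.
 * No O_TRUNC and no O_CREAT: truncating (what dd does) frees the inode's
 * blocks, and the next write gets new ones, leaving the old data untouched.
 * Returns 0 on success, -1 (errno set) on failure. */
int overwrite_in_place(const char *path)
{
    int fd = open(path, O_WRONLY | O_NOFOLLOW);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) < 0) { int e = errno; close(fd); errno = e; return -1; }
    if (!S_ISREG(st.st_mode)) { close(fd); errno = EINVAL; return -1; }
    for (size_t i = 0; i < sizeof kPatterns; i++)
        if (fill_pass(fd, st.st_size, kPatterns[i]) < 0) { int e = errno; close(fd); errno = e; return -1; }
    return close(fd);
}

/* 1 if every byte of the file equals `pat`, 0 if any byte differs, -1 on error. */
int file_is_all(const char *path, unsigned char pat)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0) return -1;
    unsigned char buf[4096];
    ssize_t n = 0;
    int ok = 1;
    while (ok && (n = read(fd, buf, sizeof buf)) > 0)
        for (ssize_t i = 0; i < n; i++)
            if (buf[i] != pat) { ok = 0; break; }
    if (n < 0) ok = -1;
    close(fd);
    return ok;
}

/* Physical block number of logical block 0 via FIBMAP, or -1 if unavailable
 * (needs CAP_SYS_RAWIO and a filesystem with bmap support). Comparing the
 * value before and after overwrite_in_place() is the equivalent of the
 * poster's debugfs "stat" block list: it must not change. */
long first_physical_block(const char *path)
{
#ifdef __linux__
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0) return -1;
    int blk = 0;  /* in: logical block 0; out: physical block number */
    long r = ioctl(fd, FIBMAP, &blk) < 0 ? -1 : (long)blk;
    close(fd);
    return r;
#else
    (void)path; return -1;
#endif
}

/* Constructed demonstration: 100 KiB sample file in /tmp (same size as the
 * poster's target), overwritten in place; returns 1 if the inode number and
 * size are unchanged and the content is entirely the last pattern. */
int demo(void)
{
    char path[] = "/tmp/overwrite-demo-XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) return 0;
    unsigned char buf[4096];
    struct stat before, after;
    int ok = 1;
    for (int i = 0; ok && i < 25; i++) {            /* 25 * 4096 = 102400 bytes */
        for (size_t j = 0; j < sizeof buf; j++) buf[j] = (unsigned char)(i + j);
        if (write(fd, buf, sizeof buf) != (ssize_t)sizeof buf) ok = 0;
    }
    if (ok && fstat(fd, &before) < 0) ok = 0;
    close(fd);
    ok = ok && overwrite_in_place(path) == 0 && stat(path, &after) == 0
            && after.st_ino == before.st_ino && after.st_size == before.st_size
            && file_is_all(path, kPatterns[2]) == 1;
    unlink(path);
    return ok;
}

int main(int argc, char **argv)
{
    if (argc < 2) return demo() ? 0 : 1;
    long b0 = first_physical_block(argv[1]);
    if (overwrite_in_place(argv[1]) < 0) { perror("overwrite_in_place"); return 1; }
    long b1 = first_physical_block(argv[1]);
    printf("first physical block before=%ld after=%ld (-1: FIBMAP unavailable)\n", b0, b1);
    return 0;
}
```

At the shell level the same change is GNU dd's `conv=notrunc`, which keeps dd from opening the output with O_TRUNC. Two caveats still apply to any in-place overwrite on ext3: it only reaches the blocks the file holds at that moment (blocks the file gave up earlier, as in every dd pass in the log above, are not revisited), and with `data=journal` a copy of the data also passes through the journal, which the overwrite of the file's own blocks does not cover.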



