Minister promises that Part III is coming

Igor Mozolevsky ukcrypto at chiark.greenend.org.uk
Sat, 13 May 2006 11:26:59 +0100 

--Apple-Mail-1--442388305
Content-Transfer-Encoding: 7bit
Content-Type: text/plain;
	charset=US-ASCII;
	delsp=yes;
	format=flowed


On 13 May 2006, at 09:52, Ian Brown wrote:

> Could you be sure your worm would at no point be swapped to disk by  
> the
> OS, leaving evidence in the swapfile?

Sure - all you need is a loader that fits into one page. Have the  
loader allocate locked memory, load the worm into the locked memory  
and exec it, passing the address of the page that the loader was  
using. Then have the worm write any noise to the page that the loader  
was using and force a swapout for that page. Voila!

The only difficulty with this method is having to conceal the actual  
worm so that if the loader is ever disassembled, you still won't be  
able to find the actual worm... This might be difficult but I don't  
think it's impossible.
--Apple-Mail-1--442388305
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html;
	charset=ISO-8859-1

<HTML><BODY style=3D"word-wrap: break-word; -khtml-nbsp-mode: space; =
-khtml-line-break: after-white-space; "><BR><DIV><DIV>On 13 May 2006, at =
09:52, Ian Brown wrote:</DIV><DIV><BR =
class=3D"khtml-block-placeholder"></DIV><BLOCKQUOTE type=3D"cite"> <P =
style=3D"margin: 0.0px 0.0px 0.0px 0.0px"><FONT face=3D"Monaco" size=3D"2"=
 style=3D"font: 10.0px Monaco">Could you be sure your worm would at no =
point be swapped to disk by the</FONT></P> <P style=3D"margin: 0.0px =
0.0px 0.0px 0.0px"><FONT face=3D"Monaco" size=3D"2" style=3D"font: =
10.0px Monaco">OS, leaving evidence in the swapfile?</FONT></P> =
</BLOCKQUOTE></DIV><BR><DIV>Sure - all you need is a loader that fits =
into one page. Have the loader allocate locked memory, load the worm =
into the locked memory and exec it, passing the address of the page that =
the loader was using. Then have the worm write any noise to the page =
that the loader was using and force a swapout for that page. =
Voila!</DIV><DIV><BR class=3D"khtml-block-placeholder"></DIV><DIV>The =
only difficulty with this method is having to=A0conceal=A0the actual =
worm so that if the loader is ever disassembled, you still won't be able =
to find the actual worm... This might be difficult but I don't think =
it's impossible.</DIV></BODY></HTML>=

--Apple-Mail-1--442388305--