On Sat, Jan 6, 2018 at 5:38 PM, Philipp Marek <philipp@xxxxxxxxxxxxx> wrote: > I think we are possibly interested in switching to DIRECT IO (given that it >> bypasses any caching system including page cache) when reading *.PEM file >> > Sorry, but this makes no sense. > The data could just as well be read from the SSH process > memory space. > I think that's actually not true. SSH process's stack and heap aren't mapped/stored into the kernel space mapped in all user space programs, so how come a malicious program running in victim's system could have access to stack/heap memory of SSH process which is only mapped in its address space? Please correct me if I'm wrong. > > Direct IO has some additional complexity; this may well > be avoided. > Actually, it's only about adding a flag to open and making sure IO is DMA aligned. > > > It makes *zero* sense to panic now and start "hardening" > [which direct IO wouldn't even be!] individual programs - > if separate memory spaces are not available, > "all hope is lost". > I agree with this sentiment though, better to think it through and come up with informed decisions, but I think this is possibly a direction worth considering. _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev