CSE 451

Operating Systems

Spring 1998


Quiz #7 : Solution 

The basic idea is to somehow find out during each openfile() call at which position the password check failed. We can use that information to reduce the number of tries to hack the password from 256^8 to 256*8.

Let P1, P2, ... P9 be 9 consecutive pages in the data segment of the hacking program. Initially all the pages would be in disk. Register a callout function which simply sets a boolean variable saying that a pagefault occured. Write the first ASCII character to the last byte in P1. Call the openfile() system call with the password string starting from the last byte of P1. If the last byte contained the correct first password character, then there would be a pagefault because the system would try to access the second character of the password  which is in P2 and has to be brought from disk using a pagefault. If the first byte contained the wrong character, then there would be no pagefault because the system would stop after comparing the first character.

When the openfile() system call returns, we will know whether a pagefault occured, by looking at the boolean set by the callout function. This way we can figure out whether the first byte is correct. If it is not, change the last byte of P1 and repeat the call. We will be able to figure out the correct password in at most 256 tries. After  this, P2 would be in memory because of the page fault. Write the correct first byte and the first ASCII character to the last two bytes of P2. Repeat the above procedure again to find out the second character.

Do the above 8 times to find the correct password in atmost 8*256 openfile() system calls.

Note: Here we assumed that the TELNEX does no prefetching. Also, remember to take care of the case when you open the file before going through the procedure 8 times, because the random bits in the next page happen to contain the correct password.