
Preferences and Databases

In the Palm OS API, the Preferences and Data Manager functions offer several avenues for data storage. System and application preferences are accessible via the Pref{Get,Set}Preferences and Pref{Get,Set}AppPreferences function calls. Similarly, any system or application database can be attached to and used to store malicious content. DmOpenDatabase, DmWrite, DmResizeRecord, and DmSetDatabaseInfo are all common database manipulation functions that, because individual records have neither protection nor ownership, become conduits for attachment.

Unused fields in records are commonly used as covert channels, and databases on the Palm OS device are no exception. For example, the Application and Sort Info Blocks are optional fields in each database that can be used to store application-specific information. Common data stored in these blocks includes category names or database version numbers. However, these fields need not be populated, and often they are not. Traversing the existing database records on the device and checking the appInfoID or sortInfoID parameter for a null pointer will yield a location for the attacker to store the handle (pointer to a location) of their payload. This would not affect the legitimate application's usage in any way.
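From the defender's side, the same two header fields can be audited off-device. The following is an added example, not code from the original paper: it parses the 78-byte header of a backed-up .pdb image and reports an appInfoID or sortInfoID that is populated where a known-good baseline has it empty, or that points outside the file's data area. The baseline dictionary, the helper names and the sample images are constructed for illustration.

```python
import struct

# Palm database (.pdb) header as stored in a backup image: 78 bytes, big-endian.
PDB_HEADER = struct.Struct(">32sHHIIIIII4s4sIIH")
FIELDS = ("name", "attributes", "version", "created", "modified", "backed_up",
          "mod_number", "appInfoID", "sortInfoID", "type", "creator",
          "uid_seed", "next_record_list", "num_records")

def parse_header(image: bytes) -> dict:
    """Decode the fixed header of a .pdb image."""
    if len(image) < PDB_HEADER.size:
        raise ValueError("truncated PDB header")
    hdr = dict(zip(FIELDS, PDB_HEADER.unpack_from(image)))
    hdr["name"] = hdr["name"].split(b"\0", 1)[0].decode("latin-1")
    hdr["creator"] = hdr["creator"].decode("latin-1")
    return hdr

def audit(image: bytes, baseline: dict) -> list:
    """baseline maps (name, creator) -> set of info fields expected non-zero."""
    hdr = parse_header(image)
    expected = baseline.get((hdr["name"], hdr["creator"]))
    # The record list follows the header; each entry is 8 bytes.
    data_start = PDB_HEADER.size + 8 * hdr["num_records"]
    findings = []
    for field in ("appInfoID", "sortInfoID"):
        offset = hdr[field]          # in a .pdb file this is a file offset
        if offset == 0:
            continue                 # block absent, nothing to check
        if not data_start <= offset < len(image):
            findings.append(f"{field} points outside data area: {offset:#x}")
        if expected is None:
            findings.append(f"{field} set in database missing from baseline")
        elif field not in expected:
            findings.append(f"{field} populated but empty in baseline")
    return findings

def make_sample(app_info: int, sort_info: int, extra: bytes = b"") -> bytes:
    """Build a constructed, record-less PDB image for the demonstration."""
    hdr = PDB_HEADER.pack(b"MemoDB", 0, 0, 0, 0, 0, 0, app_info, sort_info,
                          b"DATA", b"memo", 0, 0, 0)
    return hdr + b"\0\0" + extra     # two pad bytes commonly follow the list

BASELINE = {("MemoDB", "memo"): {"appInfoID"}}      # constructed baseline
CLEAN = make_sample(80, 0, b"A" * 16)               # constructed images
ALTERED = make_sample(80, 96, b"A" * 16 + b"B" * 8)

if __name__ == "__main__":
    for label, img in (("clean", CLEAN), ("altered", ALTERED)):
        print(label, audit(img, BASELINE))
```

A zero-to-non-zero change in either field between two backups of the same database is the signal to look at; the baseline should be taken from a device in a known-good state.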
Kingpin
2001-05-09