Dan Tsafrir
Tomer Hertz
Abstract
The file-system API of contemporary systems makes programs vulnerable to TOCTTOU (time-of-check-to-time-of-use) race conditions. Existing solutions either help users to detect these problems (by pinpointing their locations in the code), or prevent the problem altogether (by modifying the kernel or its API). But the latter alternative is not prevalent, and the former is just the first step: Programmers must still address TOCTTOU flaws within the limits of the existing API with which several important tasks cannot be accomplished in a portable straightforward manner. Recently, Dean and Hu [2004] addressed this problem and suggested a probabilistic hardness amplification approach that alleviated the matter. Alas, shortly after, Borisov et al. [2005] responded with an attack termed “filesystem maze” that defeated the new approach.
We begin by noting that mazes constitute a generic way to deterministically win many TOCTTOU races (gone are the days when the probability was small). In the face of this threat, we: (1) develop a new user-level defense that can withstand mazes; and (2) show that our method is undefeated even by much stronger hypothetical attacks that provide the adversary program with ideal conditions to win the race (enjoying complete and instantaneous knowledge about the defending program's actions and being able to perfectly synchronize accordingly). The fact that our approach is immune to these unrealistic attacks suggests it can be used as a simple and portable solution to a large class of TOCTTOU vulnerabilities, without requiring modifications to the underlying operating system.
- Aggarwal, A. and Jalote, P. 2006. Monitoring the security health of software systems. In Proceedings of the 17th IEEE International Symposium on Software Reliability Engineering (ISSRE), 146--158. Google Scholar
Digital Library
- Ashcraft, K. and Engler, D. 2002. Using programmer-written compiler extensions to catch security holes. In Proceedings of the IEEE Symposium on Security and Privacy (S&P), 143--159. Google ScholarDigital Library
- Bishop, M. 1995. Race conditions, files, and security flaws; or the tortoise and the hare Redux. Tech. Rep. CSE-95-8, University of California at Davis. September.Google Scholar
- Bishop, M. and Dilger, M. 1996. Checking for race conditions in file accesses. Comput. Syst. 9, 2 (Spring), 131--152.Google Scholar
- Borisov, N., Johnson, R., Sastry, N., and Wagner, D. 2005. Fixing races for fun and profit: How to abuse atime. In Proceedings of the 14th USENIX Security Symposium, 303--314. Google ScholarDigital Library
- Boulet, D. 2002. UNIX domain sockets. http://everything2.com/index.pl?node_id=955968. (Accessed Sept. 2007).Google Scholar
- CERT Coordination Center. 1993. CERT advisory CA-1993-17 xterm logging vulnerability. URL http://www.cert.org/advisories/CA-1993-17.html. (Accessed Jun. 2007).Google Scholar
- Chen, H. and Wagner, D. 2002. MOPS: An infrastructure for examining security properties of software. In Proceedings of the ACM Conference on Computer Communications Security (CCS), 235--244. Google ScholarDigital Library
- Chen, H., Wagner, D., and Dean, D. 2002. Setuid demystified. In Proceedings of the 11th USENIX Security Symposium, 171--190. Google ScholarDigital Library
- Chess, B. 2002. Improving computer security using extended static checking. In Proceedings of the IEEE Symposium on Security and Privacy (S&P), 160. Google ScholarDigital Library
- Cowan, C., Beattie, S., Wright, C., and Kroah-Hartman, G. 2001. RaceGuard: Kernel protection from temporary file race vulnerabilities. In Proceedings of the 10th USENIX Security Symposium, 165--172. Google ScholarDigital Library
- Dean, D. and Hu, A. J. 2004. Fixing races for fun and profit: How to use access(2). In Proceedings of the 13th USENIX Security Symposium, 195--206. Google ScholarDigital Library
- Engler, D. and Ashcraft, K. 2003. RacerX: Effective, static detection of race conditions and deadlocks. In Proceedings of the 19th ACM Symposium on Operating Systems Principles (SOSP), 237--252. Google ScholarDigital Library
- Engler, D., Chen, D. Y., Hallem, S., Chou, A., and Chelf, B. 2001. Bugs as deviant behavior: A general approach to inferring errors in systems code. In Proceedings of the 18th ACM Symposium on Operating Systems Principles (SOSP), 57--72. Google ScholarDigital Library
- Engler, D., Chelf, B., Chou, A., and Hallem, S. 2000. Checking system rules using system-specific, programmer-written compiler extensions. In Proceedings of the 4th USENIX Symposium on Operating Systems Design and Implementation (OSDI), 1--16. Google ScholarDigital Library
- Goyal, B., Sitaraman, S., and Venkatesan, S. 2003. A unified approach to detect binding based race condition attacks. 3rd International Workshop on Cryptology and Network Security (CANS).Google Scholar
- Hu, A. J. 2005. On-Line publication list. http://www.cs.ubc.ca/spider/ajh/pub-list.html. (Accessed Jan. 2008).Google Scholar
- Josey, A. 2006. The open group new API set proposals. http://www.opengroup.org/austin/plato/uploads/40/9756/NAPI_overview.txt. (Accessed Dec. 2007).Google Scholar
- Joshi, A., King, S. T., Dunlap, G. W., and Chen, P. M. 2005. Detecting past and present intrusions through vulnerability-specific predicates. In Proceedings of the 20th ACM Symposium on Operating Systems Principles (SOSP), 91--104. Google ScholarDigital Library
- Ko, C. and Redmond, T. 2002. Noninterference and intrusion detection. In Proceedings of the IEEE Symposium on Security and Privacy (S&P), 177--187. Google ScholarDigital Library
- Lhee, K.-S. and Chapin, S. J. 2005. Detection of file-based race conditions. Int. J. Inf. Secur. 4, 1-2 (Feb.).Google ScholarDigital Library
- Man access(2). 2001. The FreeBSD system calls manual. http://www.freebsd.org/cgi/man.cgi?query=access. (Accessed Jan. 2008).Google Scholar
- Man openat(2). 2006. Linux programmer's manual. http://www.kernel.org/doc/man-pages/online/pages/man2/openat.2.html. (Accessed Jan. 2008).Google Scholar
- Maziéres, D. and Kaashoek, F. 1997. Secure applications need flexible operating systems. In Proceedings of the 6th IEEE Workshop on Hot Topics in Operating Systems (HOTOS), 56--61. Google ScholarDigital Library
- McPhee, W. S. 1974. Operating system integrity in OS/VS2. IBM Syst. J. 13, 3, 230--252. http://www.research.ibm.com/journal/sj/133/ibmsj1303D.pdf.Google ScholarDigital Library
- NVD. 2008. National vulnerability database. http://nvd.nist.gov/. (Accessed Jan. 2008).Google Scholar
- Park, J., Lee, G., Lee, S., and Kim, D.-K. 2004. RPS: An extension of reference monitor to prevent race-attacks. In Proceedings of the 5th Advances in Multimedia Information Processing Conference (PCM). Lecture Notes in Computer Science, vol. 3331. Springer, 556--563. Google ScholarDigital Library
- Pu, C. and Wei, J. 2006. A methodical defense against TOCTTOU attacks: The EDGI approach. In Proceedings of the 1st IEEE International Symposium on Secure Software Engineering (ISSSE).Google Scholar
- Schmuck, F. and Wylie, J. 1991. Experience with transactions in QuickSilver. In Proceedings of the 13th ACM Symposium on Operating Systems Principles (SOSP), 239--253. Google ScholarDigital Library
- Schwarz, B., Chen, H., Wagner, D., Lin, J., Tu, W., Morrison, G., and West, J. 2005. Model checking an entire Linux distribution for security violations. In Proceedings of the Annual Computer Security Applications Conference (ACSAC), IEEE, 13--22. Google ScholarDigital Library
- Sirainen, T. 2002--2004. fdpass.c—File descriptor passing between processes via UNIX sockets. http://code.softwarefreedom.org/projects/backports/browser/external/standalone/dovecot/current/src/lib/fdpass.c. (Accessed Dec. 2007).Google Scholar
- Stevens, W. R. and Fenner, B. 2003. UNIX Network Programming Volume 1: The Sockets Networking API, 3rd ed. Addison Wesley, Section 15.7. Google ScholarDigital Library
- Stevens, W. R., Thomas, M., Nordmark, E., and Jinmei, T. 2003. RFC 3542—Advanced sockets application program interface (API) for IPv6. http://www.faqs.org/rfcs/rfc3542.html. (Accessed Dec. 2007). Google ScholarDigital Library
- Tsafrir, D., Da Silva, D., and Wagner, D. 2008a. The murky issue of changing process identity: Revising “setuid demystified”. USENIX ;login 33, 3 (Jun.), 55--66.Google Scholar
- Tsafrir, D., Hertz, T., Wagner, D., and Da-Silva, D. 2008b. Portably preventing file race attacks with user-mode path resolution. Tech. Rep. RC24572, IBM T. J. Watson Research Center, Yorktown Heights, New York.Google Scholar
- Tsyrklevich, E. and Yee, B. 2003. Dynamic detection and prevention of race conditions in file accesses. In Proceedings of the 12th USENIX Security Symposium, 243--256. Google ScholarDigital Library
- Uppuluri, P., Joshi, U., and Ray, A. 2005. Preventing race condition attacks on file-systems. In Proceedings of the 20th ACM Symposium on Applied Computing (SAC), 346--353. Google ScholarDigital Library
- US-CERT. 2005. United States computer emergency readiness team: Vulnerability notes database. http://www.kb.cert.org/vuls. (Accessed Jan. 2008).Google Scholar
- Viega, J., Bloch, J., Kohno, Y., and McGraw, G. 2000. ITS4: A static vulnerability scanner for C and C++ code. In Proceedings of the Annual Computer Security Applications Conference (ACSAC), IEEE, 257--267. Google ScholarDigital Library
- Wei, J. and Pu, C. 2007. Multiprocessors may reduce system dependability under file-based race condition attacks. In Proceedings of the 37th IEEE/IFIP Annual International Conference on Dependable Systems and Networks (DSN). Google ScholarDigital Library
- Wei, J. and Pu, C. 2005. TOCTTOU vulnerabilities in UNIX-style file systems: An anatomical study. In Proceedings of the 4th USENIX Conference on File and Storage Technologies (FAST), 155--167. Google ScholarDigital Library
- Wright, C. P., Spillane, R., Sivathanu, G., and Zadok, E. 2007. Extending ACID semantics to the file system. ACM Trans. Storage 3, 2 (Jun.), 4. Google ScholarDigital Library
- Yao, A. C. 1982. Theory and applications of trapdoor functions. In Proceedings of the 23th IEEE Symposium on Foundations of Computer Science (FOCS), 80--91. Google ScholarCross Ref
- Zeilenga, K., Chu, H., and Masarati, P. 2000--2007. libraries/libutil/getpeereuid.c. OpenLDAP source code. http://www.openldap.org/devel/cvsweb.cgi. (Accessed Dec. 2007).Google Scholar
Index Terms
- Portably solving file races with hardness amplification
Recommendations
Portably solving file TOCTTOU races with hardness amplification
FAST'08: Proceedings of the 6th USENIX Conference on File and Storage TechnologiesThe file-system API of contemporary systems makes programs vulnerable to TOCTTOU (time of check to time of use) race conditions. Existing solutions either help users to detect these problems (by pinpointing their locations in the code), or prevent the ...
Modeling and preventing TOCTTOU vulnerabilities in Unix-style file systems
TOCTTOU (Time-of-Check-To-Time-Of-Use) is a file-based race condition in Unix-style systems and characterized by a pair of file object access by a vulnerable program: a check operation establishes certain conditions about the file object (e.g., the file ...
Holographic vulnerability studies: vulnerabilities as fractures in interpretation as information flows across abstraction boundaries
NSPW '12: Proceedings of the 2012 New Security Paradigms WorkshopWe are always patching our systems against specific nstances of whatever the latest new, hot, trendy vulnerability type is. First it was time-of-check-to-time-of-use, then buffer overflows, then SQL injection, then cross-site scripting. Vulnerability ...
Comments