ABSTRACT
Time Of Check To Time Of Use (TOCTTOU) race conditions for file accesses in user-space applications are a common problem in Unix-like systems. The mapping from a filename to an inode and device pair is volatile and can provide the necessary preconditions for an exploit. Applications use filenames as the primary attribute to identify files, but the mapping between a filename and its inode and device can be changed by an attacker.
DynaRace is an approach that protects unmodified applications from file-based TOCTTOU race conditions. DynaRace uses a transparent mapping cache that keeps additional state and metadata for each accessed file in the application. The combination of file state and the current system call type are used to decide if (i) the metadata is updated or (ii) the correctness of the metadata is enforced between consecutive system calls.
DynaRace uses user-mode path resolution internally to resolve individual file atoms. Each file atom is verified or updated according to the associated state in the mapping cache. More specifically, DynaRace protects against race conditions for all file-based system calls by replacing the unsafe system calls with a set of safe system calls that utilize the mapping cache. The system call is executed only if the state transition is allowed and the information in the mapping cache matches.
DynaRace deterministically solves the problem of file-based race conditions for unmodified applications and removes an attacker's ability to exploit the TOCTTOU race condition. DynaRace detects injected alternate inode and device pairs and terminates the application.
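The abstract describes the mechanism in three parts: a mapping cache that records inode and device metadata per file atom, user-mode path resolution that checks each atom on its own, and a refusal to execute the system call when the recorded metadata no longer matches. The following Python is an added illustration of that idea and is not DynaRace's code; the names `MappingCache`, `RaceDetected`, `check` and `use` are assumptions made here. Each atom is opened relative to its parent directory with `O_NOFOLLOW` (the `openat` pattern the paper's references point to) and `fstat`'d, so the (device, inode) pair belongs to the object actually opened; a check records those pairs, and a use re-resolves the path and refuses to hand back a descriptor if any atom differs. The scenario in `demo()` is constructed: a file is checked, then replaced under the same name by a different inode inside the check-to-use window, and the next use is rejected.

```python
import os
import tempfile
from dataclasses import dataclass, field


class RaceDetected(Exception):
    """Raised when a file atom no longer maps to the (st_dev, st_ino) pair
    that was recorded when the path was checked."""


@dataclass
class MappingCache:
    """Hypothetical user-space mapping cache (a stand-in for the paper's):
    absolute path -> list of (atom, st_dev, st_ino) recorded at check time."""
    entries: dict = field(default_factory=dict)

    @staticmethod
    def _atoms(path):
        if not os.path.isabs(path):
            raise ValueError("this example handles absolute paths only")
        return [a for a in path.split(os.sep) if a]

    def _walk(self, path, verify):
        """User-mode path resolution: open every atom relative to its parent
        directory with O_NOFOLLOW (openat semantics) and fstat the descriptor,
        so the (dev, ino) pair belongs to the object actually opened.
        verify=False records the pairs (a check); verify=True compares them
        with the recorded ones (a use). Returns the fd of the final atom."""
        atoms = self._atoms(path)
        expected = self.entries.get(path)
        if verify and expected is None:
            raise KeyError(f"{path} was never checked")
        seen = []
        parent = os.open(os.sep, os.O_RDONLY | os.O_DIRECTORY)
        try:
            for i, atom in enumerate(atoms):
                flags = os.O_RDONLY | os.O_NOFOLLOW
                if i < len(atoms) - 1:
                    flags |= os.O_DIRECTORY  # intermediate atoms must be directories
                try:
                    fd = os.open(atom, flags, dir_fd=parent)
                except OSError as exc:
                    # ELOOP: a symlink was injected; ENOTDIR/ENOENT: an atom was replaced
                    raise RaceDetected(f"{path}: atom {atom!r}: {exc.strerror}") from exc
                st = os.fstat(fd)
                os.close(parent)
                parent = fd
                seen.append((atom, st.st_dev, st.st_ino))
                if verify and expected[i] != seen[-1]:
                    raise RaceDetected(
                        f"{path}: atom {atom!r} changed from {expected[i][1:]} "
                        f"to {seen[-1][1:]}")
            if not verify:
                self.entries[path] = seen
            return parent  # the caller owns this descriptor
        except BaseException:
            os.close(parent)
            raise

    def check(self, path):
        """Record the metadata of every atom; returns an fd to the object."""
        return self._walk(path, verify=False)

    def use(self, path):
        """Re-resolve and enforce the recorded metadata; returns an fd only if
        every atom still maps to the same (dev, ino) pair."""
        return self._walk(path, verify=True)


def demo():
    """Constructed scenario: check a file, use it once unchanged, then replace
    it by a different inode under the same name (the TOCTTOU window) and
    show that the next use is refused. Returns True if detection worked."""
    cache = MappingCache()
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.realpath(tmp)  # avoid symlinked temp dirs (e.g. /var on macOS)
        target = os.path.join(base, "config")
        with open(target, "w") as f:
            f.write("original\n")
        os.close(cache.check(target))
        os.close(cache.use(target))  # nothing changed: accepted
        substitute = os.path.join(base, "substitute")
        with open(substitute, "w") as f:
            f.write("swapped in\n")
        os.replace(substitute, target)  # same name, different inode
        try:
            cache.use(target)
        except RaceDetected:
            return True
        return False


if __name__ == "__main__":
    print("race detected:", demo())
```

The descriptor returned by `use` is the one that was fstat'd during verification, so the caller operates on exactly the object that matched the cache; a design that verified with `lstat` and then opened by name a second time would reopen the race it set out to close. The paper's state machine (which system call types update the cache and which enforce it) is simplified here to two explicit calls.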