More Web Proxy on the site http://driver.im/

research-article

Protecting applications against TOCTTOU races by user-space caching of file metadata

Authors:

Thomas R. GrossAuthors Info & Claims

VEE '12: Proceedings of the 8th ACM SIGPLAN/SIGOPS conference on Virtual Execution Environments

Pages 215 - 226

https://doi.org/10.1145/2151024.2151052

Published: 03 March 2012 Publication History

Abstract

Time Of Check To Time Of Use (TOCTTOU) race conditions for file accesses in user-space applications are a common problem in Unix-like systems. The mapping between filename and inode and device is volatile and can provide the necessary preconditions for an exploit. Applications use filenames as the primary attribute to identify files but the mapping between filenames and inode and device can be changed by an attacker.

DynaRace is an approach that protects unmodified applications from file-based TOCTTOU race conditions. DynaRace uses a transparent mapping cache that keeps additional state and metadata for each accessed file in the application. The combination of file state and the current system call type are used to decide if (i) the metadata is updated or (ii) the correctness of the metadata is enforced between consecutive system calls.

DynaRace uses user-mode path resolution internally to resolve individual file atoms. Each file atom is verified or updated according to the associated state in the mapping cache. More specifically, DynaRace protects against race conditions for all file-based system calls, by replacing the unsafe system calls with a set of safe system calls that utilize the mapping cache. The system call is executed only if the state transition is allowed and the information in the mapping cache matches.

DynaRace deterministically solves the problem of file-based race conditions for unmodified applications and removes an attacker's ability to exploit the TOCTTOU race condition. DynaRace detects injected alternate inode and device pairs and terminates the application.

References

[1]

New system calls. https://lwn.net/Articles/164887/.

[2]

openat syscall. http://linux.die.net/man/2/openat.

[3]

Aggarwal, A., and Jalote, P. Monitoring the security health of software systems. In ISSRE'06: 17th Int'l Symp. Software Reliability Engineering (nov. 2006), pp. 146 --158.

Digital Library

[4]

Bishop, M. Checking for race conditions in file accesses. Tech. rep., University of California at Davis, 1995.

[5]

Bishop, M., and Dilger, M. Checking for race conditions in file accesses. Journal for Computing Systems (1996), 131--152.

[6]

Borisov, N., Johnson, R., Sastry, N., and Wagner, D. Fixing races for fun and profit: how to abuse atime. In 14th USENIX Security Symposium (2005), pp. 303--314.

Digital Library

[7]

Bruening, D., Duesterwald, E., and Amarasinghe, S. Design and implementation of a dynamic optimization framework for Windows. In ACM Workshop Feedback-directed Dyn. Opt. (FDDO-4) (2001).

[8]

Bruening, D., Garnett, T., and Amarasinghe, S. An infrastructure for adaptive dynamic optimization. In CGO '03 (2003), pp. 265--275.

Digital Library

[9]

Chari, S., Halevi, S., and Venema, W. Where do you want to go today? escalating privileges by pathname manipulation. In NDSS (2010).

[10]

Chen, H., and Wagner, D. MOPS: an infrastructure for examining security properties of software. In CCS'02: Proc. 9th ACM Conf. Computer and Communications Security (2002), pp. 235--244.

Digital Library

[11]

Chess, B. V. Improving computer security using extended static checking. In S&P'02: IEEE Symp. on Security and Privacy (2002).

Digital Library

[12]

Cowan, C., Beattie, S., Wright, C., and Kroah-hartman, G. RaceGuard: Kernel protection from temporary file race vulnerabilities. In Proc. 10th USENIX Security Symposium (2001), p. 12.

Digital Library

[13]

Dean, D., and Hu, A. J. Fixing races for fun and profit: how to use access(2). In Proc. 13th USENIX Security Symposium (2004), SSYM'04, pp. 14--14.

Digital Library

[14]

Ford, B., and Cox, R. Vx32: lightweight user-level sandboxing on the x86. In ATC'08: USENIX 2008 Annual Technical Conference (2008), pp. 293--306.

Digital Library

[15]

Goyal, B., Sitaraman, S., and Venkatesan, S. A unified approach to detect binding based race condition attacks. In CANS'03: Intl. Workshop on Cryptology & Network Security (2003).

[16]

Joshi, A., King, S. T., Dunlap, G. W., and Chen, P. M. Detecting past and present intrusions through vulnerability-specific predicates. In SOSP'05: Proc. 20th ACM Symposium on Operating Systems Principles (2005), pp. 91--104.

Digital Library

[17]

Kiriansky, V., Bruening, D., and Amarasinghe, S. P. Secure execution via program shepherding. In Proc. 11th USENIX Security Symposium (2002), pp. 191--206.

Digital Library

[18]

Ko, C., and Redmond, T. Noninterference and intrusion detection. In S&P'02: Proc. 2002 IEEE Symposium on Security and Privacy (2002), pp. 177--187.

Digital Library

[19]

Mazières, D., and Kaashoek, M. F. Secure applications need flexible operating systems. In HotOS'07: Workshop on Hot Topics in Operating Systems (1997), pp. 56--61.

Digital Library

[20]

Park, J., Lee, G., Lee, S., and Kim, D.-K. RPS: An extension of reference monitor to prevent race-attacks. In PCM'04: 5th Pacific Rim Conf. on Multimedia (2004), pp. 556--563.

Digital Library

[21]

Payer, M., and Gross, T. R. Fine-grained user-space security through virtualization. In VEE'11: Proc. 7th ACM SIGPLAN/SIGOPS Int'l conf. Virtual execution environments (2011), pp. 157--168.

Digital Library

[22]

Schmuck, F., and Wylie, J. Experience with transactions in quicksilver. In SOSP'09: Proc. 13th ACM Symposium on Operating Systems Principles (1991), pp. 239--253.

Digital Library

[23]

Schwarz, B., Chen, H., Wagner, D., Lin, J., Tu, W., Morrison, G., and West, J. Model checking an entire Linux distribution for security violations. In Proc 21st Computer Security Applications Conference (2005), pp. 13--22.

Digital Library

[24]

Scott, K., and Davidson, J. Strata: A software dynamic translation infrastructure. Tech. rep., University of Virginia, 2001.

Digital Library

[25]

Scott, K., and Davidson, J. Safe virtual execution using software dynamic translation. ACSAC'02: Annual Computer Security Applications Conference (2002), 209.

Digital Library

[26]

Shacham, H. The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86). In CCS'07: Proc. 14th ACM conf. Computer and Communications Security (Oct. 2007), S. De Capitani di Vimercati and P. Syverson, Eds., ACM Press, pp. 552--61.

Digital Library

[27]

Spillane, R. P., Gaikwad, S., Chinni, M., Zadok, E., and Wright, C. P. Enabling transactional file access via lightweight kernel extensions. In FAST'09: Proc. 7th conf. on File and storage technologies (2009), pp. 29--42.

Digital Library

[28]

suk Lhee, K., and Chapin, S. J. Detection of file-based race conditions. Int'l Journal Information Security 4, 1--2 (2005), 105--119.

Digital Library

[29]

Tsafrir, D., Hertz, T., Wagner, D., and Da Silva, D. Portably solving file TOCTTOU races with hardness amplification. In FAST'08: Proc. 6th USENIX Conf. on File and Storage Technologies (2008), pp. 13:1--13:18.

Digital Library

[30]

Tsafrir, D., Hertz, T., Wagner, D., and Da Silva, D. Portably preventing file race attacks with user-mode path resolution. Tech. Rep. RC24572, IBM T. J. Watson Research Center, June 2008.

[31]

Tsyrklevich, E., and Yee, B. Dynamic detection and prevention of race conditions in file accesses. In Proc. 12th USENIX Security Symposium (2003), pp. 243--255.

Digital Library

[32]

Uppuluri, P., Joshi, U., and Ray, A. Preventing race condition attacks on file-systems. In SAC'05: Proc. ACM Symposium on Applied computing (2005), SAC '05, pp. 346--353.

Digital Library

[33]

Viega, J., Bloch, J., Kohno, T., and McGraw, G. ITS4: a static vulnerability scanner for C and C+ code. In ACSAC'00: Ann. Comput. Security Applications Conf. (2000).

Digital Library

[34]

vladz. Xorg file permission change vulnerability (CVE-2011--4029). http://vladz.devzero.fr/Xorg-CVE-2011--4029.txt.

[35]

Wei, J., and Pu, C. TOCTTOU vulnerabilities in UNIX-style file systems: an anatomical study. In FAST'05: Proc. 4th conf. USENIX Conf. File and Storage Technologies (2005), pp. 12--12.

Digital Library

[36]

Wei, J., and Pu, C. A methodical defense against TOCTTOU attacks: the EDGI approach. In ISSSE'06: IEEE Int'l Symp. on Secure Software Engineering (2006).

[37]

Wright, C. P., Spillane, R., Sivathanu, G., and Zadok, E. Extending ACID semantics to the file system. Trans. Storage 3 (June 2007).

Digital Library

Cited By

Basu ASampson JQian ZJaeger TNaor DGoel A(2023)Unsafe at any copyProceedings of the 21st USENIX Conference on File and Storage Technologies10.5555/3585938.3585950(183-197)Online publication date: 21-Feb-2023
https://dl.acm.org/doi/10.5555/3585938.3585950
Raducu RRodriguez RAlvarez P(2022)Defense and Attack Techniques Against File-Based TOCTOU Vulnerabilities: A Systematic ReviewIEEE Access10.1109/ACCESS.2022.315306410(21742-21758)Online publication date: 2022
https://doi.org/10.1109/ACCESS.2022.3153064
Schwarz MGruss DLipp MMaurice CSchuster TFogh AMangard SKim JAhn GKim SKim YLopez JKim T(2018)Automated Detection, Exploitation, and Elimination of Double-Fetch Bugs using Modern CPU FeaturesProceedings of the 2018 on Asia Conference on Computer and Communications Security10.1145/3196494.3196508(587-600)Online publication date: 29-May-2018
https://dl.acm.org/doi/10.1145/3196494.3196508
Show More Cited By

Recommendations

Protecting applications against TOCTTOU races by user-space caching of file metadata
VEE '12

Time Of Check To Time Of Use (TOCTTOU) race conditions for file accesses in user-space applications are a common problem in Unix-like systems. The mapping between filename and inode and device is volatile and can provide the necessary preconditions for ...
Modeling and preventing TOCTTOU vulnerabilities in Unix-style file systems

TOCTTOU (Time-of-Check-To-Time-Of-Use) is a file-based race condition in Unix-style systems and characterized by a pair of file object access by a vulnerable program: a check operation establishes certain conditions about the file object (e.g., the file ...
VUOS: A User-Space Hypervisor Based on System Call Hijacking
Computer Safety, Reliability, and Security. SAFECOMP 2024 Workshops
Abstract
VUOS (View based OS) is a virtual operating system that permits to give to each process a different view of the underlying system, i.e. access only some specific directories or specified system calls. This is currently obtained intercepting system ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Conferences

VEE '12: Proceedings of the 8th ACM SIGPLAN/SIGOPS conference on Virtual Execution Environments

March 2012

248 pages

ISBN:9781450311762

DOI:10.1145/2151024

General Chair:
Steven Hand
University of Cambridge, UK
,
Program Chair:
Dilma da Silva
IBM T. J. Watson Research Center, USA

ACM SIGPLAN Notices Volume 47, Issue 7
VEE '12
July 2012
229 pages
ISSN:0362-1340
EISSN:1558-1160
DOI:10.1145/2365864
Issue’s Table of Contents

Copyright © 2012 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 03 March 2012

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

VEE '12

Sponsor:

VEE '12: ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments

March 3 - 4, 2012

London, England, UK

Acceptance Rates

Overall Acceptance Rate 80 of 235 submissions, 34%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

17
Total Citations
View Citations
290
Total Downloads

Downloads (Last 12 months)17
Downloads (Last 6 weeks)1

Reflects downloads up to 03 Jan 2025

Other Metrics

View Author Metrics

Citations

Cited By

Basu ASampson JQian ZJaeger TNaor DGoel A(2023)Unsafe at any copyProceedings of the 21st USENIX Conference on File and Storage Technologies10.5555/3585938.3585950(183-197)Online publication date: 21-Feb-2023
https://dl.acm.org/doi/10.5555/3585938.3585950
Raducu RRodriguez RAlvarez P(2022)Defense and Attack Techniques Against File-Based TOCTOU Vulnerabilities: A Systematic ReviewIEEE Access10.1109/ACCESS.2022.315306410(21742-21758)Online publication date: 2022
https://doi.org/10.1109/ACCESS.2022.3153064
Schwarz MGruss DLipp MMaurice CSchuster TFogh AMangard SKim JAhn GKim SKim YLopez JKim T(2018)Automated Detection, Exploitation, and Elimination of Double-Fetch Bugs using Modern CPU FeaturesProceedings of the 2018 on Asia Conference on Computer and Communications Security10.1145/3196494.3196508(587-600)Online publication date: 29-May-2018
https://dl.acm.org/doi/10.1145/3196494.3196508
Shi BLi BCui LOuyang L(2018)Vanguard: A Cache-Level Sensitive File Integrity Monitoring System in Virtual Machine EnvironmentIEEE Access10.1109/ACCESS.2018.28511926(38567-38577)Online publication date: 2018
https://doi.org/10.1109/ACCESS.2018.2851192
Lu KWang PLi GZhou X(2018)Untrusted Hardware Causes Double-Fetch Problems in the I/O MemoryJournal of Computer Science and Technology10.1007/s11390-018-1842-333:3(587-602)Online publication date: 11-May-2018
https://doi.org/10.1007/s11390-018-1842-3
Wang FJoung YMickens J(2017)CobwebProceedings of the 2nd Workshop on System Software for Trusted Execution10.1145/3152701.3152705(1-7)Online publication date: 28-Oct-2017
https://dl.acm.org/doi/10.1145/3152701.3152705
Yu TZaman TWang CBodden ESchäfer WDeursen AZisman A(2017)DESCRY: reproducing system-level concurrency failuresProceedings of the 2017 11th Joint Meeting on Foundations of Software Engineering10.1145/3106237.3106266(694-704)Online publication date: 21-Aug-2017
https://dl.acm.org/doi/10.1145/3106237.3106266
Yu T(2017)SimEvo: Testing Evolving Multi-process Software Systems2017 IEEE International Conference on Software Maintenance and Evolution (ICSME)10.1109/ICSME.2017.29(204-215)Online publication date: Sep-2017
https://doi.org/10.1109/ICSME.2017.29
Rattanasuksun SYu TSrisa-An WRothermel G(2016)RRF: A Race Reproduction Framework for Use in Debugging Process-Level Races2016 IEEE 27th International Symposium on Software Reliability Engineering (ISSRE)10.1109/ISSRE.2016.35(162-172)Online publication date: Oct-2016
https://doi.org/10.1109/ISSRE.2016.35
Vijayakumar HGe XPayer MJaeger TFu K(2014)JIGSAWProceedings of the 23rd USENIX conference on Security Symposium10.5555/2671225.2671287(973-988)Online publication date: 20-Aug-2014
https://dl.acm.org/doi/10.5555/2671225.2671287
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents