DOI: 10.1145/2151024.2151052

Protecting applications against TOCTTOU races by user-space caching of file metadata

Published: 03 March 2012

Abstract

Time Of Check To Time Of Use (TOCTTOU) race conditions for file accesses in user-space applications are a common problem in Unix-like systems. Applications use filenames as the primary attribute to identify files, but the mapping from a filename to an inode and device is volatile: an attacker who can rebind the name between an application's check and its use has the necessary preconditions for an exploit.
DynaRace is an approach that protects unmodified applications from file-based TOCTTOU race conditions. DynaRace uses a transparent mapping cache that keeps additional state and metadata for each file the application accesses. The combination of the file's cached state and the type of the current system call decides whether (i) the metadata is updated or (ii) its correctness is enforced between consecutive system calls.
Internally, DynaRace uses user-mode path resolution to resolve a path one file atom at a time; each atom is verified or updated according to its state in the mapping cache. DynaRace protects all file-based system calls by replacing each unsafe system call with a set of safe system calls that consult the mapping cache. The original system call is executed only if the state transition is allowed and the information in the mapping cache matches.
DynaRace deterministically solves the problem of file-based race conditions for unmodified applications and removes an attacker's ability to exploit the TOCTTOU race condition. DynaRace detects injected alternate inode and device pairs and terminates the application.
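The check-then-use gap the abstract describes, and the per-atom (device, inode) pinning that closes it, as an added example in C. This is not DynaRace's code: it reimplements the idea by hand with openat(2) and fstat(2), so the names `struct path_cache`, `walk_path`, `pin_path`, `open_verified`, `unsafe_check_then_open` and `demo` are all assumptions of this example. The attacker's move is simulated by a `rename(2)` issued in the same process between the check and the use, and the scratch directory and files under /tmp are constructed for the demonstration.

```c
/* Added example (not DynaRace's code): pin each path atom to a (dev, ino) pair
 * at check time and verify the same chain at use time. All names here
 * (walk_path, pin_path, open_verified, path_cache, demo) are assumptions. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define MAX_ATOMS 32
#define PIN_MISMATCH (-2)  /* some atom no longer maps to the cached (dev, ino) */
struct atom_id    { dev_t dev; ino_t ino; };
struct path_cache { int natoms; struct atom_id atom[MAX_ATOMS]; };

/* Resolve 'path' one atom at a time; each openat(2) is relative to the previous
 * atom's fd with O_NOFOLLOW, so no atom is looked up by name twice. verify == 0
 * records each atom's (dev, ino) (the "check"); verify != 0 compares it against
 * the cache (the "use"). Returns the final atom's fd, -1 with errno set, or
 * PIN_MISMATCH if an atom was rebound. Symlinks are rejected (ELOOP), a simplification. */
static int walk_path(const char *path, struct path_cache *c, int verify, int last_flags)
{
    char buf[PATH_MAX];
    if (strlen(path) >= sizeof buf) { errno = ENAMETOOLONG; return -1; }
    strcpy(buf, path);
    int dirfd = AT_FDCWD;
    if (buf[0] == '/' && (dirfd = open("/", O_RDONLY | O_DIRECTORY | O_CLOEXEC)) < 0)
        return -1;
    int n = 0; char *save = NULL;
    for (char *comp = strtok_r(buf, "/", &save); comp != NULL; n++) {
        char *next = strtok_r(NULL, "/", &save);
        int fd = openat(dirfd, comp, (next ? O_RDONLY | O_DIRECTORY : last_flags) | O_NOFOLLOW | O_CLOEXEC);
        int saved = errno;
        if (dirfd != AT_FDCWD) close(dirfd);
        if (fd < 0) { errno = saved; return -1; }
        struct stat st;
        if (n >= MAX_ATOMS || fstat(fd, &st) < 0) {
            saved = n >= MAX_ATOMS ? ENAMETOOLONG : errno;
            close(fd); errno = saved; return -1;
        }
        if (!verify) { c->atom[n].dev = st.st_dev; c->atom[n].ino = st.st_ino; }
        else if (n >= c->natoms || c->atom[n].dev != st.st_dev || c->atom[n].ino != st.st_ino) {
            close(fd); return PIN_MISMATCH;   /* the name was rebound: refuse the use */
        }
        dirfd = fd;
        comp = next;
    }
    if (n == 0) { if (dirfd != AT_FDCWD) close(dirfd); errno = EINVAL; return -1; }
    if (!verify) c->natoms = n;
    else if (n != c->natoms) { close(dirfd); return PIN_MISMATCH; }
    return dirfd;
}

int pin_path(const char *path, struct path_cache *c) { return walk_path(path, c, 0, O_RDONLY); } /* the "check" */
int open_verified(const char *path, struct path_cache *c, int flags) { return walk_path(path, c, 1, flags); } /* guarded "use" */

/* The classic TOCTTOU shape: check and use each resolve the name on their own. */
int unsafe_check_then_open(const char *path)
{
    if (access(path, R_OK) != 0) return -1;     /* check */
    return open(path, O_RDONLY | O_CLOEXEC);    /* use: an independent second lookup */
}

/* Constructed scenario in a fresh temp dir: pin "target", optionally let the
 * attacker rename "other" over it, then perform the use both ways. Returns a
 * bitmask: bit 0 = verified open refused the rebound inode, bit 1 = unsafe
 * check-then-open ended up on the attacker's inode; -1 on setup failure. */
int demo(int attacker_swaps)
{
    char dir[] = "/tmp/dynarace-demo-XXXXXX", target[64], other[64];
    struct stat st_other, st; struct path_cache cache;
    int result = -1, fd;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(other, sizeof other, "%s/other", dir);
    if ((fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600)) < 0) goto out;
    close(fd);
    if ((fd = open(other, O_WRONLY | O_CREAT | O_EXCL, 0600)) < 0) goto out;
    if (fstat(fd, &st_other) < 0) { close(fd); goto out; }
    close(fd);
    if ((fd = pin_path(target, &cache)) < 0) goto out;          /* check */
    close(fd);
    if (attacker_swaps && rename(other, target) < 0) goto out;  /* attacker wins the race */
    result = 0;
    fd = open_verified(target, &cache, O_RDONLY);               /* guarded use */
    if (fd == PIN_MISMATCH) result |= 1; else if (fd >= 0) close(fd);
    if ((fd = unsafe_check_then_open(target)) >= 0) {           /* unguarded use */
        if (fstat(fd, &st) == 0 && st.st_dev == st_other.st_dev && st.st_ino == st_other.st_ino)
            result |= 2;
        close(fd);
    }
out:
    unlink(target); unlink(other); rmdir(dir);
    return result;
}
```

On a Linux system with a writable /tmp, `demo(1)` returns 3 (the pinned walk refuses the swapped inode while the access/open pair happily uses it) and `demo(0)` returns 0. DynaRace does the equivalent transparently for every file-based system call of an unmodified binary and terminates the application on a mismatch; here the mismatch is surfaced as `PIN_MISMATCH` so the caller can inspect it. Opening the final atom with O_RDONLY means this check also needs read permission on the file, which a stat-based check would not; that is a simplification of this example, not a property of DynaRace.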




Published In

VEE '12: Proceedings of the 8th ACM SIGPLAN/SIGOPS conference on Virtual Execution Environments
March 2012, 248 pages
ISBN: 9781450311762
DOI: 10.1145/2151024

Also in ACM SIGPLAN Notices, Volume 47, Issue 7 (VEE '12), July 2012, 229 pages
ISSN: 0362-1340, EISSN: 1558-1160
DOI: 10.1145/2365864
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

  1. TOCTTOU races
  2. dynamic protection
  3. file-based TOCTTOU race protection
  4. race protection
  5. security
  6. virtualization

Qualifiers

  • Research-article

Conference

VEE '12

Acceptance Rates

Overall Acceptance Rate 80 of 235 submissions, 34%

Article Metrics

  • Downloads (last 12 months): 17
  • Downloads (last 6 weeks): 1

Reflects downloads up to 04 Jan 2025

Cited By

  • (2023) Unsafe at any copy. Proceedings of the 21st USENIX Conference on File and Storage Technologies, pp. 183-197. 10.5555/3585938.3585950. Online publication date: 21-Feb-2023
  • (2022) Defense and Attack Techniques Against File-Based TOCTOU Vulnerabilities: A Systematic Review. IEEE Access 10, pp. 21742-21758. 10.1109/ACCESS.2022.3153064. Online publication date: 2022
  • (2018) Automated Detection, Exploitation, and Elimination of Double-Fetch Bugs using Modern CPU Features. Proceedings of the 2018 on Asia Conference on Computer and Communications Security, pp. 587-600. 10.1145/3196494.3196508. Online publication date: 29-May-2018
  • (2018) Vanguard: A Cache-Level Sensitive File Integrity Monitoring System in Virtual Machine Environment. IEEE Access 6, pp. 38567-38577. 10.1109/ACCESS.2018.2851192. Online publication date: 2018
  • (2018) Untrusted Hardware Causes Double-Fetch Problems in the I/O Memory. Journal of Computer Science and Technology 33(3), pp. 587-602. 10.1007/s11390-018-1842-3. Online publication date: 11-May-2018
  • (2017) Cobweb. Proceedings of the 2nd Workshop on System Software for Trusted Execution, pp. 1-7. 10.1145/3152701.3152705. Online publication date: 28-Oct-2017
  • (2017) DESCRY: reproducing system-level concurrency failures. Proceedings of the 2017 11th Joint Meeting on Foundations of Software Engineering, pp. 694-704. 10.1145/3106237.3106266. Online publication date: 21-Aug-2017
  • (2017) SimEvo: Testing Evolving Multi-process Software Systems. 2017 IEEE International Conference on Software Maintenance and Evolution (ICSME), pp. 204-215. 10.1109/ICSME.2017.29. Online publication date: Sep-2017
  • (2016) RRF: A Race Reproduction Framework for Use in Debugging Process-Level Races. 2016 IEEE 27th International Symposium on Software Reliability Engineering (ISSRE), pp. 162-172. 10.1109/ISSRE.2016.35. Online publication date: Oct-2016
  • (2014) JIGSAW. Proceedings of the 23rd USENIX conference on Security Symposium, pp. 973-988. 10.5555/2671225.2671287. Online publication date: 20-Aug-2014
