Modeling and preventing TOCTTOU vulnerabilities in Unix-style file systems
نویسندگان
چکیده
TOCTTOU (Time-of-Check-To-Time-Of-Use) is a file-based race condition in Unix-style systems and characterized by a pair of file object access by a vulnerable program: a check operation establishes certain condition about the file object (e.g., the file exists), followed by a use operation that assumes that the established condition still holds. Due to the lack of support for transactions in Unix-style file systems, an attacker can modify the established file condition in-between the check and use steps, thus causing significant harm. In this paper, we present a model of the TOCTTOU problem (called STEM), which enumerates all the potential file system call pairs (called exploitable TOCTTOU pairs) that form the check/use steps. The model shows that a successful TOCTTOU attack requires a change in the mapping of pathname to logical disk blocks between the check and use steps. We apply STEM to POSIX and Linux to demonstrate its practical value for Unix-style file systems. Then we propose a defense mechanism (called EDGI) that prevents an attacker from tampering with the file condition between exploitable TOCTTOU pairs during a vulnerable program’s execution. EDGI works at the file system level and does not require existing applications to change. We have implemented EDGI on Linux kernel 2.4.28 and our evaluation shows that EDGI is effective and incurs little overhead to application benchmarks such as Andrew and Postmark.
منابع مشابه
Portably Solving File TOCTTOU Races with Hardness Amplification
The file-system API of contemporary systems makes programs vulnerable to TOCTTOU (time of check to time of use) race conditions. Existing solutions either help users to detect these problems (by pinpointing their locations in the code), or prevent the problem altogether (by modifying the kernel or its API). The latter alternative is not prevalent, and the former is just the first step: programm...
متن کاملFile System Security: Secure Network Data Sharing for NT and Unix
Sharing network data between UNIX and NT systems is becoming increasingly important as NT moves into areas previously serviced entirely by UNIX. One difficulty in sharing data between UNIX and NT is that their file system security models are quite different. NT file servers use access control lists (ACLs) that allow permissions to be specified for an arbitrary number of users and groups, while ...
متن کاملMerging NT and UNIX Filesystem Permissions
Sharing network data between NT and UNIX systems is becoming increasingly important as NT moves into areas previously serviced entirely by UNIX. One difficulty in sharing data is that the two filesystem security models are quite different. NT file servers use access control lists (ACLs) that allow permissions to be specified for an arbitrary number of users and groups, while UNIX NFS servers us...
متن کاملModel-Based Analysis of Configuration Vulnerabilities
Vulnerability analysis is concerned with the problem of identifying weaknesses in computer systems that can be exploited to compromise their security. In this paper we describe a new approach to vulnerability analysis based on model checking. Our approach involves: • Formal specification of desired security properties. An example of such a property is “no ordinary user can overwrite system log ...
متن کاملPortably solving the access(2)/open(2) race
The access(2)/open(2) file-system race is the canonical example of a time-of-check-to-time-of-use (TOCTTOU) error in which a setuid binary checks that a user has permission to open a file prior to opening it. By changing the state of the file-system between the calls to access(2) and open(2), an attacker can cause the program to open a file to which the user does not have access. This race has ...
متن کاملذخیره در منابع من
با ذخیره ی این منبع در منابع من، دسترسی به آن را برای استفاده های بعدی آسان تر کنید
عنوان ژورنال:
- Computers & Security
دوره 29 شماره
صفحات -
تاریخ انتشار 2010