Modeling and preventing TOCTTOU vulnerabilities in Unix-style file systems

TOCTTOU (Time-of-Check-To-Time-Of-Use) is a file-based race condition in Unix-style systems and characterized by a pair of file object access by a vulnerable program: a check operation establishes certain condition about the file object (e.g., the file exists), followed by a use operation that assumes that the established condition still holds. Due to the lack of support for transactions in Unix-style file systems, an attacker can modify the established file condition in-between the check and use steps, thus causing significant harm. In this paper, we present a model of the TOCTTOU problem (called STEM), which enumerates all the potential file system call pairs (called exploitable TOCTTOU pairs) that form the check/use steps. The model shows that a successful TOCTTOU attack requires a change in the mapping of pathname to logical disk blocks between the check and use steps. We apply STEM to POSIX and Linux to demonstrate its practical value for Unix-style file systems. Then we propose a defense mechanism (called EDGI) that prevents an attacker from tampering with the file condition between exploitable TOCTTOU pairs during a vulnerable program’s execution. EDGI works at the file system level and does not require existing applications to change. We have implemented EDGI on Linux kernel 2.4.28 and our evaluation shows that EDGI is effective and incurs little overhead to application benchmarks such as Andrew and Postmark.