Page 1
Storage Developer Conference 2008 © 2008 IBM. All Rights Reserved.
www.storage-developer.org
Portably Preventing File Race Attacks with User-Mode Path Resolution
Dan Tsafrir, IBM Research
Tomer Hertz, Microsoft Research
David Wagner, UC Berkeley
Dilma Da Silva, IBM Research
[email protected]
Page 2
TOCTTOU (Time Of Check To Time Of Use)
Given a "check / use" pair of file operations:
1) Check something about filename "f"
2) Based on the result, use "f" in some way
• A TOCTTOU race condition lurks here: between the check and the use, the object that the name "f" resolves to can be changed by someone else
Page 3
Example 1: garbage collector (root cleans up /tmp)
attacker: mkdir(/tmp/etc); creat(/tmp/etc/passwd)
root: readdir(/tmp); lstat(/tmp/etc); readdir(/tmp/etc); lstat(/tmp/etc/passwd)
attacker: rename(/tmp/etc, /tmp/x); symlink(/etc, /tmp/etc)
root: unlink(/tmp/etc/passwd) => the name now resolves through the symlink, and it is /etc/passwd that gets removed
Page 4
Example 2: mail server (root appends to a user's mailbox)
root: lstat(/mail/ann)   // check
attacker: unlink(/mail/ann); symlink(/etc/passwd, /mail/ann)
root: fd = open(/mail/ann); write(fd, …)   // use => the message is appended to /etc/passwd
Page 5
Example 3: setuid program
root:
```
if (access(fname) == 0) {      // check: may the real user read fname?
    fd = open(fname);          // use: opened with the program's (root) privileges
    read(fd, …)
    …
}
```
attacker, between the access() and the open(): unlink(fname); symlink(secret_file, fname)
access() manual: "The access system call is a potential security hole due to race conditions and should never be used."
Page 6
Existing Solutions
Static detection: Bishop 1995; Viega et al. 2000; Chess 2002; Chen & Wagner 2002; Schwartz et al. 2005
Dynamic detection: Ko & Redmond 2001; Goyal et al. 2003; Lhee & Chapin 2005; Joshi et al. 2005; Wei & Pu 2005; Aggarwal & Jalote 2006
Dynamic prevention: Cowan et al. 2001; Tsyrklevich & Yee 2003; Park et al. 2004; Uppuluri et al. 2005; Wei & Pu 2006
New API: Schmuck & Wyllie 1991; Mazières & Kaashoek 1997; Wright et al. 2007
Page 7
Vulnerabilities are widespread
[chart: symlink attack vulnerabilities per year, data from the NVD (National Vulnerability Database); two of the bars are labelled 106 and 73]
Page 8
The problem: no solution for existing systems!
Static detection: finds races, doesn't fix them
Prevention & new APIs: not prevalent
But once a race is found… what should the programmer do?
Much harder to solve than, say, a buffer overflow, even for experts
Page 9
Previously suggested solutions for the access-open race
1. Switch to "real" identity before open => not portable [see "Setuid Demystified", USENIX Security 2002]
2. Do open + fstat to check ownership => bug (ownership is not the same question as access permission)
3. Use a Unix-domain socket to pass the open fd => not portable x 2
4. Use hardness amplification => discussed next…
Page 10
Hardness amplification [Dean & Hu, USENIX Security 2004]
```c
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

#define SYS(call) if ((call) == -1) return -1               /* a failed syscall aborts */
#define CHK(cond) if (!(cond)) { close(fd1); return -1; }    /* a failed check aborts   */
#define CMP(a, b) ((a)->st_dev == (b)->st_dev && (a)->st_ino == (b)->st_ino)
#ifndef K
#define K 7                 /* number of extra rounds; the slide leaves it as a tunable */
#endif

int access_open(char *fname) {
    struct stat s1, s2;
    int fd1, fd2, i;
    SYS( access(fname, R_OK) );            /* the naive pair: attacker wins with probability p */
    SYS( fd1 = open(fname, O_RDONLY) );
    SYS( fstat(fd1, &s1) );
    for (i = 1; i <= K; i++) {            /* K more rounds, two switches each: p^2K overall */
        SYS( access(fname, R_OK) );
        SYS( fd2 = open(fname, O_RDONLY) );
        SYS( fstat(fd2, &s2) );
        SYS( close(fd2) );
        CHK( CMP(&s1, &s2) );              /* every round must reach the same inode */
    }
    return fd1;
}
```
Page 11
Defeating the K-race [Borisov et al., USENIX Security 2005]
Filesystem maze:
The victim is handed the path "link1 / link2 / link3 / … / linkN / file"
Each link_i is a symlink into its own deep chain of directories, and the chain ends at the next link:
"chain1 / d / d / … / d / link2"
"chain2 / d / d / … / d / link3"
"chain3 / d / d / … / d / …"
…
"chainN-1 / d / d / … / d / linkN"
The last link leads to "target_directory / file"
Composed of 10,000s of directory entries
Requires 100s of Megabytes!
Page 12
Defeating the K-race [Borisov et al., USENIX Security 2005]
The maze takes a long time to traverse, and often results in going to disk
Path traversal updates the symlink's access time (atime), so the attacker can poll the symlink's atime and figure out what the defender is doing
The attack (tricking the victim into opening 'secret'): just before access(), set the target file to be public; just before open(), set the target file to be 'secret'
Page 13
Defeating the K-race [Borisov et al., USENIX Security 2005]
Maze attack:
Prepare K+1 mazes that point to a public file, and K+1 mazes that point to a private file
for (i = 0 … K) {
  1) Link "link1" to "chain1" of the i-th public maze; poll atime (to see the victim's access() traverse it)
  2) Link "link1" to "chain1" of the i-th private maze; poll atime (to see the victim's open() traverse it)
}
Page 14
Consequences
It was previously believed that [Wei and Pu, FAST 2005]: "TOCTTOU vulnerabilities are hard to exploit, because they […] rely on whether the attacking code is executed within the usually narrow window of vulnerability (on the orders of milliseconds)."
• This is no longer the case…
- The maze attack always wins (p ≈ 1)
- And is generic!
Page 15
Filepath syscalls are O(n) algorithms: open, stat, chdir, access, chown, …; n = the path's number of components; must visit n inodes
Dean & Hu's K-race technique is O(n·K)
file (n = 3): "f1 / f2 / f3"; K-race visits (K = 2): f1, f2, f3, f1, f2, f3
Row-oriented traversal: K rows of "f1 / f2 / f3 / … / fn" (n columns), traversed one full path per row
Page 16
Column-oriented traversal: the same K rows of "f1 / f2 / f3 / … / fn" (n columns), but traversed column by column: f1 is raced K times, then f2, …, then fn
Page 17
Column-oriented traversal
```
int access_open(char *fname) {
    if (fname is absolute) { chdir("/"); make fname relative; }
    foreach atom in fname do                      // atoms of "x/y" are "x" and "y"
        if (atom is a symlink) SYS( fd = access_open(atom's target) );
        else                   SYS( fd = atom_race(atom, &s) );    // K-race on this one atom
        if (not last atom) { SYS( fchdir(fd) ); close(fd); }
        else break;
    return fd;
}
```
Page 18
How safe is it?
Obviously, the maze attack fails. But maybe someday somebody will do better? We seek a stronger result, with the help of a hypothetical "know all" attack:
Exposed defender (s announces the defender's current phase to the attacker):
```
for (i = 1 … 10^6) {
    s = LSTAT;  lstat(f, &s1);
    s = ACCESS; access(f);
    s = OPEN;   fd = open(f);
    s = FSTAT;  fstat(fd, &s2);
    s = CLOSE;  close(fd);
    if (!syscalls_failed && !symlink(s1) && s1.inode == s2.inode && s1.inode == secret_ino)
        losses++;
}
```
Page 19
How safe is it?
[chart: K value for attack duration > 100 years (y-axis 0 to 15), local FS vs NFS, on five machines: UltraSPARC-II 448 MHz, 4 CPUs, Solaris 8; Pentium-III 550 MHz, 4 CPUs, Linux 2.4.16; PowerPC/4 1.45 GHz, 8 CPUs, AIX 5.3; AMD dual core 2.2 GHz, 4 CPUs, Linux 2.6.22; Intel Core 2 Duo 2.4 GHz, 2 CPUs, Linux 2.6.20]
Page 20
Papers
Previous slides - conference version: "Portably solving file TOCTTOU races with hardness amplification", USENIX Conference on File and Storage Technologies (FAST), Feb 2008
Following slides - journal version: "Portably preventing file race attacks with user-mode path resolution", submitted (TISSEC)
Page 21
Must it be probabilistic?
```
int access_open(char *fname) {
    if (fname is absolute) { chdir("/"); make fname relative; }
    foreach atom in fname do                      // atoms of "x/y" are "x" and "y"
        if (atom is a symlink) SYS( fd = access_open(atom's target) );
        else                   SYS( fd = atom_race(atom, &s) );    // <- the only probabilistic step
        if (not last atom) { SYS( fchdir(fd) ); close(fd); }
        else break;
    return fd;
}
```
Page 22
Must it be probabilistic?
```
struct credentials {
    uid_t  uid;
    gid_t  gid;
    gid_t *supplementary;
    int    size;            // of supplementary array
};

int access_open(char *fname, struct credentials *c) {
    if (fname is absolute) { chdir("/"); make fname relative; }
    foreach atom in fname do                      // atoms of "x/y" are "x" and "y"
        if (atom is a symlink) SYS( fd = access_open(atom's target, c) );
        else                   SYS( fd = atom_open(atom, &s, c) );   // replaces atom_race(atom, &s)
        …
```
Page 23
A deterministic solution
```
int atom_open(char *atom, struct stat *s, struct credentials *c) {
    SYS( fd = open(atom) );                 // we did lstat(atom, s) before,
    SYS( fstat(fd, &s2) );                  // and do fstat(fd, &s2) after:
    CHK( CMP(s, &s2) );                     // => it's a hard-link atom
    if      (c->uid == 0)       return fd;                                  // root
    else if (s->uid == c->uid)  return fd if s->mode permits user;
    else if (s->gid == c->gid)  return fd if s->mode permits group;
    else if (s->gid in c->sup)  return fd if s->mode permits group;
    else                        return fd if s->mode permits others;
    close(fd);
    return -1;
}
```
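The column-oriented traversal of page 17 and the deterministic atom_open of pages 22 and 23, carried through to a complete resolver. This is an added example written for this page, not the authors' code: it assumes Linux/glibc, uses openat/fstatat/readlinkat relative to the previous atom's fd instead of the slides' fchdir (the thread-safety fix the limitations slide anticipates), checks the permission bits against the stat of the opened fd rather than the pre-open lstat (both describe the same inode once dev/ino match), bounds symlink recursion at an assumed 40 like the kernel's ELOOP limit, and replays Example 3 in a constructed temp directory with assumed unprivileged ids 4242. The credentials struct is the slide's, with `sup`/`nsup` in place of `supplementary`/`size`.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

#define MAX_SYMLINKS 40   /* assumed loop bound, mirroring the kernel's ELOOP limit */
struct credentials { uid_t uid; gid_t gid; const gid_t *sup; int nsup; };

/* Owner/group/other rule of the "deterministic solution" slide, decided for the
 * supplied credentials rather than for the (privileged) process doing the open. */
static int permits(const struct stat *s, const struct credentials *c, int want)
{
    int shift = 0, i;
    if (c->uid == 0) return 1;                     /* root: the slide returns fd unconditionally */
    if (s->st_uid == c->uid) shift = 6;
    else if (s->st_gid == c->gid) shift = 3;
    else for (i = 0; i < c->nsup; i++) if (s->st_gid == c->sup[i]) { shift = 3; break; }
    return ((s->st_mode >> shift) & want) == want; /* R_OK/W_OK/X_OK are the 4/2/1 bits */
}

/* Column-oriented traversal: each atom is opened relative to the fd of the previous one
 * (openat instead of fchdir), with atom_open's lstat / open / fstat / compare check. */
static int resolve(int dirfd, const char *path, const struct credentials *c, int oflags, int want, int depth)
{
    char buf[4096], tgt[4096], *save, *atom, *next;
    struct stat s, s2; int cur, fd, e;
    if (depth > MAX_SYMLINKS) { errno = ELOOP; return -1; }
    if (strlen(path) >= sizeof buf) { errno = ENAMETOOLONG; return -1; }
    strcpy(buf, path);
    cur = path[0] == '/' ? open("/", O_RDONLY | O_DIRECTORY)        /* absolute path: start at "/" */
        : dirfd == AT_FDCWD ? open(".", O_RDONLY | O_DIRECTORY) : dup(dirfd);
    if (cur == -1) return -1;
    for (atom = strtok_r(buf, "/", &save); atom; atom = next) {
        next = strtok_r(NULL, "/", &save);
        int last = next == NULL;
        int aflags = last ? oflags : O_RDONLY | O_DIRECTORY;        /* inner atoms must be directories ... */
        int awant = last ? want : X_OK;                             /* ... on which c needs search permission */
        if (fstatat(cur, atom, &s, AT_SYMLINK_NOFOLLOW) == -1) { e = errno; close(cur); errno = e; return -1; }
        if (S_ISLNK(s.st_mode)) {                                   /* symlink atom: recurse on its target */
            ssize_t n = readlinkat(cur, atom, tgt, sizeof tgt - 1);
            if (n <= 0) { e = n ? errno : ENOENT; close(cur); errno = e; return -1; }
            tgt[n] = '\0';
            fd = resolve(cur, tgt, c, aflags, awant, depth + 1);
        } else {                                                    /* hard-link atom */
            fd = openat(cur, atom, aflags | O_NOFOLLOW);
            if (fd != -1 && (fstat(fd, &s2) == -1 || s2.st_dev != s.st_dev || s2.st_ino != s.st_ino)) {
                close(fd); fd = -1; errno = EAGAIN;                 /* entry swapped between lstat and open */
            }
            if (fd != -1 && !permits(&s2, c, awant)) { close(fd); fd = -1; errno = EACCES; }
        }
        e = errno; close(cur); errno = e;
        if (fd == -1) return -1;
        cur = fd;
    }
    return cur;                                                     /* "" or "/" yields the start directory */
}

/* The slide's access_open(fname, c): the process opens as itself, the decision is made for c. */
int access_open(const char *fname, const struct credentials *c, int oflags)
{
    int acc = oflags & O_ACCMODE;
    int want = acc == O_RDONLY ? R_OK : acc == O_WRONLY ? W_OK : R_OK | W_OK;
    return resolve(AT_FDCWD, fname, c, oflags, want, 0);
}

/* Pure wrapper around permits() for exercising the rule without touching a filesystem. */
int permits_mode(mode_t mode, uid_t fuid, gid_t fgid, uid_t uid, gid_t gid, int want)
{
    struct stat st; struct credentials c = { uid, gid, NULL, 0 };
    memset(&st, 0, sizeof st); st.st_mode = mode; st.st_uid = fuid; st.st_gid = fgid;
    return permits(&st, &c, want);
}

/* Constructed replay of Example 3: 'public' (0644), 'secret' (0600) and the symlink 'fname',
 * which the attacker repoints from public to secret. Returns 1 if the assumed unprivileged ids
 * may read public but get EACCES on secret (although the process itself can open it), while
 * root credentials are still served. */
int demo(void)
{
    char dir[32] = "/tmp/umpr-XXXXXX", p[48], s[48], l[48];
    const struct credentials user = { 4242, 4242, NULL, 0 }, root = { 0, 0, NULL, 0 };
    int fd, ok;
    if (!mkdtemp(dir)) { strcpy(dir, "umpr-XXXXXX"); if (!mkdtemp(dir)) return 0; }
    if (chmod(dir, 0711) == -1) return 0;                           /* "user" needs search permission */
    snprintf(p, sizeof p, "%s/public", dir); snprintf(s, sizeof s, "%s/secret", dir);
    snprintf(l, sizeof l, "%s/fname", dir);
    if ((fd = open(p, O_WRONLY | O_CREAT, 0644)) != -1) { fchmod(fd, 0644); close(fd); }
    if ((fd = open(s, O_WRONLY | O_CREAT, 0600)) != -1) { fchmod(fd, 0600); close(fd); }
    ok = symlink("public", l) == 0 && (fd = access_open(l, &user, O_RDONLY)) != -1;
    if (ok) close(fd);
    unlink(l);
    ok = ok && symlink("secret", l) == 0;                           /* the attacker's swap */
    ok = ok && access_open(l, &user, O_RDONLY) == -1 && errno == EACCES;
    ok = ok && (fd = access_open(l, &root, O_RDONLY)) != -1;
    if (ok) close(fd);
    unlink(l); unlink(p); unlink(s); rmdir(dir);
    return ok;
}

int main(void) { printf("demo %s\n", demo() ? "passed" : "failed"); return 0; }
```

Every atom is named relative to an fd that was itself verified one step earlier, so the only string ever handed to the kernel is a single directory entry; a symlink is read back and resolved by the same routine instead of being followed, and a swap between the lstat and the open shows up as a dev/ino mismatch or an ELOOP from O_NOFOLLOW. File creation and execution remain outside this resolver, as the limitations slide notes.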
Page 24
Overhead
[chart: slowdown relative to naive access/open (y-axis 0 to 6), on the same five machines: UltraSPARC-II 448 MHz, 4 CPUs, Solaris 8; Pentium-III 550 MHz, 4 CPUs, Linux 2.4.16; PowerPC/4 1.45 GHz, 8 CPUs, AIX 5.3; AMD dual core 2.2 GHz, 4 CPUs, Linux 2.6.22; Intel Core 2 Duo 2.4 GHz, 2 CPUs, Linux 2.6.20]
Page 25
Generalizing
Not just setuid ("check"): the credentials structure decouples identity; the "deputy" is no longer confused; exactly the same solution applies to access-open and to the mail server
Not just open ("use"): the fd/inode mapping is immutable => invulnerable; once the fd is safely opened, use fchown, fchmod, ftruncate, fchdir, fstat, … (instead of chown, chmod, truncate, chdir, stat, …)
Other check / use operations?
Page 26
Generalizing
```c
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>

struct credentials;

typedef int (*transaction_t)(char *atom, struct stat *s, int fd);

/* Transaction for the garbage collector: remove regular files not accessed in 72 hours */
int collect_garbage(char *atom, struct stat *s, int fd) {
    if (S_ISLNK(s->st_mode)) return -1;                   /* never act through a symlink */
    if (S_ISDIR(s->st_mode)) return 0;                    /* directories are descended, not removed */
    if (s->st_atime < time(0) - 72*3600) return unlink(atom);   /* stale: remove */
    return 0;
}

int check_use(
    char *fname,                // filepath to check/use
    struct credentials *c,      // with these credentials
    int flags,                  // for when open()ing the last atom
    transaction_t tr);          // applied to each atom along 'fname'
```
Page 27
Limitations
File creation: the race is typically associated with temp files
File execution: can't open a file "for execution" (only read/write); no standard fexec (fexecve has since been standardized in POSIX.1-2008)
Multithreading: due to fchdir, which changes the process-wide working directory; but openat(2) will solve this problem
Page 28
Conclusions
POSIX filesystem API is broken: its semantics inherently promote TOCTTOU races
Existing solutions can only locate races, or otherwise relate to non-prevalent systems; programmers are on their own
We propose user-mode path resolution: effectively binds check/use pairs in a generic way; the efficiency/safety tradeoff becomes explicit; pairs are encapsulated, new programmers educated
Page 29
Thanks!
Page 30
BACKUP SLIDES
Page 31
How safe is it?
Expected time T_K until K consecutive rounds are lost:
T_K = t · p^{-K}
where t = average time to finish one round, and p = probability to lose one round
Measure t & p under "ideal" attack conditions: SMPs / CMPs only (some older & slower); multiple attackers, different busy-wait periods; small memory, recursive background grep-s, huge dir