Portably Solving File TOCTTOU Races with Hardness Amplification

The file-system API of contemporary systems makes programs vulnerable to TOCTTOU (time of check to time of use) race conditions. Existing solutions either help users detect these problems (by pinpointing their locations in the code) or prevent the problem altogether (by modifying the kernel or its API). The latter alternative is not prevalent, and the former is only a first step: programmers must still address TOCTTOU flaws within the limits of the existing API, with which several important tasks cannot be accomplished in a portable, straightforward manner. Recently, Dean and Hu addressed this problem and suggested a probabilistic hardness amplification approach that alleviated the matter. Alas, shortly after, Borisov et al. responded with an attack termed "filesystem maze" that defeated the new approach. We begin by noting that mazes constitute a generic way to deterministically win many TOCTTOU races (gone are the days when the probability was small). In the face of this threat, we (1) develop a new user-level defense that can withstand mazes, and (2) show that our method is undefeated even by much stronger hypothetical attacks that provide the adversary program with ideal conditions to win the race (enjoying complete and instantaneous knowledge about the defending program's actions and being able to perfectly synchronize accordingly). The fact that our approach is immune to these unrealistic attacks suggests it can be used as a simple and portable solution to a large class of TOCTTOU vulnerabilities, without requiring modifications to the underlying operating system.
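To make the setting concrete, the following is an added example (not code from the paper): the access(2)-then-open(2) sequence that constitutes the TOCTTOU pattern, wrapped in a simplified k-round identity check in the spirit of the Dean and Hu hardness amplification the abstract mentions. Since the abstract states that filesystem mazes defeat this approach, it illustrates the starting point the paper improves upon, not the paper's own defense; the k-round structure is a simplification, and the temporary-file scenario in self_test is constructed.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

static int same_file(const struct stat *a, const struct stat *b)
{
    return a->st_dev == b->st_dev && a->st_ino == b->st_ino;
}

/* Simplified k-round hardness amplification in the spirit of Dean and Hu
 * (not the paper's own defense). access()+open() on a name is the TOCTTOU
 * pattern; each round redoes it and requires lstat(name) and fstat(fd) to
 * agree with each other and with round 0, so a racer must win every round. */
static int open_amplified(const char *path, int k)
{
    struct stat first = {0}, pre, post = {0};
    int fd = -1;
    for (int i = 0; i <= k; i++) {
        if (access(path, R_OK) != 0 || lstat(path, &pre) != 0) goto fail;
        int cur = open(path, O_RDONLY);
        if (cur < 0) goto fail;
        int ok = fstat(cur, &post) == 0 && same_file(&pre, &post);
        if (i == 0) { fd = cur; first = post; }
        else { close(cur); ok = ok && same_file(&first, &post); }
        if (!ok) goto fail;
    }
    return fd;
fail:
    if (fd >= 0) close(fd);
    return -1;
}

/* Constructed scenario: regular file accepted, symlink to it rejected; 0 = pass. */
static int self_test(void)
{
    char dir[] = "/tmp/tocttou.XXXXXX", file[64], lnk[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(file, sizeof file, "%s/f", dir);
    snprintf(lnk, sizeof lnk, "%s/l", dir);
    int fd = open(file, O_CREAT | O_WRONLY, 0600);
    if (fd < 0 || symlink(file, lnk) != 0) return -1;
    close(fd);
    int a = open_amplified(file, 8), b = open_amplified(lnk, 8);
    if (a >= 0) close(a);
    unlink(lnk); unlink(file); rmdir(dir);
    return (a >= 0 && b < 0) ? 0 : 1;
}
```

The symlink is rejected because lstat() of the name reports the link's own inode while fstat() of the opened descriptor reports the target's, which is exactly the binding change the check is meant to notice.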

[1] David A. Wagner et al. Setuid Demystified. 2002. USENIX Security Symposium.

[2] Dawson R. Engler et al. RacerX: effective, static detection of race conditions and deadlocks. 2003. SOSP '03.

[3] Arnab Ray et al. Preventing race condition attacks on file-systems. 2005. SAC '05.

[4] William S. McPhee. Operating System Integrity in OS/VS2. 1974. IBM Syst. J.

[5] Dawson R. Engler et al. Checking system rules using system-specific, programmer-written compiler extensions. 2000. OSDI.

[6] Andrew Chi-Chih Yao et al. Theory and Applications of Trapdoor Functions (Extended Abstract). 1982. FOCS.

[7] Steve J. Chapin et al. Detection of file-based race conditions. 2005. International Journal of Information Security.

[8] David Mazières et al. Secure applications need flexible operating systems. 1997. Proceedings of the Sixth Workshop on Hot Topics in Operating Systems (Cat. No.97TB100133).

[9] Dawson R. Engler et al. Using programmer-written compiler extensions to catch security holes. 2002. Proceedings 2002 IEEE Symposium on Security and Privacy.

[10] David A. Wagner et al. MOPS: an infrastructure for examining security properties of software. 2002. CCS '02.

[11] Matt Bishop et al. Race Conditions, Files, and Security Flaws; or the Tortoise and the Hare Redux. 1995.

[12] Wei Tu et al. Model checking an entire Linux distribution for security violations. 2005. 21st Annual Computer Security Applications Conference (ACSAC'05).

[13] Calton Pu et al. Multiprocessors May Reduce System Dependability under File-Based Race Condition Attacks. 2007. 37th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN'07).

[14] Brian Chess et al. Improving computer security using extended static checking. 2002. Proceedings 2002 IEEE Symposium on Security and Privacy.

[15] Samuel T. King et al. Detecting past and present intrusions through vulnerability-specific predicates. 2005. SOSP '05.

[16] Pankaj Jalote et al. Monitoring the Security Health of Software Systems. 2006. 17th International Symposium on Software Reliability Engineering.

[17] Crispin Cowan et al. RaceGuard: Kernel Protection From Temporary File Race Vulnerabilities. 2001. USENIX Security Symposium.

[18] T. Redmond et al. Noninterference and intrusion detection. 2002. Proceedings 2002 IEEE Symposium on Security and Privacy.

[19] Frank B. Schmuck et al. Experience with transactions in QuickSilver. 1991. SOSP '91.

[20] Jongwoon Park et al. RPS: An Extension of Reference Monitor to Prevent Race-Attacks. 2004. PCM.

[21] Eugene Tsyrklevich et al. Dynamic Detection and Prevention of Race Conditions in File Accesses. 2003. USENIX Security Symposium.

[22] Gary McGraw et al. ITS4: a static vulnerability scanner for C and C++ code. 2000. Proceedings 16th Annual Computer Security Applications Conference (ACSAC'00).

[23] Jun-ichiro itojun Hagino. RFC3542 "Advanced Sockets Application Program Interface (API) for IPv6". 2005.

[24] Calton Pu et al. TOCTTOU vulnerabilities in UNIX-style file systems: an anatomical study. 2005. FAST'05.

[25] Matt Bishop et al. Checking for Race Conditions in File Accesses. 1996. Comput. Syst.

[26] Alan J. Hu et al. Fixing Races for Fun and Profit: How to Use access(2). 2004. USENIX Security Symposium.

[27] Nikita Borisov et al. Fixing Races for Fun and Profit: How to Abuse atime. 2005. USENIX Security Symposium.

[28] S. Venkatesan et al. A Unified Approach to Detecting Binding Based Race Condition Attacks. 2003.

[29] Erez Zadok et al. Extending ACID semantics to the file system. 2007. TOS.

[30] Matt Thomas et al. Advanced Sockets Application Program Interface (API) for IPv6. 2003. RFC.

[31] Calton Pu et al. A Methodical Defense against TOCTTOU Attacks: The EDGI Approach. 2006.

[32] Dawson R. Engler et al. Bugs as deviant behavior: a general approach to inferring errors in systems code. 2001. SOSP.