JIGSAW: Protecting Resource Access by Inferring Programmer Expectations

Processes retrieve a variety of resources, such as files, from the operating system in order to function. However, securely accessing resources has proven to be a challenging task, accounting for 10-15% of vulnerabilities reported each year. Current defenses address only a subset of these vulnerabilities, in ad-hoc and incomplete ways. In this paper, we provide a comprehensive defense against vulnerabilities during resource access. First, we identify a fundamental reason that resource access vulnerabilities exist: a mismatch between programmer expectations and the actual environment the program runs in. To address such mismatches, we propose JIGSAW, a system that can automatically derive programmer expectations and enforce them on the deployment. JIGSAW constructs programmer expectations as a name flow graph, which represents the data flows from the inputs used to construct file pathnames to the retrieval of system resources using those pathnames. We find that whether a program makes any attempt to filter such flows implies expectations about the threats the programmer anticipates during resource retrieval, thus enabling JIGSAW to enforce those expectations. We evaluated JIGSAW on widely-used programs and found that programmers have many implicit expectations. These mismatches led us to discover two previously-unknown vulnerabilities and a default misconfiguration in the Apache webserver. JIGSAW enforces program expectations at approximately 5% overhead for Apache webservers, thus eliminating vulnerabilities due to resource access efficiently and in a principled manner.
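The two ideas in the abstract, inferring an expectation from whether a pathname flow is filtered and then enforcing that expectation at retrieval time, can be illustrated with a small model. The following is an added example written for this page; it is not JIGSAW's code and the page does not describe the paper's actual implementation. The `NameFlow` type, the two threat labels, the `enforce_open` walker and the constructed sample tree are all assumptions made here. It models one edge of a name flow graph (an input reaching an `open`), reports threats an untrusted input is exposed to but never filtered against, and retrieves a resource component by component with `openat`-style calls so that traversal and symlink redirection are refused at lookup time rather than in a separate check before the open (Linux only, since it relies on `os.open` with `dir_fd`).

```python
import errno
import os
import shutil
import tempfile
from dataclasses import dataclass, field

# Threat classes a pathname flow may be exposed to (labels constructed for this example).
TRAVERSAL = "traversal"   # attacker-chosen ".." components escape the intended directory
SYMLINK = "symlink"       # attacker-planted link redirects the lookup elsewhere
ALL_THREATS = {TRAVERSAL, SYMLINK}


@dataclass
class NameFlow:
    """One edge of a name flow graph: a pathname input that reaches a resource retrieval.
    Hypothetical type; the paper's real representation is not shown on this page."""
    source: str                                  # where the pathname input comes from
    trusted: bool                                # True if only the administrator controls it
    filters: set = field(default_factory=set)    # threats the program's own checks address


def infer_expectations(flow: NameFlow) -> set:
    """Return the threats this flow is exposed to but not filtered against.

    Rule modelled here: filtering an input against a threat shows the programmer
    expected it; an untrusted input that reaches open() with no such filter is a
    mismatch between expectation and deployment worth reporting.
    """
    if flow.trusted:
        return set()                 # a trusted input carries no adversarial expectation
    return ALL_THREATS - flow.filters


def enforce_open(root_fd: int, untrusted_name: str, flags: int = os.O_RDONLY) -> int:
    """Retrieve root/untrusted_name while enforcing both expectations during lookup.

    Each component is opened relative to the previous directory descriptor, so
    '..' is rejected (traversal) and a symlink is refused via O_NOFOLLOW (ELOOP)
    without a check-then-use window between a path check and the open.
    """
    parts = [p for p in untrusted_name.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise PermissionError(f"rejected pathname: {untrusted_name!r}")
    dir_fd = os.dup(root_fd)
    try:
        for component in parts[:-1]:
            next_fd = os.open(component, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW,
                              dir_fd=dir_fd)
            os.close(dir_fd)
            dir_fd = next_fd
        return os.open(parts[-1], flags | os.O_NOFOLLOW, dir_fd=dir_fd)
    finally:
        os.close(dir_fd)


def build_sample_tree() -> str:
    """Construct a document root beside a private directory, plus a link into it."""
    base = tempfile.mkdtemp(prefix="nameflow_demo_")
    os.makedirs(os.path.join(base, "site", "htdocs"))
    os.makedirs(os.path.join(base, "private"))
    with open(os.path.join(base, "site", "htdocs", "index.html"), "w") as f:
        f.write("hello\n")
    with open(os.path.join(base, "private", "secret.txt"), "w") as f:
        f.write("constructed secret\n")
    # A link placed under the document root that points outside it.
    os.symlink("../../private/secret.txt", os.path.join(base, "site", "htdocs", "leak"))
    return base


def demo() -> dict:
    """Exercise inference and enforcement on the constructed tree; return the outcomes."""
    base = build_sample_tree()
    root_fd = os.open(os.path.join(base, "site"), os.O_RDONLY | os.O_DIRECTORY)
    results = {}
    try:
        with os.fdopen(enforce_open(root_fd, "htdocs/index.html")) as f:
            results["legit"] = f.read()
        for label, name in (("traversal", "htdocs/../../private/secret.txt"),
                            ("symlink", "htdocs/leak")):
            try:
                os.close(enforce_open(root_fd, name))
                results[label] = "allowed"
            except PermissionError:
                results[label] = "blocked:traversal"
            except OSError as e:
                results[label] = "blocked:symlink" if e.errno == errno.ELOOP else f"error:{e.errno}"
    finally:
        os.close(root_fd)
        shutil.rmtree(base)
    # Inference on three flows: unfiltered request input, traversal-filtered input, trusted config.
    results["unfiltered"] = infer_expectations(NameFlow("request URI", trusted=False))
    results["filtered"] = infer_expectations(NameFlow("request URI", False, {TRAVERSAL}))
    results["trusted"] = infer_expectations(NameFlow("DocumentRoot directive", trusted=True))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The inference half shows why a filter's presence is informative: the flow that strips `..` still reports `symlink` as an unaddressed expectation, while the trusted configuration flow reports nothing. The enforcement half shows the shape of the check that closes that gap at the point of retrieval.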
