A Methodical Defense against TOCTTOU Attacks: The EDGI Approach

TOCTTOU (time-of-check-to-time-of-use) is a challenging and significant problem: a victim process accesses a file object in two steps (a check followed by a use), and an attacker accesses the same file object in between the two steps. We describe a model-based, event-driven defense mechanism, called EDGI, which prevents such attacks by stopping the second process in between the two steps. Our main contribution is the systematic design and implementation of the EDGI defense and its evaluation. EDGI has no false negatives and very few false positives, and it works without changing application code or APIs. A Linux kernel implementation shows the practicality of the EDGI defense, and an experimental evaluation shows low additional overhead on representative workloads.
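The check/use pair the abstract describes is easiest to see in application code. The following is an added example, not code from the paper or from the EDGI kernel mechanism: it places the classic racy pattern (a check on a path name followed by a second resolution of the same name) beside the descriptor-based pattern that an application can use on its own, where the object is opened once and every check is made on the file descriptor with fstat(2). The function names, the use of a temporary file under /tmp and the symlink standing in for an object that changed under the name are all constructed for the demonstration and assume Linux.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Classic TOCTTOU pair: the check (access) and the use (open) each resolve
 * the path name, so whatever the name points to may change in between.
 * Kept here only to contrast with the hardened version below. */
static int racy_open(const char *path)
{
    if (access(path, R_OK) != 0)   /* check, by name */
        return -1;
    return open(path, O_RDONLY);   /* use: the name is resolved a second time */
}

/* Hardened pattern: open exactly once, refuse to follow a symbolic link at
 * the final path component, then perform the checks on the descriptor.
 * fstat is bound to the object that was actually opened, not to the name,
 * so there is no window between check and use for the object to change. */
static int safe_open_regular(const char *path)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed demonstration: a temporary regular file plus a symlink to it
 * (the symlink models the object changing under the name). Returns 1 when
 * the hardened open accepts the regular file and rejects the symlink while
 * the racy open accepts the symlink; returns 0 for any other outcome. */
int run_demo(void)
{
    char file[] = "/tmp/edgi_demo_XXXXXX";   /* assumes /tmp is writable */
    int fd = mkstemp(file);
    if (fd < 0)
        return 0;
    close(fd);

    char link[64];
    snprintf(link, sizeof link, "%s.lnk", file);
    if (symlink(file, link) != 0) {
        unlink(file);
        return 0;
    }

    int ok = 1;
    int a = safe_open_regular(file);   /* expected: success */
    int b = safe_open_regular(link);   /* expected: rejected (ELOOP) */
    int c = racy_open(link);           /* expected: success, link followed */
    if (a < 0) ok = 0; else close(a);
    if (b >= 0) { ok = 0; close(b); }
    if (c < 0) ok = 0; else close(c);

    unlink(link);
    unlink(file);
    return ok;
}

int main(void)
{
    printf("descriptor-based checks bind to the object, not the name: %s\n",
           run_demo() ? "yes" : "no");
    return 0;
}
```

The point of the contrast is the one EDGI enforces in the kernel for unmodified programs: the check and the use must refer to the same object. An application that can be changed gets the same guarantee by doing its checks on the descriptor; EDGI's value, per the abstract, is providing it without touching application code or APIs.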
