Fixing Races For Good: Portable and Reliable UNIX File-System Race Detection

We present a system for performing arbitrary sequences of filesystem operations and provably detecting any violation of serializable isolation semantics, i.e. any interleaving of attacker and defender actions is equivalent to a non-interleaved sequence of attacker and defender actions. Thus, our system provides a provably secure defense against all UNIX file-name race conditions, including the infamous access/open race. Our solution operates entirely in user-space and is portable to any POSIX.1-2008 system, making it usable today. Developers can adopt our solution selectively, using it for security-critical code and using the standard POSIX interface for non-security-critical parts of their programs. Furthermore, the proofs of correctness suggest several simple improvements to the POSIX standard.
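As an added illustration, not code from the paper: the access/open check-then-use pattern beside a hardened variant that ties the check to the opened descriptor and refuses to proceed when the name was re-bound in between, which is the kind of non-serializable interleaving the abstract describes. `racy_open`, `checked_open` and `demo_checked_open` are hypothetical names, and the identity check covers only the final path component, not the directories leading to it.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* The access/open race: check and use both go by name, and nothing ties
 * them to one file system object, so the name can be re-bound in between. */
int racy_open(const char *path) {
    if (access(path, R_OK) != 0) return -1;   /* check */
    return open(path, O_RDONLY);              /* use */
}

/* Hypothetical hardened variant (not the paper's code): record the identity
 * of the object the name resolves to, open without following a final symlink
 * (O_NOFOLLOW is POSIX.1-2008), then confirm the descriptor refers to that
 * same object. A mismatch means the name was re-bound between check and use,
 * so no serial order explains the outcome, and the open is refused. */
int checked_open(const char *path) {
    struct stat before, after;
    if (lstat(path, &before) != 0) return -1;
    if (!S_ISREG(before.st_mode)) { errno = ELOOP; return -1; }
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    if (fstat(fd, &after) != 0 || after.st_dev != before.st_dev ||
        after.st_ino != before.st_ino) {
        close(fd);
        errno = EAGAIN;   /* detected: the object changed under us */
        return -1;
    }
    return fd;
}

/* Constructed demo: a regular temp file is accepted, a symlink to it is
 * refused. Returns 1 on the expected outcome, 0 otherwise. */
int demo_checked_open(void) {
    char file[] = "/tmp/race_demo_XXXXXX", lnk[64];
    int tmp = mkstemp(file), ok = 0;
    if (tmp < 0) return 0;
    close(tmp);
    snprintf(lnk, sizeof lnk, "%s.lnk", file);
    int fd = checked_open(file);
    if (fd >= 0) { close(fd); ok = 1; }
    if (symlink(file, lnk) == 0) { ok = ok && checked_open(lnk) < 0; unlink(lnk); }
    else ok = 0;
    unlink(file);
    return ok;
}
```

The descriptor returned by `checked_open` is what later reads should use; re-opening by name would reintroduce the window the check just closed.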
