Multiprocessors May Reduce System Dependability under File-Based Race Condition Attacks

Attacks exploiting race conditions have been considered rare and "low risk". The increasing popularity of multiprocessors changes this situation: instead of waiting for the victim process to be suspended before carrying out an attack, the attacker can now run on a dedicated processor and actively seek attack opportunities. This change from fortuitous encounter to active exploitation can greatly increase the success probability of race condition attacks. This paper illustrates the point by studying TOCTTOU (Time-of-Check-to-Time-of-Use) race condition attacks. We first propose a probabilistic model for predicting the TOCTTOU attack success rate on both uniprocessors and multiprocessors. We then confirm the applicability of this model by carrying out TOCTTOU attacks against two widely used utility programs, vi and gedit. The success probability of attacking vi increases from a low single-digit percentage on a uniprocessor to almost 100% on a multiprocessor. Similarly, the success rate of attacking gedit jumps from almost zero to 83%. These case studies suggest that our model captures the sharply increased risk, and hence the decreased dependability of our systems, represented by race condition attacks such as TOCTTOU on the next generation of multiprocessors.
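The file-based TOCTTOU pattern the abstract refers to, shown here as an added example in C that is not code from the paper: the vulnerable check-a-path-then-use-the-path sequence (access() followed by open()) beside a hardened version that binds the check to the file descriptor it actually uses. A hook stands in for the attacker's move inside the window; on a uniprocessor the attacker must hope the victim is descheduled there, whereas the hook is invoked deterministically to show what a perfectly timed attacker on a second processor obtains. The sandbox under /tmp, the file contents, and all function names are constructed for this example.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed sandbox: the file the "privileged" program is asked to read,
 * and a secret file it must never read. */
static char g_dir[256];
static char g_target[320];
static char g_secret[320];

static int write_file(const char *path, const char *text) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, text, strlen(text));
    close(fd);
    return n == (ssize_t)strlen(text) ? 0 : -1;
}

/* (Re)create the benign state so every scenario starts identically. */
static int setup_sandbox(void) {
    if (g_dir[0] == '\0') {
        strcpy(g_dir, "/tmp/tocttou-XXXXXX");
        if (mkdtemp(g_dir) == NULL) return -1;
        snprintf(g_target, sizeof g_target, "%s/report.txt", g_dir);
        snprintf(g_secret, sizeof g_secret, "%s/secret.txt", g_dir);
    }
    unlink(g_target);                            /* drop a symlink left by an earlier attack */
    if (write_file(g_target, "public report\n") != 0) return -1;
    return write_file(g_secret, "SECRET\n");
}

static int teardown_sandbox(void) {
    if (g_dir[0] == '\0') return 0;
    unlink(g_target);
    unlink(g_secret);
    int rc = rmdir(g_dir);
    g_dir[0] = '\0';
    return rc;
}

/* Attacker's move inside the window: swap the benign file for a symlink to the
 * secret. In the paper's setting this runs concurrently on the attacker's own
 * processor; here it is called synchronously, i.e. the perfectly timed case. */
static int attacker_swap(void) {
    unlink(g_target);
    return symlink(g_secret, g_target);
}

typedef int (*window_hook)(void);

/* Vulnerable: check a path name, then use the same path name. Nothing ties the
 * object access() examined to the object open() returns. */
static int read_first_byte_vulnerable(const char *path, window_hook window, char *out) {
    if (access(path, R_OK) != 0) return -1;      /* time of check */
    if (window && window() != 0) return -1;      /* race window */
    int fd = open(path, O_RDONLY);               /* time of use */
    if (fd < 0) return -1;
    ssize_t n = read(fd, out, 1);
    close(fd);
    return n == 1 ? 0 : -1;
}

/* Hardened: refuse to follow a symlink at open time, then verify on the open
 * descriptor (fstat) that the object used is the object that was checked. A
 * hard-link swap, invisible to O_NOFOLLOW, fails the dev/inode comparison. */
static int read_first_byte_hardened(const char *path, window_hook window, char *out) {
    struct stat before, after;
    if (lstat(path, &before) != 0 || !S_ISREG(before.st_mode)) return -1;
    if (window && window() != 0) return -1;      /* same race window */
    int fd = open(path, O_RDONLY | O_NOFOLLOW);  /* ELOOP if a symlink was swapped in */
    if (fd < 0) return -1;
    if (fstat(fd, &after) != 0 ||
        after.st_dev != before.st_dev || after.st_ino != before.st_ino) {
        close(fd);                               /* not the object we checked */
        return -1;
    }
    ssize_t n = read(fd, out, 1);
    close(fd);
    return n == 1 ? 0 : -1;
}

/* One scenario from a fresh sandbox: returns the byte read ('p' = public file,
 * 'S' = secret), '!' if the read was refused, '?' if the sandbox failed. */
static char run_scenario(int hardened, int attack) {
    char c = 0;
    if (setup_sandbox() != 0) return '?';
    window_hook window = attack ? attacker_swap : NULL;
    int rc = hardened ? read_first_byte_hardened(g_target, window, &c)
                      : read_first_byte_vulnerable(g_target, window, &c);
    return rc == 0 ? c : '!';
}

int main(void) {
    printf("vulnerable, no attack : %c\n", run_scenario(0, 0));  /* p */
    printf("vulnerable, attacked  : %c\n", run_scenario(0, 1));  /* S */
    printf("hardened,   no attack : %c\n", run_scenario(1, 0));  /* p */
    printf("hardened,   attacked  : %c\n", run_scenario(1, 1));  /* ! */
    return teardown_sandbox() == 0 ? 0 : 1;
}
```

The hardened variant only shows the object-binding half of the fix: it guarantees that what was checked is what is read. It does not reproduce the real-uid permission semantics of access() in a setuid program; for that case the accepted approach is to drop privileges to the real user and let open() perform the permission check itself, which leaves no separate check to race against.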
