Modeling and preventing TOCTTOU vulnerabilities in Unix-style file systems

TOCTTOU (Time-of-Check-To-Time-Of-Use) is a file-based race condition in Unix-style systems and characterized by a pair of file object access by a vulnerable program: a check operation establishes certain conditions about the file object (e.g., the file exists), followed by a use operation that assu...

Celý popis

Uloženo v:
Podrobná bibliografie
Vydáno v:Computers & security Ročník 29; číslo 8; s. 815 - 830
Hlavní autoři: Wei, Jinpeng, Pu, Calton
Médium: Journal Article
Jazyk:angličtina
Vydáno: Amsterdam Elsevier Ltd 01.11.2010
Elsevier Sequoia S.A
Témata:
Benchmarks
Computer information security
Computer programming
Computer simulation
Computer viruses
Cybersecurity
Defense
Defense mechanisms
Disks
Invariant
Kernel
Kernels
Linux
Mapping
Modeling
Race
Race condition
Scanning transmission electron microscopy
Studies
TOCTTOU
Transactions
UNIX
UNIX (operating system)
Vulnerabilities
Vulnerability
Windows (computer programs)
Invariant
Race condition
Vulnerabilities
Modeling
Kernel
Defense
TOCTTOU
ISSN:0167-4048, 1872-6208
On-line přístup:Získat plný text
Tagy: Přidat tag
Žádné tagy, Buďte první, kdo vytvoří štítek k tomuto záznamu!
Popis
Shrnutí:TOCTTOU (Time-of-Check-To-Time-Of-Use) is a file-based race condition in Unix-style systems and characterized by a pair of file object access by a vulnerable program: a check operation establishes certain conditions about the file object (e.g., the file exists), followed by a use operation that assumes that the established condition still holds. Due to the lack of support for transactions in Unix-style file systems, an attacker can modify the established file condition in-between the check and use steps, thus causing significant harm. In this paper, we present a model of the TOCTTOU problem (called STEM), which enumerates all the potential file system call pairs (called exploitable TOCTTOU pairs) that form the check/use steps. The model shows that a successful TOCTTOU attack requires a change in the mapping of pathname to logical disk blocks between the check and use steps. We apply STEM to POSIX and Linux to demonstrate its practical value for Unix-style file systems. Then we propose a defense mechanism (called EDGI) that prevents an attacker from tampering with the file condition between exploitable TOCTTOU pairs during a vulnerable program’s execution. EDGI works at the file system level and does not require existing applications to change. We have implemented EDGI on Linux kernel 2.4.28 and our evaluation shows that EDGI is effective and incurs little overhead to application benchmarks such as Andrew and Postmark.
Bibliografie:SourceType-Scholarly Journals-1
ObjectType-Feature-1
content type line 14
ObjectType-Article-2
content type line 23
ISSN:0167-4048
1872-6208
DOI:10.1016/j.cose.2010.09.004