Modeling and preventing TOCTTOU vulnerabilities in Unix-style file systems

TOCTTOU (Time-of-Check-To-Time-Of-Use) is a file-based race condition in Unix-style systems and characterized by a pair of file object access by a vulnerable program: a check operation establishes certain conditions about the file object (e.g., the file exists), followed by a use operation that assu...

Full description

Saved in:
Bibliographic Details
Published in:Computers & security Vol. 29; no. 8; pp. 815 - 830
Main Authors: Wei, Jinpeng, Pu, Calton
Format: Journal Article
Language:English
Published: Amsterdam Elsevier Ltd 01.11.2010
Elsevier Sequoia S.A
Subjects:
Benchmarks
Computer information security
Computer programming
Computer simulation
Computer viruses
Cybersecurity
Defense
Defense mechanisms
Disks
Invariant
Kernel
Kernels
Linux
Mapping
Modeling
Race
Race condition
Scanning transmission electron microscopy
Studies
TOCTTOU
Transactions
UNIX
UNIX (operating system)
Vulnerabilities
Vulnerability
Windows (computer programs)
Invariant
Race condition
Vulnerabilities
Modeling
Kernel
Defense
TOCTTOU
ISSN:0167-4048, 1872-6208
Online Access:Get full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:TOCTTOU (Time-of-Check-To-Time-Of-Use) is a file-based race condition in Unix-style systems and characterized by a pair of file object access by a vulnerable program: a check operation establishes certain conditions about the file object (e.g., the file exists), followed by a use operation that assumes that the established condition still holds. Due to the lack of support for transactions in Unix-style file systems, an attacker can modify the established file condition in-between the check and use steps, thus causing significant harm. In this paper, we present a model of the TOCTTOU problem (called STEM), which enumerates all the potential file system call pairs (called exploitable TOCTTOU pairs) that form the check/use steps. The model shows that a successful TOCTTOU attack requires a change in the mapping of pathname to logical disk blocks between the check and use steps. We apply STEM to POSIX and Linux to demonstrate its practical value for Unix-style file systems. Then we propose a defense mechanism (called EDGI) that prevents an attacker from tampering with the file condition between exploitable TOCTTOU pairs during a vulnerable program’s execution. EDGI works at the file system level and does not require existing applications to change. We have implemented EDGI on Linux kernel 2.4.28 and our evaluation shows that EDGI is effective and incurs little overhead to application benchmarks such as Andrew and Postmark.
Bibliography:SourceType-Scholarly Journals-1
ObjectType-Feature-1
content type line 14
ObjectType-Article-2
content type line 23
ISSN:0167-4048
1872-6208
DOI:10.1016/j.cose.2010.09.004