exploiting unix file system races via algorithmic
play

Exploiting Unix File-System Races via Algorithmic Complexity Attacks - PowerPoint PPT Presentation

Oct 14, 2022 •327 likes •643 views

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Exploiting Unix File-System Races via Algorithmic Complexity

  1. Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Exploiting Unix File-System Races via Algorithmic Complexity Attacks By Cai, Gui, Johnson Presented By: Philip Koshy Systems and Internet Infrastructure Security (SIIS) Laboratory Page 1

  2. Background • Unix (and its variants) offers a rich system call interface. Some examples include: access() Checks permissions on a file open() Opens a file link() Creates a link to an existing file unlink() Deletes a link to a file (can also delete the file) Systems and Internet Infrastructure Security (SIIS) Laboratory Page 2

  3. Background setuid() When a program is executed, run the program with the privilege of the owner (which is typically the root user). This function is the root of all evil. (Pun intended.) Systems and Internet Infrastructure Security (SIIS) Laboratory Page 3

  4. setuid() • The ‘passwd’ utility is owned by root but can be run by unprivileged users. (i.e., mode bits are 755) • This utility needs to modify sensitive system files (e.g, /etc/shadow) which are owned by root. • When passwd runs, it runs as root, instead of the unprivileged user. � Otherwise, no user could change their password! Systems and Internet Infrastructure Security (SIIS) Laboratory Page 4

  5. But… • It seems as if an unprivileged user can read/modify privileged files? � Only in ways authorized by the setuid-root program in question � In our example, passwd is part of our TCB • Utility programmers can use access() to check the permission of the real uid (i.e., unprivileged user), as opposed to the effective user id (i.e., root) • If we call access() before open(), we should be safe…right? Systems and Internet Infrastructure Security (SIIS) Laboratory Page 5

  6. Simple setuid-root program void main(int argc, char **argv) { int fd; if (access(argv[1], R_OK) != 0) exit(1); fd = open(argv[1], O_RDONLY); } Systems and Internet Infrastructure Security (SIIS) Laboratory Page 6

  7. So far so good… T access(“file”, R_OK) i m e open(“file”, O_RDONLY) Systems and Internet Infrastructure Security (SIIS) Laboratory Page 7

  8. The problem Victim Attacker T access(“file”, R_OK) Context Switch i unlink(“file”) link(“/etc/shadow”, “file”) m Context Switch e open(“file”, O_RDONLY) This file contains passwords (albeit encrypted…) Systems and Internet Infrastructure Security (SIIS) Laboratory Page 8

  9. Code Snippet Attacker Code Victim Code (Calls the Victim Code) Systems and Internet Infrastructure Security (SIIS) Laboratory Page 9

  10. The result • The attacker can force a poorly written setuid- root program into opening a file for which the user does not have access. • This is due to the imprecision inherent in treating Unix file-system paths as simple strings. Systems and Internet Infrastructure Security (SIIS) Laboratory Page 10

  11. Key Problem Programmers T access(“file”, R_OK) incorrectly assume these i calls are ‘Atomic.’ m This leads to the TOCTTOU attack. e (Time Of Check To Time Of Use) open(“file”, O_RDONLY) Systems and Internet Infrastructure Security (SIIS) Laboratory Page 11

  12. A race to the finish! Victim Attacker T i m e If the attacker can interleave code correctly, they win! Systems and Internet Infrastructure Security (SIIS) Laboratory Page 12

  13. Existing Defenses • This paper invalidates two previously proposed defenses to file-system TOCTTOU attacks. � Atomic k-Race � TY-Race • We look mostly at the Atomic k-Race defense • The TY-Race is trivially broken if any victim system call is delayed by more than 2 seconds. � We’ll see how this is possible later. Systems and Internet Infrastructure Security (SIIS) Laboratory Page 13

  14. More Background • We’ve seen that the (A)ccess/(O)pen design pattern can be broken. � This is possible because the attacker can interleave commands. � The original call sequence of AO became AsO Where s = switch to a secret file • We need a way to make sure that the file we’ve checked for access is the file we’ve actually opened. • What if we can determine something akin to the identity of a file before and after usage? (Maybe the inode number?) Systems and Internet Infrastructure Security (SIIS) Laboratory Page 14

  15. System Calls • One measure of a file’s identity is the file’s status, which takes the form of a ‘stat’ structure • The status information includes: � ID of the device containing the file � inode number Most reliable metric of � Mode bits of the file file ‘identity’ � number of hard links � user and group id � Many more fields… Systems and Internet Infrastructure Security (SIIS) Laboratory Page 15

  16. System Calls • The status information can be retrieved using two system calls: lstat( char* path, struct stat* status ) Retrieves the status of a file. If the file is a symlink, it retrieves its status (as opposed to the underlying file.) fstat( int fd, struct stat* status ) Retrieves the status of an already open file. Systems and Internet Infrastructure Security (SIIS) Laboratory Page 16

  17. A revised approach • What if we called the following in sequence? � Lstat( char* path) // Get unique identity of path � Access( char* path ) � Open( char* path) � Fstat( int fd ) // Get unique identity of opened file If the result of lstat() != fstat(), we likely have a problem. Systems and Internet Infrastructure Security (SIIS) Laboratory Page 17

  18. A revised approach • Unfortunately, the LAOF sequence is still susceptible to file-system races! • LAOF may becomes sLaAsOF Where s = switch to a secret file a = switch to an accessible file • The attacker would need to use lstat() with the same secret file he wants to open(). • The access check is invalidated if the attacker can reroute the check to a file he has access to. Systems and Internet Infrastructure Security (SIIS) Laboratory Page 18

  19. Atomic k-Trace motivation • We can increase the LAOF sequence’s tolerance to failure. • If we repeatedly apply the LAOF sequence, we can achieve a probabilistic defense. • If we repeat LAOF k-times, how likely is it that an attacker can interleave code *every* time? � It was assumed to be difficult � Spoiler: It’s not. Systems and Internet Infrastructure Security (SIIS) Laboratory Page 19

  20. Atomic k-Race Systems and Internet Infrastructure Security (SIIS) Laboratory Page 20

  21. Atomic k-Race This algorithm is essentially LAOF, repeated ‘krounds’ times. The security of Atomic k-Race is � ���� where p is the attacker’s ability to win a *single* race. Systems and Internet Infrastructure Security (SIIS) Laboratory Page 21

  22. The attack vector • The authors show they can deterministically do an arbitrary amount of work between the victim’s system calls. • They can control the OS scheduler. • The paper shows that the successful interleaving in LAOF for *multiple* iterations can be achieved with very high success rates. Systems and Internet Infrastructure Security (SIIS) Laboratory Page 22

  23. The attack vector • Pseudo-code: Systems and Internet Infrastructure Security (SIIS) Laboratory Page 23

  24. sLaAsOsF Prepare Secret Lstat() Prepare Accessible Access() Prepare Secret Open() Prepare Secret Fstat() Systems and Internet Infrastructure Security (SIIS) Laboratory Page 24

  25. Attack Requirements The attacker’s sleep timer must expire in the middle of the victim’s system call. The OS scheduler runs between the victim’s system calls. The scheduler sees the attacker’s expired timer and must run the attacker code immediately after. Systems and Internet Infrastructure Security (SIIS) Laboratory Page 25

  26. First Requirement • The attacker’s sleep timer must expire in the middle of the victim’s system call. � Problem: A sleep command has a much higher granularity (measured in milliseconds/seconds) than a system call (measured in microseconds). � Solution: Slow down system calls until their granularity surpasses that of sleep(). Systems and Internet Infrastructure Security (SIIS) Laboratory Page 26

  27. First Requirement • How do we slow down a system call? • The kernel keeps an LRU cache of all paths provided to any system call that requires a path using a hash table. • Since the attacker knows the particular path it wants to access, it also knows the hash digest of the target file. • The attacker can create a list of thousands of filenames that cause hash collisions with the target file. (This is the “preparation step”) • This causes the hash table lookups to operate at the worst case of O(n). Systems and Internet Infrastructure Security (SIIS) Laboratory Page 27

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Classical Unix File System Traditional UNIX file system keeps I-node information separately

Classical Unix File System Traditional UNIX file system keeps I-node information separately

Operating Systems, fall 2002 Local File Systems in UNIX Lior Amar, David Breitgand (recitation) www.cs.huji.ac.il/~os Classical Unix File System Traditional UNIX file system keeps I-node information separately from the data blocks;

455 views • 6 slides
Unix File System API Operating System Hebrew University Spring 2009 1 File System API manuals

Unix File System API Operating System Hebrew University Spring 2009 1 File System API manuals

Unix File System API Operating System Hebrew University Spring 2009 1 File System API manuals The information on file system API can be found on section 2 (Unix and C system calls ) of the Unix/Linux man pages ~> man S 2 open

559 views • 41 slides
UNIX File System UNIX File System The UNIX file system has a hierarchical tree structure with

UNIX File System UNIX File System The UNIX file system has a hierarchical tree structure with

UNIX File System UNIX File System The UNIX file system has a hierarchical tree structure with Every directory always has two standard entries. the top in root . The name . in each directory refers to the directory itself. The name

339 views • 8 slides
Administrative: Rock.c The Operating System & System Calls UNIX history - more on

Administrative: Rock.c The Operating System & System Calls UNIX history - more on

Outline Previously (and Chap 1 & 2 from text) Covered Brief UNIX history/interface UNIX overview - process, shell, file Brief intro to basic file I/O - open(), close(), read(), write(), lseek(), fprintf (library call) Unix System

262 views • 4 slides
Basic Unix Commands - File System The File UNIX treats everything as a le... Directories and

Basic Unix Commands - File System The File UNIX treats everything as a le... Directories and

Basic Unix Commands - File System The File UNIX treats everything as a le... Directories and devices like the hard disk, DVD-ROM, and printer are les to UNIX. Three types of les 1. Ordinary le Also known as a regular le,

346 views • 7 slides
File System Implementation Summer 2016 Cornell University Today File allocation Unix

File System Implementation Summer 2016 Cornell University Today File allocation Unix

CS 4410 Operating Systems File System Implementation Summer 2016 Cornell University Today File allocation Unix file system Log-structured file system 2 File system: two design problems User interface: File, directory,

362 views • 21 slides
Overview Last Week: Efficiency read/write The File Unix System Programming File

Overview Last Week: Efficiency read/write The File Unix System Programming File

Overview Last Week: Efficiency read/write The File Unix System Programming File pointer File control/access Directories and File System This Week: How to program with directories Brief introduction to the UNIX file system

247 views • 8 slides
Files This Week: Read Chapter 3 Administrative: Rock.c The Operating System &

Files This Week: Read Chapter 3 Administrative: Rock.c The Operating System &

Outline Previously (and Chap 1 & 2 from text) Covered Brief UNIX history/interface UNIX overview - process, shell, file Brief intro to basic file I/O - open(), close(), read(), write(), lseek(), fprintf (library call) Unix System

534 views • 14 slides
K.I.S.S. 1969 Thomson writes interpreter B based on BCPL -- Ritchie improves on B and called it

K.I.S.S. 1969 Thomson writes interpreter B based on BCPL -- Ritchie improves on B and called it

Outline UNIX History UNIX Today? Unix System Programming UNIX Processes and the Login Process Shells: Command Processing, Running Programs The File Introduction The Process System Calls and Library Routines 1 2 Maria

345 views • 10 slides
Network Programming UNIX Internet Socket API Everything in Unix is a File When Unix programs

Network Programming UNIX Internet Socket API Everything in Unix is a File When Unix programs

Network Programming UNIX Internet Socket API Everything in Unix is a File When Unix programs do any sort of I/O, they do it by reading or writing to a file descriptor. A file descriptor is simply an integer associated with an open file.

612 views • 47 slides
Exploiting Kernel Races Through Taming Thread Interleaving Yoochan Lee, Byoungyoung Lee, Chanwoo

Exploiting Kernel Races Through Taming Thread Interleaving Yoochan Lee, Byoungyoung Lee, Chanwoo

Exploiting Kernel Races Through Taming Thread Interleaving Yoochan Lee, Byoungyoung Lee, Chanwoo Min Seoul National University, Virginia Tech #BHUSA @BLACKHATEVENTS Summary New technique turning Background on races

530 views • 37 slides
Operating Systems, fall 2002 Local File Systems in UNIX Lior Amar, David Breitgand (recitation)

Operating Systems, fall 2002 Local File Systems in UNIX Lior Amar, David Breitgand (recitation)

Operating Systems, fall 2002 Local File Systems in UNIX Lior Amar, David Breitgand (recitation) www.cs.huji.ac.il/~os Classical Unix File System Traditional UNIX file system keeps I-node information separately from the data blocks;

358 views • 18 slides
02 Navigating the Unix File System CS 2043: Unix Tools and Scripting, Spring 2019 [1] Matthew

02 Navigating the Unix File System CS 2043: Unix Tools and Scripting, Spring 2019 [1] Matthew

02 Navigating the Unix File System CS 2043: Unix Tools and Scripting, Spring 2019 [1] Matthew Milano January 25, 2019 Cornell University 1 Table of Contents 2. So youve logged in. Or are sitting next to someone who has. 3. Our first

433 views • 29 slides
What is a File? A file is a collection of data elements, grouped together for purpose of

What is a File? A file is a collection of data elements, grouped together for purpose of

CPSC-313: Introduction to Computer Systems UNIX I/O UNIX I/O Files and File Representation Basic operations: Reading / Writing Caching: File Open / Close Multiplexing: Select / Poll File Descriptors Reading: R&R,

391 views • 10 slides
CLASSIC FILE SYSTEMS: FFS AND LFS Hakim Weatherspoon CS6410 A Fast File System for UNIX

CLASSIC FILE SYSTEMS: FFS AND LFS Hakim Weatherspoon CS6410 A Fast File System for UNIX

1 CLASSIC FILE SYSTEMS: FFS AND LFS Hakim Weatherspoon CS6410 A Fast File System for UNIX Marshall K. McKusick, William N. Joy, Samuel J Leffler, and Robert S Fabry Bob Fabry Professor at Berkeley. Started CSRG (Computer Science

350 views • 34 slides
Week 10: File Management What is a file? Elements of file management File

Week 10: File Management What is a file? Elements of file management File

CPSC 410 / 611 : Operating Systems Week 10: File Management What is a file? Elements of file management File organization Directories File allocation UNIX file system Reading: Silberschatz, Chapter 10, 11

498 views • 13 slides
Front Line Consistency Robin Brogdon, MA President, BluePrints April 30, 2014 Asheville, NC

Front Line Consistency Robin Brogdon, MA President, BluePrints April 30, 2014 Asheville, NC

4/23/2014 Front Line Consistency Robin Brogdon, MA President, BluePrints April 30, 2014 Asheville, NC INTRODUCTION Hiring select the strongest Empowerment everyone will want to follow Build loyalty empowered team members are

481 views • 19 slides
2/10/19 Early Childhood Investigations Webinar February 11, 2019 Strengths-Based Communication

2/10/19 Early Childhood Investigations Webinar February 11, 2019 Strengths-Based Communication

2/10/19 Early Childhood Investigations Webinar February 11, 2019 Strengths-Based Communication The Key to Building Positive Relationships My Book . 1 2/10/19 Time for Change is NOW! The possibility for substantial progress in our

424 views • 18 slides
Whats Next? The Masters Coming 1 Thessalonians 4:13-18 The Message 13-14 And regarding the

Whats Next? The Masters Coming 1 Thessalonians 4:13-18 The Message 13-14 And regarding the

Whats Next? The Masters Coming 1 Thessalonians 4:13-18 The Message 13-14 And regarding the question, friends, that has come up about what happens to those already dead and buried, we dont want you in the dark any longer. First off, you

400 views • 16 slides
Deadlocks - I Tevfik Ko ar University at Buffalo October 3rd, 2013 1 Roadmap

Deadlocks - I Tevfik Ko ar University at Buffalo October 3rd, 2013 1 Roadmap

CSE 421/521 - Operating Systems Fall 2013 Lecture - X Deadlocks - I Tevfik Ko ar University at Buffalo October 3rd, 2013 1 Roadmap Synchronization structures Problems with Semaphores Monitors Condition Variables

469 views • 32 slides
Physics 116 ELECTROMAGNETISM AND OSCILLATORY MOTION Lecture 3 Energy in SHM Oct 3, 2011 R. J.

Physics 116 ELECTROMAGNETISM AND OSCILLATORY MOTION Lecture 3 Energy in SHM Oct 3, 2011 R. J.

Physics 116 ELECTROMAGNETISM AND OSCILLATORY MOTION Lecture 3 Energy in SHM Oct 3, 2011 R. J. Wilkes Email: ph116@u.washington.edu Announcements - PHYS 116 Course home page: visit frequently for updated course info!

212 views • 19 slides
1 1 One of the many joys of living in Melbourne is a ride along the bike path next to the

1 1 One of the many joys of living in Melbourne is a ride along the bike path next to the

1 ENDING THE GREAT AUSTRALIAN COMPLACENCY OF THE EARLY TWENTY FIRST CENTURY Ross Garnaut Vice-Chancellors Fellow and Professorial Fellow in Economics, The University of Melbourne Victoria University 2013 Vice-Chancellors Lecture

530 views • 26 slides
Yep, I said it before and Ill say it again. Life moves pretty fast. You dont stop and

Yep, I said it before and Ill say it again. Life moves pretty fast. You dont stop and

Yep, I said it before and Ill say it again. Life moves pretty fast. You dont stop and look around once in a while, you could miss it Ferris Buellers Day Off (1986) A different kind of newsroom. Slow news. Open journalism.

749 views • 19 slides
1 How many radians are subtended by a 0.10 m arc of a circle of radius 0.40 m? Slide 2 / 133 2

1 How many radians are subtended by a 0.10 m arc of a circle of radius 0.40 m? Slide 2 / 133 2

Slide 1 / 133 1 How many radians are subtended by a 0.10 m arc of a circle of radius 0.40 m? Slide 2 / 133 2 How many degrees are subtended by a 0.10 m arc of a circle of radius of 0.40 m? Slide 3 / 133 3 A ball rotates 2 rad in 4.0 s.

1.5k views • 133 slides

More recommend