
Protecting Applications Against TOCTTOU Races by User-Space Caching - PowerPoint PPT Presentation



  1. DynaRace: Protecting Applications Against TOCTTOU Races by User-Space Caching of File Metadata
     Mathias Payer & Thomas R. Gross
     Department of Computer Science, ETH Zürich, Switzerland

  2. TOCTTOU races
     Time Of Check To Time of Use (TOCTTOU) races for file accesses endanger the integrity of applications
     ● The mapping between filename and inode is volatile
     ● Attacker uses the delay between "test" and "use" system calls

     SUID program                 Attacker
     access("file");
                                  unlink("file");              <- race opportunity
     ...                          link("sensitive", "file");
     fd = open("file");
     read(fd, ...);

     2012-03-04 Mathias Payer, ETH Zürich 2
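The race on this slide, as an added example that is not part of the deck: the check-then-use pattern beside a hardened form that checks the file descriptor it actually holds instead of the name. The ownership rule (regular file owned by the real user), the `open_checked_by_*` names and the `/tmp` fixture path are assumptions made for this example.

```c
/* Added example, not the deck's code: the access()/open() race beside a
 * form that checks the object it actually holds. Linux/POSIX C. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern from the slide: "test" and "use" both go by name,
 * and the name-to-inode mapping can change in between (unlink + link). */
int open_checked_by_name(const char *path) {
    if (access(path, R_OK) != 0)          /* test: evaluated with the real uid */
        return -1;
    return open(path, O_RDONLY);          /* use: opened with the effective uid */
}

/* Hardened form: open first, then check the descriptor. The descriptor
 * pins one inode, so later changes to the name cannot affect the check.
 * O_NOFOLLOW refuses a symlink as the last atom; the ownership rule
 * (regular file owned by the real user) is an assumed policy here. */
int open_checked_by_fd(const char *path) {
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != getuid()) {
        close(fd);                        /* fail closed: wrong type or owner */
        return -1;
    }
    return fd;
}

/* Constructed fixture (assumes a writable /tmp): an empty regular file owned by us. */
int make_fixture(char *path, size_t len) {
    if (len < sizeof "/tmp/tocttou-demo-XXXXXX")
        return -1;
    snprintf(path, len, "%s", "/tmp/tocttou-demo-XXXXXX");
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    close(fd);
    return 0;
}

/* Runs the scenario. Returns 0 when the hardened open accepts the regular
 * file and refuses a symlink to it while the name-based open follows the
 * link; a non-zero value names the step that did not behave as expected. */
int demo(void) {
    char path[64], link[80];
    int fd, rc = 0;
    if (make_fixture(path, sizeof path) != 0)
        return 1;
    snprintf(link, sizeof link, "%s-link", path);
    if (symlink(path, link) != 0) { unlink(path); return 2; }

    fd = open_checked_by_fd(path);        /* regular file: accepted */
    if (fd < 0) rc = 3; else close(fd);

    fd = open_checked_by_fd(link);        /* symlink: refused by O_NOFOLLOW */
    if (fd >= 0) { close(fd); if (rc == 0) rc = 4; }

    fd = open_checked_by_name(link);      /* name-based: silently follows the link */
    if (fd < 0) { if (rc == 0) rc = 5; } else close(fd);

    unlink(link);
    unlink(path);
    return rc;
}

int main(void) {
    int rc = demo();
    printf("scenario result: %d (%s)\n", rc, rc == 0 ? "as expected" : "unexpected");
    return rc;
}
```

The point of the hardened form is that every decision is made on `fd`, never on `path`; DynaRace applies the same idea from the outside, by remembering what a name resolved to and refusing a later use that resolves differently.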

  3. Motivation: Protect applications
     Protect unmodified applications from TOCTTOU races
     ● Cache metadata for accessed files
     ● Check and verify metadata on all file accesses
     ● User-space implementation
     Metadata cache links filenames and inodes
     ● Stop potential file-based race attacks
     Close the door to one popular attack vector

  4. Outline
     Motivation
     DynaRace key idea
     ● File states capture permissions
     ● File resolution ensures safety
     Implementation
     Evaluation
     Related work
     Conclusion

  5. DynaRace key idea
     Keep state and metadata for all files
     [Figure: layered view, Application (plus libraries) issuing System Calls to the Kernel]

  6. DynaRace key idea
     Keep state and metadata for all files
     ● Update metadata for new files
     ● Enforce metadata equality for known files
     [Figure: Application (plus libraries); file-based system calls pass through the DynaRace metadata cache, other system calls go directly to the Kernel]

  7. DynaRace file states
     DynaRace keeps state for each accessed file
     [Figure: state diagram with the states new, update, enforce, retire]

  8. DynaRace file states
     State transitions according to system call groups
     ● Test: check a property, e.g., access or stat
     ● Use: work with files, e.g., open or chmod
     ● Close: retire files, e.g., close or unlink
     [Figure: state diagram over new, update, enforce, retire with transitions labelled test, use, use & test, close]

  9. DynaRace file states: Example
     SUID program:
       access("file");
       ...
       fd = open("file");
       read(fd, ...);
       close(fd);
     Metadata file cache: file in /tmp [update]
     [Figure: state diagram, current state update]

  10. DynaRace file states: Example
      SUID program (same listing as slide 9), now at fd = open("file");
      Metadata file cache: file in /tmp [enforce]
      [Figure: state diagram, current state enforce]

  11. DynaRace file states: Example
      SUID program (same listing as slide 9), now at close(fd);
      Metadata file cache: file in /tmp [retire]
      [Figure: state diagram, current state retire]

  12. DynaRace file states: Example 2
      SUID program:
        access("file");
        ...
        fd = open("file");
        read(fd, ...);
        close(fd);
      Metadata file cache snapshots: empty; file in /tmp [update]
      [Figure: state diagram, current state update]

  13. DynaRace file states: Example 2
      SUID program (same listing as slide 12); a race occurs between access("file") and open("file")
      Metadata file cache snapshots: empty; file in /tmp [update]
      [Figure: state diagram, current state update]

  14. DynaRace file states: Example 2
      SUID program (same listing as slide 12), now at fd = open("file");
      Metadata file cache snapshots: empty; file in /tmp [enforce]; file in /tmp [update]
      [Figure: state diagram, current state enforce]

  15. DynaRace file resolution
      Resolve files in a race-free manner*
      ● Resolve the path atom by atom
      ● Check if the atom is in the cache
        – Enforce metadata according to state
      ● Update the atom's metadata
      ● Use recursion to follow links
      Example, resolving /tmp/.X0-lock:
        /
        tmp/ in /
        .X0-lock in /tmp/
      * Files are resolved similar to the check_use mechanism by Tsafrir et al. [FAST'08, IBM TR RC24572]
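An added example, not the DynaRace prototype (which lives inside libdetox): a toy of the metadata cache and state machine from slides 7 to 14, driven through the atom-by-atom resolution of this slide. The transition rules (a test on an unknown file records its metadata and moves it to update, a use moves it to enforce and compares metadata from then on, a close retires it) are my reading of the deck's state diagram; symlink recursion is left out, a close retires only the final atom, and the file system is a constructed table instead of fstat()/lstat() results, so the code runs offline. The `fs_set`, `dr_*` and `atom_step` names are assumptions made for this example.

```c
/* Added example, not the DynaRace implementation: a toy version of the
 * per-atom metadata cache and its state machine (new, update, enforce,
 * retire) driven by the three system-call groups. The file system is a
 * constructed table so the code runs offline; a real implementation
 * would take dev/inode from fstat()/lstat() on each resolved atom. */
#include <stdio.h>
#include <string.h>

enum state { ST_NEW = 0, ST_UPDATE, ST_ENFORCE, ST_RETIRE };
enum op    { OP_TEST, OP_USE, OP_CLOSE };
struct meta  { unsigned long dev, ino; };
struct entry { char path[64]; struct meta m; enum state st; };

/* Constructed stand-in for the kernel's name-to-inode mapping, and the cache. */
#define MAX_N 16
static struct entry g_fs[MAX_N];     static int g_fs_n;
static struct entry g_cache[MAX_N];  static int g_cache_n;

static int find(struct entry *t, int n, const char *path) {
    for (int i = 0; i < n; i++)
        if (strcmp(t[i].path, path) == 0) return i;
    return -1;
}
static int add(struct entry *t, int *n, const char *path) {
    if (*n >= MAX_N) return -1;
    snprintf(t[*n].path, sizeof t[*n].path, "%s", path);
    return (*n)++;
}

/* Set the (dev, inode) an atom currently resolves to. Changing it for an
 * existing name is how the deck's "unlink + link" race step is simulated. */
int fs_set(const char *path, unsigned long dev, unsigned long ino) {
    int i = find(g_fs, g_fs_n, path);
    if (i < 0 && (i = add(g_fs, &g_fs_n, path)) < 0) return -1;
    g_fs[i].m.dev = dev; g_fs[i].m.ino = ino;
    return 0;
}

/* Apply one system-call group to one atom; -1 is DynaRace's race exception. */
static int atom_step(const char *path, enum op op) {
    int i = find(g_cache, g_cache_n, path);
    if (i < 0 && (i = add(g_cache, &g_cache_n, path)) < 0) return -1;
    struct entry *e = &g_cache[i];
    if (op == OP_CLOSE) { e->st = ST_RETIRE; return 0; }
    int f = find(g_fs, g_fs_n, path);          /* f < 0: the atom does not exist */
    int same = f >= 0 && g_fs[f].m.dev == e->m.dev && g_fs[f].m.ino == e->m.ino;
    switch (e->st) {
    case ST_NEW: case ST_RETIRE:               /* unknown file: record, nothing to enforce */
        if (f < 0) return 0;
        e->m = g_fs[f].m;
        e->st = (op == OP_TEST) ? ST_UPDATE : ST_ENFORCE;
        return 0;
    case ST_UPDATE:                            /* tests refresh; the first use compares */
        if (op == OP_TEST) { if (f >= 0) e->m = g_fs[f].m; return 0; }
        if (!same) return -1;                  /* the classic test/use window */
        e->st = ST_ENFORCE;
        return 0;
    case ST_ENFORCE:                           /* known file: metadata must match */
        return same ? 0 : -1;
    }
    return -1;
}

/* Resolve an absolute path atom by atom ("/", "/tmp", "/tmp/.X0-lock"),
 * stepping each atom. Simplifications: no symlink recursion, and a close
 * retires only the final atom (directories on the way count as used). */
int dr_resolve(const char *path, enum op op) {
    char prefix[64] = "/";
    size_t n = 1;
    if (path[0] != '/') return -1;             /* toy: absolute paths only */
    if (atom_step(prefix, op == OP_CLOSE ? OP_USE : op) < 0) return -1;
    for (const char *p = path + 1; *p; ) {
        if (*p == '/') { p++; continue; }      /* skip repeated slashes */
        const char *slash = strchr(p, '/');
        size_t len = slash ? (size_t)(slash - p) : strlen(p);
        if (n + 1 + len >= sizeof prefix) return -1;
        if (n > 1) prefix[n++] = '/';
        memcpy(prefix + n, p, len); n += len; prefix[n] = '\0';
        p += len;
        const char *q = p; while (*q == '/') q++;
        enum op aop = (op == OP_CLOSE && *q != '\0') ? OP_USE : op;
        if (atom_step(prefix, aop) < 0) return -1;
    }
    return 0;
}

/* The three redirected call groups, plus a probe for an atom's cached state. */
int dr_test(const char *path)  { return dr_resolve(path, OP_TEST); }
int dr_use(const char *path)   { return dr_resolve(path, OP_USE); }
int dr_close(const char *path) { return dr_resolve(path, OP_CLOSE); }
int dr_state(const char *path) { int i = find(g_cache, g_cache_n, path); return i < 0 ? -1 : (int)g_cache[i].st; }

int main(void) {
    fs_set("/", 8, 2); fs_set("/tmp", 8, 100); fs_set("/tmp/file", 8, 4242);
    dr_test("/tmp/file");                      /* access(): file in /tmp [update] */
    fs_set("/tmp/file", 8, 7);                 /* race: the name now maps to another inode */
    int rc = dr_use("/tmp/file");              /* open(): metadata mismatch */
    printf("open after the race: %s\n", rc < 0 ? "race exception" : "ok");
    return 0;
}
```

Because every prefix of the path is its own cache entry, a swapped directory on the way (tmp in /) is caught by the same comparison as a swapped final file, which is why the slide resolves atom by atom rather than checking the full path once.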

  16. Outline
      Motivation
      The DynaRace approach
      Implementation
      Evaluation
      Related work
      Conclusion

  17. DynaRace prototype implementation
      Prototype implementation uses user-space virtualization
      ● Additional virtualization layer between application and OS
      Libdetox* rewrites executed application code
      ● File-based system calls replaced with DynaRace functions
      ● Metadata and state cache in VM layer
      ● Linux x86 implementation
      * Libdetox implements software-based fault isolation using dynamic BT by Payer et al. [VEE'11]

  18. DynaRace prototype implementation
      Libdetox
      ● Total loc: 15'130
        – Translation tables loc: 4'907
      ● Comments: 5'015
      DynaRace (for subset of system calls)
      ● Total loc: 441
      ● Comments: 372
      ● Changes to libdetox per redirected system call: 2 loc

  19. Outline
      Motivation
      The DynaRace approach
      Implementation
      Evaluation
      ● Apache performance
      ● X.org bug study
      Related work
      Conclusion

  20. Apache performance
      Apache 2.2 on Ubuntu 10.04 LTS using the ab benchmark
      ● Core i7 950 CPU @ 3.07GHz, in 32bit x86 mode
      ● ab executes with two concurrent connections
      ● Each file is downloaded 100,000 times
        – index.html: 5kB HTML
        – image.png: 1MB raw data
        – test.php: short PHP script (90B output)
        – test2.php: long PHP script (49kB output)

  21. Apache performance
      3 different configurations:
      ● Native: native, unmodified execution of Apache
      ● Libdetox: Apache running in the Libdetox sandbox
      ● DynaRace: Libdetox + DynaRace protection

  22. Apache performance
      [Figure: bar chart of relative performance (0% to 140%) for native, libdetox and DynaRace over the benchmarks index.html, image.png, test.php and test2.php]
      Overhead of DynaRace comparable to libdetox
      Speedup due to better code layout
      Overall performance penalty is tolerable

  23. X.org security exploit
      X.org protected with DynaRace; lock-file code from os/utils.c* (P1 marks the process position):
        ...
        lfd = open(tmp, O_CREAT|O_EXCL|O_WRONLY, 0644);   <- P1
        ...
        if(lfd < 0) {
          unlink(tmp);
        }
        ...
        write(lfd, pid_str, 11);
        /* unchecked relaxation */
        chmod(tmp, 0444);
        ...
      tmp lock file: /tmp/.X0-lock
      P1 metadata file cache: .X0-lock in /tmp [enforce]
      * in os/utils.c [CVE-2011-4029]

  24. X.org security exploit
      X.org protected with DynaRace (same listing as slide 23)
      P2 at open(tmp, O_CREAT|O_EXCL|O_WRONLY, 0644); P1 sleeping (zzz) before write(lfd, pid_str, 11);
      tmp lock file: /tmp/.X0-lock
      P1 metadata file cache: .X0-lock in /tmp [enforce]
      P2 metadata file cache: .X0-lock in /tmp [enforce]
      * in os/utils.c [CVE-2011-4029]

  25. X.org security exploit
      X.org protected with DynaRace (same listing as slide 23)
      P2 fails the open (lfd < 0) and runs unlink(tmp); P1 still sleeping (zzz) before write(lfd, pid_str, 11);
      tmp lock file: /tmp/.X0-lock, file removed by P2
      P1 metadata file cache: .X0-lock in /tmp [enforce]
      P2 metadata file cache: .X0-lock in /tmp [retire]
      * in os/utils.c [CVE-2011-4029]

  26. X.org security exploit
      X.org protected with DynaRace (same listing as slide 23)
      P1 still sleeping (zzz) before write(lfd, pid_str, 11);
      Attacker links /tmp/.X0-lock to a sensitive file (e.g., /etc/shadow)
      P1 metadata file cache: .X0-lock in /tmp [enforce]
      * in os/utils.c [CVE-2011-4029]

  27. X.org security exploit
      X.org protected with DynaRace (same listing as slide 23)
      P1 wakes up and reaches chmod(tmp, 0444);
      tmp lock file: /tmp/.X0-lock links to /etc/shadow
      P1 metadata file cache: .X0-lock in /tmp [enforce]
      Metadata mismatch for .X0-lock: P1 is terminated with a race exception
      Attacker is not successful
      * in os/utils.c [CVE-2011-4029]

  28. Outline
      Motivation
      The DynaRace approach
      Implementation
      Evaluation
      Related work
      Conclusion
