cse 543 safe file access
play

CSE 543: Safe File Access Trent Jaeger Systems and Internet - PowerPoint PPT Presentation

Aug 09, 2023 •491 likes •765 views

CSE 543: Safe File Access Trent Jaeger Systems and Internet Infrastructure Security (SIIS) Lab Computer Science and Engineering Department Pennsylvania State University Systems and Internet Infrastructure Security Laboratory (SIIS) Page 1

  1. CSE 543: � Safe File Access Trent Jaeger Systems and Internet Infrastructure Security (SIIS) Lab Computer Science and Engineering Department Pennsylvania State University Systems and Internet Infrastructure Security Laboratory (SIIS) Page 1

  2. Problem • Problem: Processes need resources from system ‣ Just a simple open(filepath, …) right? ‣ But, adversaries can redirect victims to resources of their choosing ‣ And if your program has some valuable privileges, an adversary may want to trick you into using them to implement a malicious operation Systems and Internet Infrastructure Security Laboratory (SIIS) Page 2

  3. A Webserver’s Story … • Consider a university department webserver … GET /~student1/index.html HTTP/1.1 /etc/ Apache passwd Webserver Link faculty1/ student1/ student2/ public_html public_html public_html Systems and Internet Infrastructure Security Laboratory (SIIS) Page

  4. Attack Video Systems and Internet Infrastructure Security Laboratory (SIIS) Page

  5. What Just Happened? Serve Authenticate Webpage Not Webserver OK OK Serve Passwd Web Pages File Webpage Not OK OK Web Pages Password Authenticate Passwd Web Pages File File Program acts as a confused deputy • when expecting ‣ when expecting ‣ Systems and Internet Infrastructure Security Laboratory (SIIS) Systems and Internet Infrastructure Security Laboratory (SIIS) Page Page

  6. Lesson • Opening a file is fraught with danger ‣ We must be careful when using an input that may be adversary controlled when opening a file • Or other resources too ‣ USENIX Security 2018 paper on being redirected on UNIX Domain Sockets ‣ What inputs are used in opening a file that an adversary may control? Systems and Internet Infrastructure Security Laboratory (SIIS) Page 6

  7. Lesson • Opening a file is fraught with danger ‣ We must be careful when using an input that may be adversary controlled when opening a file • Or other resources too ‣ USENIX Security 2018 paper on being redirected on UNIX Domain Sockets ‣ What inputs are used in opening a file that an adversary may control? • Inputs used to build file path names • Filesystem used to resolve file path names Systems and Internet Infrastructure Security Laboratory (SIIS) Page 7

  8. Vulnerability Classes Talk Outline Directory Traversal • Our focus is on a group of vulnerabilities that • Adversary controls the name to direct victim to an • Problem: Processes need resources from system happen when programs access resources adversary inaccessible (high integrity) resource ‣ Adversaries can redirect victims to resources chosen by adversary • Programs require a variety of resources to function ‣ Adversaries may control names, namespaces, and resources • Goal: Protect program during resource retrieval ‣ Regular files: store input and output ‣ Enforce rules to prevent retrieval of obviously exploitable resources ‣ Interprocess communication channels V: Apache ‣ Deduce adversary control automatically to guide enforcement ‣ Signals: notifications from OS 1.html A Webserver GET • Status: • How hard can fetching resources securely be? 1.html ‣ Enforce: Process Firewall kernel mechanism [EuroSys 2013] ‣ Just a simple open(filename) , right? passwd ‣ Deduce: Enforce relative to program control of “name flows” [submitted] ‣ Wrong! ‣ Background work: [ASIACCS 2012], [USENIX Security 2012], [SACMAT 2014] Systems and Internet Infrastructure Security Laboratory (SIIS) Page 3 Systems and Internet Infrastructure Security Laboratory (SIIS) Page 9 Systems and Internet Infrastructure Security Laboratory (SIIS) Page 8 Wednesday, April 23, 14

  9. Vulnerability Classes Talk Outline Directory Traversal • Adversary controls the name to direct victim to an • Our focus is on a group of vulnerabilities that • Problem: Processes need resources from system happen when programs access resources adversary inaccessible (high integrity) resource ‣ Adversaries can redirect victims to resources chosen by adversary • Victim expects adversary accessible (low integrity) • Programs require a variety of resources to function ‣ Adversaries may control names, namespaces, and resources resource • Goal: Protect program during resource retrieval ‣ Regular files: store input and output ‣ Enforce rules to prevent retrieval of obviously exploitable resources GET ‣ Interprocess communication channels ../../ V: Apache etc/passwd ‣ Deduce adversary control automatically to guide enforcement ‣ Signals: notifications from OS 1.html A Webserver • Status: • How hard can fetching resources securely be? ‣ Enforce: Process Firewall kernel mechanism [EuroSys 2013] ‣ Just a simple open(filename) , right? Malicious passwd ‣ Deduce: Enforce relative to program control of “name flows” [submitted] Name ‣ Wrong! ‣ Background work: [ASIACCS 2012], [USENIX Security 2012], [SACMAT 2014] Systems and Internet Infrastructure Security Laboratory (SIIS) Page 3 Systems and Internet Infrastructure Security Laboratory (SIIS) Page 9 Systems and Internet Infrastructure Security Laboratory (SIIS) Page 9 Wednesday, April 23, 14

  10. Name Resolution • Processes often use names to obtain access to system resources • A nameserver (e.g.,OS) performs name resolution using namespace bindings (e.g., directory ) to convert a name (e.g., filename ) into a system resource (e.g., file ) Namespace (filesystem) ‣ Filesystem, System V IPC, … open(“/var/ root root / / var var mail mail P mail/root”) Name Resource (filename) Bindings (directories) (file) Systems and Internet Infrastructure Security Laboratory (SIIS) Page 10

  11. Link Traversal Attack • Adversary controls links to direct a victim to a resource not normally accessible to the adversary • Victim expects adversary-accessible resource, gets a protected resource instead ‣ May take advantage of race conditions (TOCTTOU attacks) open(“/var/ root root root / / var var var mail mail mail V root mail/root”) passwd passwd etc A mail Systems and Internet Infrastructure Security Laboratory (SIIS) Page 11

  12. TOCTTOU Attacks • Time-of-check-to-time-of-use Attack • Check System Call ‣ Does the requesting party have access to the file? (stat, access) ‣ Is the file accessed via a symbolic link? (lstat) • Use System Call ‣ Convert the file name to a file descriptor (open) ‣ Modify the file metadata (chown, chmod) • Change filesystem between check and use to evade access control Systems and Internet Infrastructure Security Laboratory (SIIS) Page

  13. File Squatting Attack • Adversary controls final resource enabling the adversary to control input that the victim may depend on • Victim expects protected resource, gets an adversary-controlled resource instead owner root owner mail open(“/var/ root root root / / var var var mail mail mail V root mail/root”) A mail Systems and Internet Infrastructure Security Laboratory (SIIS) Page 13

  14. Prevalence Systems and Internet Infrastructure Security Laboratory (SIIS) Page 16

  15. Name Resolution Problem • An adversary may be authorized to write to a directory you use in resolving a file path ‣ Create (and delete) files in that directory • E.g., groups and others may have write permission to a directory ‣ /tmp ‣ ls ‒ la /tmp • drwxrwxrwx --- root root --- . • Means? Systems and Internet Infrastructure Security Laboratory (SIIS) Page 17

  16. Link traversal • Suppose your program is asked to open the file path “/tmp/just_a_normal_file_here” ‣ What file will you open? Systems and Internet Infrastructure Security Laboratory (SIIS) Page 20

  17. Link traversal • Suppose your program is asked to open the file path “/tmp/just_a_normal_file_here” ‣ What file will you open? • An adversary could have created this as a symbolic link to any file in the system (no restrictions on targets of symbolic links) • And it is difficult/expensive to verify the link target ‣ lstat ‒ provides file system information (like “stat”) for the file referenced by a link if the path name refers to a link ‣ TOCTTOU RACES: But, adversary could place a file at the time of the lstat check and replace with a link before the open ‣ Causes your program to access an adversary-chosen file Systems and Internet Infrastructure Security Laboratory (SIIS) Page 21

  18. Defense for Link Traversal • Check for symbolic link (lstat) • Check for lstat-open race • Check for inode recycling • Do checks for each path component ( safe_open ) ‣ /, var, mail, … • Challenge: Can be expensive Systems and Internet Infrastructure Security Laboratory (SIIS) Page 22

  19. Safe Open - Ine ffi cient • Checking retrieved resources is expensive ‣ Single open() requires 4 * path length additional syscalls ‣ Programmers omit checks to improve performance • Example: Apache documentation recommended switching off resource access checks Systems and Internet Infrastructure Security Laboratory (SIIS) Page 23

  20. File Squatting • Suppose your program wants to create a new file at “/tmp/my_pristine_new_file” ‣ What file will you open? Systems and Internet Infrastructure Security Laboratory (SIIS) Page 24

Recommend

~FILE SYSTEM~ SUNU WIBIRAMA OUTLINE FILE SYSTEM ACCESS METHODS DIRECTORY STRUCTURE FILE

~FILE SYSTEM~ SUNU WIBIRAMA OUTLINE FILE SYSTEM ACCESS METHODS DIRECTORY STRUCTURE FILE

~FILE SYSTEM~ SUNU WIBIRAMA OUTLINE FILE SYSTEM ACCESS METHODS DIRECTORY STRUCTURE FILE SYSTEM MOUNTING PROTECTION EXTERNAL VIEW OF THE FILE MANAGER FILE MANAGEMENT FILE, IS A NAMED AND ORDERED COLLECTION OF INFORMATION COMPUTER SHOULD

341 views • 33 slides
Chapter 11: File-System Interface File Concept Access Methods Directory Structure

Chapter 11: File-System Interface File Concept Access Methods Directory Structure

Chapter 11: File-System Interface File Concept Access Methods Directory Structure File System Mounting File Sharing Protection Operating System Concepts Silberschatz, Galvin and Gagne 2002 11.1 File Concept

387 views • 15 slides
Distributed-File Systems Background Naming and Transparency Remote File Access

Distributed-File Systems Background Naming and Transparency Remote File Access

Distributed-File Systems Background Naming and Transparency Remote File Access Stateful versus Stateless Service File Replication Example Systems Typeset by Foil T EX 1 Background Distributed file system (DFS)

1.1k views • 73 slides
Data Access and File Management vanilladb.org Outline Storage engine and data access

Data Access and File Management vanilladb.org Outline Storage engine and data access

Data Access and File Management vanilladb.org Outline Storage engine and data access Disk access Block-level interface File-level interface File Management in VanillaCore BlockID Page FileMgr 2 Outline

891 views • 50 slides
Module 11: File-System Interface File Concept Access :Methods Directory Structure

Module 11: File-System Interface File Concept Access :Methods Directory Structure

Module 11: File-System Interface File Concept Access :Methods Directory Structure Protection Consistency Semantics Silberschatz, Galvin, and Gagne 1999 Applied Operating System Concepts 11.1 File Concept Contiguous

755 views • 50 slides
Working Set- -Based Access Control for Based Access Control for Working Set Network File

Working Set- -Based Access Control for Based Access Control for Working Set Network File

Working Set- -Based Access Control for Based Access Control for Working Set Network File Systems Network File Systems Stephen Smaldone, Vinod Ganapathy, and Liviu Iftode DiscoLab - Department of Computer Science Rutgers, The State University

667 views • 23 slides
BurnBox Self-Revocable Encryption in a World of Compelled Access Nirvan Tyagi Muhammad Haris

BurnBox Self-Revocable Encryption in a World of Compelled Access Nirvan Tyagi Muhammad Haris

BurnBox Self-Revocable Encryption in a World of Compelled Access Nirvan Tyagi Muhammad Haris Thomas Ristenpart Ian Miers Mughees Usenix Security 2018 1 Compelled Access Setting file 1 file 2 file 3 2 Compelled Access Setting file 1

787 views • 52 slides
WFP SAFE Programme Safe Access To Fuel and Energy Daphne Carliez WFPs involvement in SAFE

WFP SAFE Programme Safe Access To Fuel and Energy Daphne Carliez WFPs involvement in SAFE

WFP SAFE Programme Safe Access To Fuel and Energy Daphne Carliez WFPs involvement in SAFE Addressing the serious challenges linked with access Fuel-efficient stoves to cooking fuel for the most vulnerable people in Fuel for Alternative

93 views • 8 slides
Access Control Lists Don Porter CSE 506 Background (1) If everything in Unix is a file

Access Control Lists Don Porter CSE 506 Background (1) If everything in Unix is a file

Access Control Lists Don Porter CSE 506 Background (1) If everything in Unix is a file Everything in Windows is an object Why not files? Not all OS abstractions make sense as a file Examples: Eject button on an optical drive

908 views • 22 slides
Distributed Systems - III Open a file, check status on a file, close a file; Read data

Distributed Systems - III Open a file, check status on a file, close a file; Read data

CSE 421/521 - Operating Systems What does Distributed File System Provide? Fall 2011 Provide access to and manipulation of data stored at remote servers using file system interfaces Lecture - XXV What are the file system interfaces?

236 views • 5 slides
Cer$fying a Crash-safe File System Nickolai Zeldovich Collaborators: Tej Chajed, Haogang

Cer$fying a Crash-safe File System Nickolai Zeldovich Collaborators: Tej Chajed, Haogang

Cer$fying a Crash-safe File System Nickolai Zeldovich Collaborators: Tej Chajed, Haogang Chen, Alex Konradi, Stephanie Wang, Daniel Ziegler, Adam Chlipala, M. Frans Kaashoek File systems should not lose data People use file systems to

1.17k views • 98 slides
FileWall : Implementing File Access Policies Using Dynamic Access Context Stephen Smaldone,

FileWall : Implementing File Access Policies Using Dynamic Access Context Stephen Smaldone,

FileWall : Implementing File Access Policies Using Dynamic Access Context Stephen Smaldone, Aniruddha Bohra, and Liviu Iftode DiscoLab Department of Computer Science Rutgers University Workshop on Spontaneous Networking May 12, 2006

525 views • 49 slides
PANACHE: A PARALLEL FILE SYSTEM CACHE FOR GLOBAL FILE ACCESS

PANACHE: A PARALLEL FILE SYSTEM CACHE FOR GLOBAL FILE ACCESS

PANACHE: A PARALLEL FILE SYSTEM CACHE FOR GLOBAL FILE ACCESS Agenda Why Panache An Overview Components of Panache pNFS Architecture

169 views • 15 slides
WFPs SAFE Programme Safe Access To Fuel and Energy Daphn Carliez WFPs SAFE focus: Saving

WFPs SAFE Programme Safe Access To Fuel and Energy Daphn Carliez WFPs SAFE focus: Saving

WFPs SAFE Programme Safe Access To Fuel and Energy Daphn Carliez WFPs SAFE focus: Saving lives to ensure food can be cooked to meet nutritional needs in emergencies Reducing protection and health risks for women and children cooking

74 views • 6 slides
Distributed File Systems Accessing files FTP, telnet Explicit access User-directed

Distributed File Systems Accessing files FTP, telnet Explicit access User-directed

Distributed File Systems Accessing files FTP, telnet Explicit access User-directed connection to access remote resources We want more transparency Allow user to access remote resources just as local ones Focus on file system for

1k views • 66 slides
Week 10: File Management What is a file? Elements of file management File

Week 10: File Management What is a file? Elements of file management File

CPSC 410 / 611 : Operating Systems Week 10: File Management What is a file? Elements of file management File organization Directories File allocation UNIX file system Reading: Silberschatz, Chapter 10, 11

498 views • 13 slides
Verifying a high-performance crash-safe file system using a tree specifica6on Haogang Chen, Tej

Verifying a high-performance crash-safe file system using a tree specifica6on Haogang Chen, Tej

Verifying a high-performance crash-safe file system using a tree specifica6on Haogang Chen, Tej Chajed , Stephanie Wang, Alex Konradi, Atalay leri, Adam Chlipala, M. Frans Kaashoek, Nickolai Zeldovich File systems are difficult to make correct

1.19k views • 100 slides
Module 17: Distributed-File Systems Background Naming and Transparency Remote File

Module 17: Distributed-File Systems Background Naming and Transparency Remote File

Module 17: Distributed-File Systems Background Naming and Transparency Remote File Access Stateful versus Stateless Service File Replication Example Systems Silberschatz, Galvin, and Gagne 1999 Applied Operating System

726 views • 58 slides
Chapter 16 Distributed-File Systems Background Naming and Transparency Remote File

Chapter 16 Distributed-File Systems Background Naming and Transparency Remote File

Chapter 16 Distributed-File Systems Background Naming and Transparency Remote File Access Stateful versus Stateless Service File Replication Example Systems Operating System Concepts Silberschatz, Galvin and Gagne 2002

168 views • 12 slides
Module 17: Distributed-File Systems Background Naming and Transparency Remote File

Module 17: Distributed-File Systems Background Naming and Transparency Remote File

Module 17: Distributed-File Systems Background Naming and Transparency Remote File Access Stateful versus Stateless Service File Replication Example Systems Silberschatz, Galvin, and Gagne 1999 Applied Operating System

1.3k views • 29 slides
What if... There is no file with the name given to the File constructor: new File

What if... There is no file with the name given to the File constructor: new File

What if... There is no file with the name given to the File constructor: new File (IDontExist.txt); Throws FileNotFoundException 1 Handling Exceptions Call that throws the exception try { File f = new File (file.txt);

804 views • 8 slides
Chapter 16 Distributed-File Systems Background Naming and Transparency Remote File

Chapter 16 Distributed-File Systems Background Naming and Transparency Remote File

Chapter 16 Distributed-File Systems Background Naming and Transparency Remote File Access Stateful versus Stateless Service File Replication Example Systems Operating System Concepts 16.1 Silberschatz, Galvin and Gagne

277 views • 24 slides
Distributed File Systems Security: Anonymous access all files available to all users 14B.

Distributed File Systems Security: Anonymous access all files available to all users 14B.

5/30/2018 Distributed File Systems Security: Anonymous access all files available to all users 14B. Remote Data Access: Security no authentication required may be limited to read-only access 14C. Remote Data: Robustness examples:

391 views • 9 slides
Steganographic File Systems Steganographic File Systems 1 Conventional Protection Mechanisms in

Steganographic File Systems Steganographic File Systems 1 Conventional Protection Mechanisms in

Steganographic File Systems Steganographic File Systems 1 Conventional Protection Mechanisms in File S Systems t User Access Control The operating system is fully trusted to enforce the security policy. Is it good enough? Is it

888 views • 44 slides

More recommend