

1. CSE 543: Safe File Access
Trent Jaeger
Systems and Internet Infrastructure Security (SIIS) Lab
Computer Science and Engineering Department
Pennsylvania State University
Systems and Internet Infrastructure Security Laboratory (SIIS) Page 1

2. Problem
• Problem: Processes need resources from system
‣ Just a simple open(filepath, …), right?
‣ But, adversaries can redirect victims to resources of their choosing
‣ And if your program has some valuable privileges, an adversary may want to trick you into using them to implement a malicious operation

3. A Webserver’s Story …
• Consider a university department webserver …
[Figure: Apache webserver handling GET /~student1/index.html HTTP/1.1; home directories faculty1/, student1/, student2/, each with a public_html; a link leads to /etc/passwd]

4. Attack Video

5. What Just Happened?
[Figure: the webserver’s two operations and the resources they may reach: Serve Webpage from Web Pages is OK, Serve Webpage from the Passwd File is Not OK; Authenticate against the Passwd File is OK, Authenticate against Web Pages is Not OK]
• Program acts as a confused deputy
‣ Serves the Passwd File when expecting Web Pages
‣ Authenticates against Web Pages when expecting the Passwd File


7. Lesson
• Opening a file is fraught with danger
‣ We must be careful when using an input that may be adversary controlled when opening a file
• Or other resources too
‣ USENIX Security 2018 paper on being redirected on UNIX Domain Sockets
‣ What inputs are used in opening a file that an adversary may control?
• Inputs used to build file path names
• Filesystem used to resolve file path names

8. Vulnerability Classes
• Our focus is on a group of vulnerabilities that happen when programs access resources
• Programs require a variety of resources to function
‣ Regular files: store input and output
‣ Interprocess communication channels
‣ Signals: notifications from OS
• How hard can fetching resources securely be?
‣ Just a simple open(filename), right?
‣ Wrong!

8. Talk Outline
• Problem: Processes need resources from system
‣ Adversaries can redirect victims to resources chosen by adversary
‣ Adversaries may control names, namespaces, and resources
• Goal: Protect program during resource retrieval
‣ Enforce rules to prevent retrieval of obviously exploitable resources
‣ Deduce adversary control automatically to guide enforcement
• Status:
‣ Enforce: Process Firewall kernel mechanism [EuroSys 2013]
‣ Deduce: Enforce relative to program control of “name flows” [submitted]
‣ Background work: [ASIACCS 2012], [USENIX Security 2012], [SACMAT 2014]
Wednesday, April 23, 14

9. Directory Traversal
• Adversary controls the name to direct victim to an adversary inaccessible (high integrity) resource
• Victim expects adversary accessible (low integrity) resource
[Figure: victim V (Apache webserver) serves 1.html; adversary A sends GET ../../etc/passwd (Malicious Name) instead of GET 1.html and receives passwd]

10. Name Resolution
• Processes often use names to obtain access to system resources
‣ Filesystem, System V IPC, …
• A nameserver (e.g., OS) performs name resolution using namespace bindings (e.g., directory) to convert a name (e.g., filename) into a system resource (e.g., file)
[Figure: process P calls open(“/var/mail/root”); the name (filename) is resolved through the namespace (filesystem) bindings (directories /, var, mail) to the resource (file root)]

11. Link Traversal Attack
• Adversary controls links to direct a victim to a resource not normally accessible to the adversary
• Victim expects adversary-accessible resource, gets a protected resource instead
‣ May take advantage of race conditions (TOCTTOU attacks)
[Figure: victim V calls open(“/var/mail/root”); adversary A, who controls the mail directory, links root so that the name resolves to /etc/passwd instead of the expected /var/mail/root]

12. TOCTTOU Attacks
• Time-of-check-to-time-of-use Attack
• Check System Call
‣ Does the requesting party have access to the file? (stat, access)
‣ Is the file accessed via a symbolic link? (lstat)
• Use System Call
‣ Convert the file name to a file descriptor (open)
‣ Modify the file metadata (chown, chmod)
• Change filesystem between check and use to evade access control

13. File Squatting Attack
• Adversary controls final resource enabling the adversary to control input that the victim may depend on
• Victim expects protected resource, gets an adversary-controlled resource instead
[Figure: victim V calls open(“/var/mail/root”); adversary A, who can write to the mail directory, creates root there first, so the file has owner mail instead of the expected owner root]

14. Prevalence

15. Name Resolution Problem
• An adversary may be authorized to write to a directory you use in resolving a file path
‣ Create (and delete) files in that directory
• E.g., groups and others may have write permission to a directory
‣ /tmp
‣ ls -la /tmp
• drwxrwxrwx --- root root --- .
• Means?


17. Link traversal
• Suppose your program is asked to open the file path “/tmp/just_a_normal_file_here”
‣ What file will you open?
• An adversary could have created this as a symbolic link to any file in the system (no restrictions on targets of symbolic links)
• And it is difficult/expensive to verify the link target
‣ lstat - provides file system information (like “stat”) for the file referenced by a link if the path name refers to a link
‣ TOCTTOU RACES: But, adversary could place a file at the time of the lstat check and replace with a link before the open
‣ Causes your program to access an adversary-chosen file

18. Defense for Link Traversal
• Check for symbolic link (lstat)
• Check for lstat-open race
• Check for inode recycling
• Do checks for each path component (safe_open)
‣ /, var, mail, …
• Challenge: Can be expensive
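The component-wise safe_open sketched on this slide, together with the lstat check and the lstat-open race from slide 17, the check/use split from slide 12 and the writable-directory problem from slide 15, as an added example in C. This is not the course's or any library's code; it assumes a Linux/POSIX system with openat, fstatat, O_NOFOLLOW and O_DIRECTORY. The directory trust policy (owned by root or the caller, not group- or world-writable), the function names safe_openat/dir_is_trusted/fixture_root and the test layout under /tmp are the example's own constructions.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Trust policy for a directory used as a binding (assumed here, not from the
 * slides): owned by root or the caller, and writable by nobody else. The
 * slide's drwxrwxrwx /tmp fails it: anyone may create and delete entries
 * there, i.e. rebind any name we resolve through it. */
static int dir_is_trusted(const struct stat *st) {
    if (!S_ISDIR(st->st_mode)) return 0;
    if (st->st_uid != 0 && st->st_uid != geteuid()) return 0;
    if (st->st_mode & (S_IWGRP | S_IWOTH)) return 0;
    return 1;
}

/* Resolve `path` relative to the already-open trusted directory `dirfd`, one
 * component at a time. Per component, four extra syscalls (the slide's
 * "4 * path length"): fstatat(AT_SYMLINK_NOFOLLOW) is lstat relative to a
 * directory fd and refuses symbolic links; openat(O_NOFOLLOW) cannot be
 * tricked by a link planted after that check (it fails with ELOOP); fstat on
 * the new descriptor must show the same (st_dev, st_ino) the lstat saw, which
 * catches a swapped binding or a recycled inode; then the previous directory
 * fd is closed. Absolute paths, ".." and O_CREAT are rejected. */
int safe_openat(int dirfd, const char *path, int flags) {
    char buf[PATH_MAX];
    if (path[0] == '/' || strlen(path) >= sizeof buf || (flags & O_CREAT)) {
        errno = EINVAL;
        return -1;
    }
    strcpy(buf, path);
    int cur = dup(dirfd);          /* we only ever close descriptors we own */
    struct stat st;
    if (cur < 0 || fstat(cur, &st) != 0 || !dir_is_trusted(&st)) {
        if (cur >= 0) close(cur);
        errno = EACCES;
        return -1;
    }
    char *comp = buf;
    for (;;) {
        char *slash = strchr(comp, '/');
        int last = (slash == NULL);
        if (slash) *slash = '\0';
        if (comp[0] == '\0' && !last) { comp = slash + 1; continue; }  /* "a//b" */
        if (comp[0] == '\0' || strcmp(comp, "..") == 0) {             /* "a/" or escape */
            close(cur); errno = EINVAL; return -1;
        }
        struct stat pre, post;
        if (fstatat(cur, comp, &pre, AT_SYMLINK_NOFOLLOW) != 0) { close(cur); return -1; }
        if (S_ISLNK(pre.st_mode)) { close(cur); errno = ELOOP; return -1; }
        int oflags = last ? (flags | O_NOFOLLOW | O_CLOEXEC)
                          : (O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
        int next = openat(cur, comp, oflags);
        close(cur);
        if (next < 0) return -1;   /* ELOOP here: link swapped in between lstat and open */
        if (fstat(next, &post) != 0 || post.st_dev != pre.st_dev || post.st_ino != pre.st_ino) {
            close(next); errno = EAGAIN; return -1;   /* binding changed under us */
        }
        if (last) return next;
        if (!dir_is_trusted(&post)) { close(next); errno = EACCES; return -1; }
        cur = next;
        comp = slash + 1;
    }
}

/* Constructed test layout (the example's own, not from the slides):
 *   <root>/sub/regular.txt          ordinary file owned by the caller
 *   <root>/sub/link -> regular.txt  link planted as the final component
 *   <root>/dirlink -> sub           link planted as a directory component
 *   <root>/loose/regular.txt        file inside a 0777 directory (drwxrwxrwx) */
static char g_root[] = "/tmp/safeopen.XXXXXX";
static int g_rootfd = -1;

static int mkfile(const char *rel) {
    char p[PATH_MAX];
    snprintf(p, sizeof p, "%s/%s", g_root, rel);
    int fd = open(p, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    close(fd);
    return 0;
}

int fixture_root(void) {           /* returns the trusted starting directory fd */
    if (g_rootfd >= 0) return g_rootfd;
    if (!mkdtemp(g_root)) return -1;
    char p[PATH_MAX];
    snprintf(p, sizeof p, "%s/sub", g_root);
    if (mkdir(p, 0700) != 0 || mkfile("sub/regular.txt") != 0) return -1;
    snprintf(p, sizeof p, "%s/sub/link", g_root);
    if (symlink("regular.txt", p) != 0) return -1;
    snprintf(p, sizeof p, "%s/dirlink", g_root);
    if (symlink("sub", p) != 0) return -1;
    snprintf(p, sizeof p, "%s/loose", g_root);
    if (mkdir(p, 0700) != 0 || chmod(p, 0777) != 0 || mkfile("loose/regular.txt") != 0) return -1;
    g_rootfd = open(g_root, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    return g_rootfd;
}

int main(void) {
    const char *cases[] = { "sub/regular.txt", "sub/link", "dirlink/regular.txt",
                            "loose/regular.txt", "../etc/passwd" };
    int root = fixture_root();
    for (size_t i = 0; i < sizeof cases / sizeof *cases; i++) {
        int fd = safe_openat(root, cases[i], O_RDONLY);
        printf("%-20s -> %s\n", cases[i], fd >= 0 ? "opened" : strerror(errno));
        if (fd >= 0) close(fd);
    }
    return 0;
}
```

Starting from an already-open directory fd rather than from "/" is what makes the per-component checks meaningful: the caller establishes trust in the root once, and every binding below it is verified on the descriptor that was actually opened, never on the name alone. The cost is visible in the loop, which is exactly the overhead the next slide complains about.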

19. Safe Open - Inefficient
• Checking retrieved resources is expensive
‣ Single open() requires 4 * path length additional syscalls
‣ Programmers omit checks to improve performance
• Example: Apache documentation recommended switching off resource access checks

20. File Squatting
• Suppose your program wants to create a new file at “/tmp/my_pristine_new_file”
‣ What file will you open?
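The file squatting case from this slide and slide 13, as an added example in C that is not part of the course material: the naive O_CREAT open beside an exclusive creation that refuses a pre-existing binding and reports what was found there. It assumes a Linux/POSIX system; the function names create_squattable/create_exclusive/fixture_path, the result classification and the planted test entries under /tmp are the example's own constructions.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* What a program usually writes: O_CREAT without O_EXCL. If the name is
 * already bound, open() just uses that binding: a planted regular file is
 * opened as if it were new, and a planted symbolic link is followed, so the
 * "new" file is created wherever the adversary pointed the link. */
int create_squattable(const char *path) {
    return open(path, O_RDWR | O_CREAT, 0600);
}

/* Constructed classification of what the hardened creation found. */
enum create_result { CREATED = 0, SQUATTED_LINK, SQUATTED_FILE, CREATE_ERROR };

/* Hardened creation: O_EXCL turns any existing binding, link or file, into
 * EEXIST instead of silently reusing it, and O_NOFOLLOW means a link is never
 * traversed. The descriptor, not the name, is then verified. On EEXIST the
 * name is lstat'ed only to tell the caller what was squatting there; the
 * squatted entry is never opened. If fd_out is NULL the new file is closed. */
enum create_result create_exclusive(const char *path, int *fd_out) {
    if (fd_out) *fd_out = -1;
    int fd = open(path, O_RDWR | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
    struct stat st;
    if (fd >= 0) {
        if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != geteuid()) {
            close(fd);
            return CREATE_ERROR;
        }
        if (fd_out) *fd_out = fd; else close(fd);
        return CREATED;
    }
    if (errno != EEXIST) return CREATE_ERROR;
    if (lstat(path, &st) != 0) return CREATE_ERROR;   /* removed again since the open */
    return S_ISLNK(st.st_mode) ? SQUATTED_LINK : SQUATTED_FILE;
}

/* Constructed layout (the example's own): the adversary has already planted
 *   <dir>/planted_link -> adversary_target   (relative link, target absent)
 *   <dir>/planted_file                        (an ordinary file)
 * and the victim now wants to create "fresh" in the same directory. */
static char g_dir[] = "/tmp/squat.XXXXXX";
static char g_path[PATH_MAX];
static int g_ready = 0;

const char *fixture_path(const char *name) {
    if (!g_ready) {
        if (!mkdtemp(g_dir)) return NULL;
        snprintf(g_path, sizeof g_path, "%s/planted_link", g_dir);
        if (symlink("adversary_target", g_path) != 0) return NULL;
        snprintf(g_path, sizeof g_path, "%s/planted_file", g_dir);
        int fd = open(g_path, O_WRONLY | O_CREAT | O_EXCL, 0600);
        if (fd < 0) return NULL;
        close(fd);
        g_ready = 1;
    }
    snprintf(g_path, sizeof g_path, "%s/%s", g_dir, name);
    return g_path;
}

int main(void) {
    const char *names[] = { "fresh", "planted_link", "planted_file" };
    const char *labels[] = { "created", "squatted by a symbolic link",
                             "squatted by an existing file", "error" };
    for (size_t i = 0; i < 3; i++)
        printf("%-13s -> %s\n", names[i], labels[create_exclusive(fixture_path(names[i]), NULL)]);
    return 0;
}
```

The detection value is in the EEXIST branch: a program that logs SQUATTED_LINK or SQUATTED_FILE for a name it expected to be free has caught an attempt at the attack the slide describes, whereas the naive version simply succeeds and continues with the adversary's resource.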
