Protecting Applications Against TOCTTOU Races by User-Space Caching - PowerPoint PPT Presentation


  1. DynaRace: Protecting Applications Against TOCTTOU Races by User-Space Caching of File Metadata
     Mathias Payer & Thomas R. Gross, Department of Computer Science, ETH Zürich, Switzerland

  2. TOCTTOU races
     Time Of Check To Time of Use (TOCTTOU) races for file accesses endanger the integrity of applications.
     ● The mapping between filename and inode is volatile
     ● The attacker uses the delay between the "test" and "use" system calls
     Interleaving of a SUID program and an attacker:
         SUID program:  access("file");
         Attacker:      unlink("file");               (race opportunity)
         Attacker:      link("sensitive", "file");
         SUID program:  fd = open("file");
                        read(fd, ...);
     2012-03-04 Mathias Payer, ETH Zürich

  3. Motivation: Protect applications
     Protect unmodified applications from TOCTTOU races.
     Cache metadata for accessed files
     ● Check and verify metadata on all file accesses
     ● User-space implementation
     The metadata cache links filenames and inodes
     ● Stop potential file-based race attacks
     Close the door to one popular attack vector.

  4. Outline
     Motivation
     DynaRace key idea
     ● File states capture permissions
     ● File resolution ensures safety
     Implementation
     Evaluation
     Related work
     Conclusion

  5. DynaRace key idea
     Keep state and metadata for all files.
     [Figure: the application (plus libraries) issues system calls to the kernel]

  6. DynaRace key idea
     Keep state and metadata for all files.
     ● Update metadata for new files
     ● Enforce metadata equality for known files
     [Figure: file-based system calls from the application (plus libraries) pass through the DynaRace metadata cache; other system calls go directly to the kernel]

  7. DynaRace file states
     DynaRace keeps state for each accessed file.
     [State diagram: states new, update, enforce, retire]

  8. DynaRace file states
     State transitions according to system call groups:
     ● Test: check a property, e.g., access or stat
     ● Use: work with files, e.g., open or chmod
     ● Close: retire files, e.g., close or unlink
     [State diagram: states new, update, enforce, retire; transitions labelled test, use, "use & test" and close]

  9. DynaRace file states: Example
     SUID program:
         access("file");
         ...
         fd = open("file");
         read(fd, ...);
         close(fd);
     Metadata file cache after the access("file") test: file in /tmp [update]
     [State diagram with update highlighted]

  10. DynaRace file states: Example
     Same SUID program as slide 9.
     Metadata file cache after the open("file") use: file in /tmp [enforce]
     [State diagram with enforce highlighted]

  11. DynaRace file states: Example
     Same SUID program as slide 9.
     Metadata file cache after close(fd): file in /tmp [retire]
     [State diagram with retire highlighted]

  12. DynaRace file states: Example 2
     Same SUID program as slide 9 (access, open, read, close).
     Metadata file cache: empty before access("file"); file in /tmp [update] after it
     [State diagram with update highlighted]

  13. DynaRace file states: Example 2
     Race opportunity between access("file") and open("file").
     Metadata file cache: empty → file in /tmp [update]
     [State diagram with update highlighted]

  14. DynaRace file states: Example 2
     Metadata file cache: empty → file in /tmp [update] → file in /tmp [enforce] at open("file")
     [State diagram with enforce highlighted]

  15. DynaRace file resolution
     Resolve files in a race-free manner*
     ● Resolve the path atom by atom
     ● Check if the atom is in the cache
       – Enforce metadata according to state
     ● Update the atom's metadata
     ● Use recursion to follow links
     Example, resolving /tmp/.X0-lock: first /, then tmp/ in /, then .X0-lock in /tmp/
     * Files are resolved similar to the check_use mechanism by Tsafrir et al. [FAST'08, IBM TR RC24572]

  16. Outline
     Motivation
     The DynaRace approach
     Implementation
     Evaluation
     Related work
     Conclusion

  17. DynaRace prototype implementation
     The prototype implementation uses user-space virtualization
     ● Additional virtualization layer between application and OS
     Libdetox* rewrites the executed application code
     ● File-based system calls are replaced with DynaRace functions
     ● Metadata and state cache live in the VM layer
     ● Linux x86 implementation
     * Libdetox implements software-based fault isolation using dynamic binary translation (BT), Payer et al. [VEE'11]

  18. DynaRace prototype implementation
     Libdetox
     ● Total LOC: 15'130
       – Translation tables LOC: 4'907
     ● Comments: 5'015
     DynaRace (for a subset of system calls)
     ● Total LOC: 441
     ● Comments: 372
     ● Changes to Libdetox per redirected system call: 2 LOC

  19. Outline
     Motivation
     The DynaRace approach
     Implementation
     Evaluation
     ● Apache performance
     ● X.org bug study
     Related work
     Conclusion

  20. Apache performance
     Apache 2.2 on Ubuntu 10.04 LTS using the ab benchmark
     ● Core i7 950 CPU @ 3.07GHz, in 32-bit x86 mode
     ● ab executes with two concurrent connections
     ● Each file is downloaded 100,000 times
       – index.html: 5kB HTML
       – image.png: 1MB raw data
       – test.php: short PHP script (90B output)
       – test2.php: long PHP script (49kB output)

  21. Apache performance
     3 different configurations:
     ● Native: native, unmodified execution of Apache
     ● Libdetox: Apache running in the Libdetox sandbox
     ● DynaRace: Libdetox + DynaRace protection

  22. Apache performance
     [Chart: relative performance (0% to 140%) of native, libdetox and DynaRace for the benchmarks index.html, image.png, test.php and test2.php]
     ● Overhead of DynaRace comparable to libdetox
     ● Speedup due to better code layout
     ● Overall performance penalty is tolerable

  23. X.org security exploit
     X.org protected with DynaRace. Lock-file code from os/utils.c*; P1 has just created the lock file:
         ...
         lfd = open(tmp, O_CREAT|O_EXCL|O_WRONLY, 0644);
         ...
         if (lfd < 0) {
             unlink(tmp);
         }
         ...
         write(lfd, pid_str, 11);
         /* unchecked relaxation */
         chmod(tmp, 0444);
         ...
     tmp lock file: /tmp/.X0-lock
     P1 metadata file cache: .X0-lock in /tmp [enforce]
     * in os/utils.c [CVE-2011-4029]

  24. X.org security exploit
     Same code as slide 23. P1 sleeps after open, before write(lfd, pid_str, 11); a second instance P2 reaches open.
     tmp lock file: /tmp/.X0-lock
     P1 metadata file cache: .X0-lock in /tmp [enforce]
     P2 metadata file cache: .X0-lock in /tmp [enforce]

  25. X.org security exploit
     Same code as slide 23. P2 takes the lfd < 0 branch and calls unlink(tmp); P1 is still asleep before write.
     tmp lock file: /tmp/.X0-lock, file removed by P2
     P1 metadata file cache: .X0-lock in /tmp [enforce]
     P2 metadata file cache: .X0-lock in /tmp [retire]

  26. X.org security exploit
     Same code as slide 23; P1 is still asleep before write.
     Attacker links /tmp/.X0-lock to a sensitive file (e.g., /etc/shadow).
     P1 metadata file cache: .X0-lock in /tmp [enforce]

  27. X.org security exploit
     Same code as slide 23. P1 wakes up, writes, and reaches chmod(tmp, 0444).
     tmp lock file: /tmp/.X0-lock links to /etc/shadow
     Metadata mismatch for .X0-lock: P1 is terminated with a race exception.
     P1 metadata file cache: .X0-lock in /tmp [enforce]
     Attacker is not successful.
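The file-state machine of slides 7 to 14, the atom-by-atom resolution of slide 15 and the X.org lock-file case of slides 23 to 27, as an added C example that is not the DynaRace or Libdetox code. It assumes a constructed in-memory name-to-inode table in place of the kernel, made-up (dev, ino) numbers, and my reading of the transitions (a test records or refreshes metadata in the update state, a use checks the record and moves the atom to enforce, a close retires it); the scenario functions, table names and return codes are all mine.

```c
/* Added example, not the DynaRace or Libdetox code: a simplified user-space metadata
 * cache keyed by (parent directory, path atom) with the states new/update/enforce/
 * retire and atom-by-atom resolution.  A constructed in-memory table stands in for
 * the kernel's volatile name->inode mapping; every (dev, ino) value is made up. */
#include <stdio.h>
#include <string.h>
#define DR_OK    0
#define DR_RACE -1                 /* metadata mismatch: raise a race exception */
#define TAB_MAX 32
enum dr_state { DR_NEW, DR_UPDATE, DR_ENFORCE, DR_RETIRE };
typedef struct { unsigned long dev, ino; } dr_meta;
typedef struct { char dir[64], name[64]; dr_meta meta; enum dr_state state; } dr_entry;
static dr_entry fs[TAB_MAX], cache[TAB_MAX]; /* fs: constructed name->inode table */
static int fs_n, cache_n;                    /* cache: the DynaRace-style metadata cache */

static dr_entry *find(dr_entry *tab, int n, const char *dir, const char *name) {
    for (int i = 0; i < n; i++)
        if (!strcmp(tab[i].dir, dir) && !strcmp(tab[i].name, name)) return &tab[i];
    return NULL;
}
static dr_entry *add(dr_entry *tab, int *n, const char *dir, const char *name) {
    if (*n >= TAB_MAX) return NULL;          /* table full: callers fail closed */
    dr_entry *e = &tab[(*n)++];
    snprintf(e->dir, sizeof e->dir, "%s", dir);
    snprintf(e->name, sizeof e->name, "%s", name);
    e->state = DR_NEW;
    return e;
}
/* Simulated kernel: create or re-link dir/name to (dev, ino); ino 0 = name gone. */
void fs_link(const char *dir, const char *name, unsigned long dev, unsigned long ino) {
    dr_entry *e = find(fs, fs_n, dir, name);
    if (!e && !(e = add(fs, &fs_n, dir, name))) return;
    e->meta.dev = dev; e->meta.ino = ino;
}

/* Check one atom.  Assumed model: an unknown or retired atom is recorded and enters
 * 'update'; a test in 'update' refreshes the record; a use moves the atom to
 * 'enforce'; on that use and in 'enforce' the observed (dev, ino) must match. */
static int dr_atom(const char *dir, const char *name, int is_use) {
    dr_entry *f = find(fs, fs_n, dir, name);
    if (!f || f->meta.ino == 0) return DR_OK;   /* no inode yet: nothing to pin */
    dr_entry *e = find(cache, cache_n, dir, name);
    if (!e && !(e = add(cache, &cache_n, dir, name))) return DR_RACE;
    if (e->state == DR_NEW || e->state == DR_RETIRE || (e->state == DR_UPDATE && !is_use)) {
        e->meta = f->meta; e->state = DR_UPDATE;          /* record or refresh */
    } else if (e->meta.dev != f->meta.dev || e->meta.ino != f->meta.ino) return DR_RACE;
    if (is_use) e->state = DR_ENFORCE;
    return DR_OK;
}

/* Resolve an absolute path atom by atom ("tmp" in "/", then ".X0-lock" in "/tmp"). */
static int dr_resolve(const char *path, int is_use) {
    char parent[64] = "/", atom[64]; size_t pl = 1;
    while (*path == '/') path++;
    while (*path) {
        size_t n = strcspn(path, "/");
        if (n >= sizeof atom || pl + n + 2 > sizeof parent) return DR_RACE; /* fail closed */
        memcpy(atom, path, n); atom[n] = '\0';
        if (dr_atom(parent, atom, is_use) != DR_OK) return DR_RACE;
        if (pl > 1) parent[pl++] = '/';
        memcpy(parent + pl, atom, n + 1); pl += n;
        for (path += n; *path == '/'; path++) {}
    }
    return DR_OK;
}

/* The system-call groups of slide 8 mapped onto the cache. */
int dr_test(const char *path) { return dr_resolve(path, 0); }    /* access, stat  */
int dr_use(const char *path)  { return dr_resolve(path, 1); }    /* open, chmod   */
int dr_close(const char *path) {                                 /* close, unlink */
    const char *slash = strrchr(path, '/'); char parent[64];
    if (!slash) return DR_OK;               /* only absolute paths are modelled */
    snprintf(parent, sizeof parent, "%.*s", slash == path ? 1 : (int)(slash - path), path);
    dr_entry *e = find(cache, cache_n, parent, slash + 1);
    if (e) e->state = DR_RETIRE;
    return DR_OK;
}

/* Slides 9-11: test -> update, use -> enforce, close -> retire; a re-created name may be used again. */
int scenario_benign(void) {
    fs_n = cache_n = 0;
    fs_link("/", "tmp", 1, 2); fs_link("/tmp", "file", 1, 50);
    if (dr_test("/tmp/file") != DR_OK) return -10;  /* access("file") */
    if (dr_use("/tmp/file") != DR_OK) return -11;   /* open("file")   */
    dr_close("/tmp/file");                          /* close(fd)      */
    fs_link("/tmp", "file", 1, 51);                 /* later, legitimately replaced */
    return dr_use("/tmp/file");                     /* DR_OK: retired entry restarts */
}
/* Slide 2: the name is unlinked and re-linked between the test and the use. */
int scenario_classic_race(void) {
    fs_n = cache_n = 0;
    fs_link("/", "tmp", 1, 2); fs_link("/tmp", "file", 1, 50);
    if (dr_test("/tmp/file") != DR_OK) return -10;  /* access("file") */
    fs_link("/tmp", "file", 1, 60);                 /* another process: unlink + link */
    return dr_use("/tmp/file");                     /* DR_RACE: open("file") refused */
}
/* Slides 23-27: P1 creates the lock (enforce), P2 unlinks it, the name is re-linked. */
int scenario_xorg_lock(void) {
    fs_n = cache_n = 0;
    fs_link("/", "tmp", 1, 2); fs_link("/tmp", ".X0-lock", 1, 100);
    if (dr_use("/tmp/.X0-lock") != DR_OK) return -10; /* P1: open(O_CREAT|O_EXCL) */
    fs_link("/tmp", ".X0-lock", 1, 0);              /* P2: unlink(tmp)           */
    fs_link("/tmp", ".X0-lock", 1, 777);            /* name now points elsewhere */
    return dr_use("/tmp/.X0-lock");                 /* DR_RACE at P1's chmod     */
}
```

The three scenario functions replay the interleavings from the slides. In the X.org case the path-based chmod(tmp, 0444) is refused because the cached (dev, ino) of .X0-lock in /tmp no longer matches, the outcome slide 27 reports; the benign case shows that a retired entry is re-recorded rather than enforced, so ordinary re-creation of a file after close is not flagged. A real implementation sits in the system-call redirection layer and takes each atom's metadata from lstat or fstat instead of from a table, and it would also need to handle names that do not exist yet at test time, which this model leaves unpinned.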

  28. Outline
     Motivation
     The DynaRace approach
     Implementation
     Evaluation
     Related work
     Conclusion
