Protecting applications against TOCTTOU races by user-space caching of file metadata

VEE'12 - Proceedings of the ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments

Volumn , Issue , 2012, Pages 215-226

  Payer, Mathias ^a   Gross, Thomas R ^a  

^a ETH ZURICH   (Switzerland)

Author keywords

dynamic protection; file based TOCTTOU race protection; race protection; security; TOCTTOU races; virtualization

Indexed keywords

FILE-BASED TOCTTOU RACE PROTECTION; RACE PROTECTION; SECURITY; TOCTTOU RACES; VIRTUALIZATIONS;

HAZARDS AND RACE CONDITIONS; INTRUSION DETECTION; MAPPING; SPACE APPLICATIONS;

METADATA;

EID: 84858773365     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/2151024.2151052     Document Type: Conference Paper

References (37)

1. New system calls. https://lwn.net/Articles/164887/.
2. openat syscall. http://linux.die.net/man/2/openat.
3. AGGARWAL, A., AND JALOTE, P. Monitoring the security health of software systems. In ISSRE'06: 17th Int'l Symp. Software Reliability Engineering (nov. 2006), pp. 146-158.
4. BISHOP, M. Checking for race conditions in file accesses. Tech. rep., University of California at Davis, 1995.
5. BISHOP, M., AND DILGER, M. Checking for race conditions in file accesses. Journal for Computing Systems (1996), 131-152.
6. BORISOV, N., JOHNSON, R., SASTRY, N., AND WAGNER, D. Fixing races for fun and profit: how to abuse atime. In 14th USENIX Security Symposium (2005), pp. 303-314.
7. BRUENING, D., DUESTERWALD, E., AND AMARASINGHE, S. Design and implementation of a dynamic optimization framework for Windows. In ACM Workshop Feedback-directed Dyn. Opt. (FDDO-4) (2001).
8. BRUENING, D., GARNETT, T., AND AMARASINGHE, S. An infrastructure for adaptive dynamic optimization. In CGO '03 (2003), pp. 265-275.
9. CHARI, S., HALEVI, S., AND VENEMA, W. Where do you want to go today? escalating privileges by pathname manipulation. In NDSS (2010).
10. CHEN, H., AND WAGNER, D. MOPS: an infrastructure for examining security properties of software. In CCS'02: Proc. 9th ACM Conf. Computer and Communications Security (2002), pp. 235-244.
11. CHESS, B. V. Improving computer security using extended static checking. In S&P'02: IEEE Symp. on Security and Privacy (2002).
12. COWAN, C., BEATTIE, S., WRIGHT, C., AND KROAH-HARTMAN, G. RaceGuard: Kernel protection from temporary file race vulnerabilities. In Proc. 10th USENIX Security Symposium (2001), p. 12.
13. DEAN, D., AND HU, A. J. Fixing races for fun and profit: how to use access(2). In Proc. 13th USENIX Security Symposium (2004), SSYM'04, pp. 14-14.
14. FORD, B., AND COX, R. Vx32: lightweight user-level sandboxing on the x86. In ATC'08: USENIX 2008 Annual Technical Conference (2008), pp. 293-306.
15. GOYAL, B., SITARAMAN, S., AND VENKATESAN, S. A unified approach to detect binding based race condition attacks. In CANS'03: Intl. Workshop on Cryptology & Network Security (2003).
16. JOSHI, A., KING, S. T., DUNLAP, G. W., AND CHEN, P. M. Detecting past and present intrusions through vulnerability-specific predicates. In SOSP'05: Proc. 20th ACM Symposium on Operating Systems Principles (2005), pp. 91-104.
17. KIRIANSKY, V., BRUENING, D., AND AMARASINGHE, S. P. Secure execution via program shepherding. In Proc. 11th USENIX Security Symposium (2002), pp. 191-206.
18. KO, C., AND REDMOND, T. Noninterference and intrusion detection. In S&P'02: Proc. 2002 IEEE Symposium on Security and Privacy (2002), pp. 177-187.
19. MAZIÈRES, D., AND KAASHOEK, M. F. Secure applications need flexible operating systems. In HotOS'07: Workshop on Hot Topics in Operating Systems (1997), pp. 56-61.
20. PARK, J., LEE, G., LEE, S., AND KIM, D.-K. RPS: An extension of reference monitor to prevent race-attacks. In PCM'04: 5th Pacific Rim Conf. on Multimedia (2004), pp. 556-563.
21. PAYER, M., AND GROSS, T. R. Fine-grained user-space security through virtualization. In VEE'11: Proc. 7th ACM SIGPLAN/SIGOPS Int'l conf. Virtual execution environments (2011), pp. 157-168.
22. SCHMUCK, F., AND WYLIE, J. Experience with transactions in quicksilver. In SOSP'09: Proc. 13th ACM Symposium on Operating Systems Principles (1991), pp. 239-253.
23. SCHWARZ, B., CHEN, H., WAGNER, D., LIN, J., TU, W., MORRISON, G., AND WEST, J. Model checking an entire Linux distribution for security violations. In Proc 21st Computer Security Applications Conference (2005), pp. 13-22.
24. SCOTT, K., AND DAVIDSON, J. Strata: A software dynamic translation infrastructure. Tech. rep., University of Virginia, 2001.
25. SCOTT, K., AND DAVIDSON, J. Safe virtual execution using software dynamic translation. ACSAC'02: Annual Computer Security Applications Conference (2002), 209.
26. SHACHAM, H. The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86). In CCS'07: Proc. 14th ACM conf. Computer and Communications Security (Oct. 2007), S. De Capitani di Vimercati and P. Syverson, Eds., ACM Press, pp. 552-61.
27. SPILLANE, R. P., GAIKWAD, S., CHINNI, M., ZADOK, E., AND WRIGHT, C. P. Enabling transactional file access via lightweight kernel extensions. In FAST'09: Proc. 7th conf. on File and storage technologies (2009), pp. 29-42.
28. SUK LHEE, K., AND CHAPIN, S. J. Detection of file-based race conditions. Int'l Journal Information Security 4, 1-2 (2005), 105-119.
29. TSAFRIR, D., HERTZ, T., WAGNER, D., AND DA SILVA, D. Portably solving file TOCTTOU races with hardness amplification. In FAST'08: Proc. 6th USENIX Conf. on File and Storage Technologies (2008), pp. 13:1-13:18.
30. TSAFRIR, D., HERTZ, T., WAGNER, D., AND DA SILVA, D. Portably preventing file race attacks with user-mode path resolution. Tech. Rep. RC24572, IBM T. J. Watson Research Center, June 2008.
31. TSYRKLEVICH, E., AND YEE, B. Dynamic detection and prevention of race conditions in file accesses. In Proc. 12th USENIX Security Symposium (2003), pp. 243-255.
32. UPPULURI, P., JOSHI, U., AND RAY, A. Preventing race condition attacks on file-systems. In SAC'05: Proc. ACM Symposium on Applied computing (2005), SAC '05, pp. 346-353.
33. VIEGA, J., BLOCH, J., KOHNO, T., AND MCGRAW, G. ITS4: a static vulnerability scanner for C and C++ code. In ACSAC'00: Ann. Comput. Security Applications Conf. (2000).
34. VLADZ. Xorg file permission change vulnerability (CVE-2011-4029). http://vladz.devzero.fr/Xorg-CVE-2011-4029.txt.
35. WEI, J., AND PU, C. TOCTTOU vulnerabilities in UNIX-style file systems: an anatomical study. In FAST'05: Proc. 4th conf. USENIX Conf. File and Storage Technologies (2005), pp. 12-12.
36. WEI, J., AND PU, C. A methodical defense against TOCTTOU attacks: the EDGI approach. In ISSSE'06: IEEE Int'l Symp. on Secure Software Engineering (2006).
37. WRIGHT, C. P., SPILLANE, R., SIVATHANU, G., AND ZADOK, E. Extending ACID semantics to the file system. Trans. Storage 3 (June 2007).