SysSec. Aurélien Francillon

Size: px
Start display at page:

Download "SysSec. Aurélien Francillon"

Transcription

1 SysSec Aurélien Francillon

2

3

4 SysSec Aurélien Francillon

5 Interaction shared memory (or address space) file system signals Results of tasks depends on relative timing of events Indeterministic behavior

6 Assumption needs to hold for some time for correct behavior, But assumption can be violated A failure of synchronization mechanisms (see OS course) Time window when assumption can be violated window of vulnerability

7 Attacker can take advantage of this discrepancy A B time

8 Attacker can take advantage of this discrepancy A C B time Attacker

9 locking, semaphores Java: synchronized classes and methods (Monitor model) Atomic types (java.util.concurrent.atomic.atomicinteger, etc) Avoid shared memory: use message-passing model still need to get the synchronization right!

10 } { } HttpServletResponse out) out.setcontenttype("text/plain"); Printwriter p = out.getwriter(); count++; p.println(count + " hits so far!");

11 } { } HttpServletResponse out) out.setcontenttype("text/plain"); Printwriter p = out.getwriter(); Looks atomic (1 line of code!) count++; p.println(count + " hits so far!"); It's not! Simple race: 2 threads read count both write count+1 missed 1 increment

12 Scheduler can interrupt a process at any time Can happen between A and B A B time

13 Scheduler can interrupt a process at any time Can happen between A and B A slow syscall B time Much more likely if there is a blocking system call in between

14 (t A,t B ) is the window of vulnerability A C B time Attacker

15 Myths about race conditions "races are hard to exploit "races cannot be exploited reliably" "only 1 chance in that the attack will work!" Attackers can often find ways to beat the odds!

16 to improve the odds high load computational complexity attacks Attacker can run the attack many times in parallel to increase the probability that the attacking process will be scheduled by the processor at the right moment

17 checked Time-Of-Use (t B ): assuming X is still valid, E is used Time-Of-Attack (t C ): assumption X is invalidated t A < t C < t B Program has to execute with elevated privilege otherwise, attacker races for his own privileges

18 Often occurs in Unix file system accesses check permissions for a certain file name (e.g., using access(2)) open the file, using the file name (e.g., using fopen(3)) four levels of indirection (symbolic link - hard link - inode - file descriptor)

19 /* access returns 0 on success */ if(!access(file, W_OK)) { f = fopen(file, "wb+"); write_to_file(f); } else { fprintf(stderr, "Permission denied, cannot open %s.\n", file);

20 } else { }... A B time pointer $ touch dummy; ln s dummy pointer dummy access is allowed

21 } else { }... A C B time pointer $ touch dummy; ln s dummy pointer $ rm pointer; ln s /etc/passwd pointer dummy access is allowed rm pointer ln s /etc/passwd pointer

22 } else { }... A C B time pointer Pointer $ touch dummy; ln s dummy pointer $ rm pointer; ln s /etc/passwd pointer dummy access is allowed /etc/passwd rm pointer ln s /etc/passwd pointer

23 executing program A: program is a script, so command interpreter is loaded first B: program interpreter (with root privileges) is invoked on script name attacker can replace script content between step A and B Setuid not allowed on scripts on most platforms! although there are some work-arounds

24 Interpreter runs the script A B time pointer Attack: setuid_script $ ln s /bin/setuid_script pointer script is setuid: program interpreter is started with effective UID root

25 Interpreter runs the script A C B time pointer Attack: $ ln s /bin/setuid_script pointer $ rm pointer; ln s my_script pointer setuid_script rm pointer script is setuid: ln s my_script pointer program interpreter is started with effective UID root

26 Interpreter runs the script A C B time pointer pointer Attack: $ ln s /bin/setuid_script pointer $ rm pointer; ln s my_script pointer setuid_script rm pointer my_script script is setuid: ln s my_script pointer program interpreter is started with effective UID root

27

28 (One) Attack: guess the tmp file name: "/tmp/tmp0001" ln -s /etc/target /tmp/tmp0001 victim program will create file /etc/target for you, when it tries to create the temporary file! if first guess doesn't work, try 1 million times

29 A /tmp/tmp0001 does not exist B time

30 A /tmp/tmp0001 does not exist C B time Attack: $ ln -s /etc/target /tmp/tmp0001 ln s /etc/target /tmp/tmp0001

31 /etc/target is created! A /tmp/tmp0001 does not exist C B time /tmp/tmp0001 Attack: /etc/target $ ln -s /etc/target /tmp/tmp0001 ln s /etc/target /tmp/tmp0001

32 race condition when attacker replaces file (softlink) between lstat(2) and unlink(2) attack: delete temporary file too early delay program long enough until temp cleaner removes active temporary file

33 if file exists, fopen will fail: try again with another file name (in a loop) delete the file immediately using unlink(2) until the file descriptor is open is still usable by the program perform reads, writes, and seeks on the file as necessary finally, close the file: it is automatically deleted Use file handles instead of file names (kernel option CONFIG_FHANDLE)

34 Use library functions to create temporary files don't roll your own implementation! Some library functions are insecure mktemp(3) is not secure, use mkstemp(3) instead old versions of mkstemp(3) did not set umask correctly

35 a = malloc(10); // Launch Thread 2 if(some_error) free(a); /* do some work, write to a */ a[0]=work();

36 a = malloc(10); // Launch Thread 2 if(some_error) free(a); /* do some work, write to a */ a[0]=work();

37 example: Joe Editor vulnerability when joe crashes (e.g., segmentation fault, xterm crashes) unconditionally append open buffers to local DEADJOE file DEADJOE could be symbolic link to security-relevant file

38 2 processes may do this at the same time, leading to 2 insertions Countermeasures locking primary keys: use a single atomic insert. It will fail if key already exists

39

40 ...but are slow in some corner cases? Example: filename lookups deeply nested directory structure chain of symbolic links looking up the file in the FS will take longer!

41 ... look for file named file.text in final directory Limit to length of a file name: MAXPATHLENGTH (4096 on my linux) Max depth of ~2000

42 40 on my linux box Total file system lookups: follow 40 chains......each with 2000 nested directories lookups!

43 chain2/d/d/d/d/d/.../d/lnk chain0/d/d/d/d/d/.../d/lnk exit entry/lnk/.../lnk/lnk/lnk/lnk This malicious file name forces the OS to traverse the entire chain of symbolic links

44 CONTENT OF FILE real 7m22.498s user 0m0.000s sys 0m4.964s maze not already cached by the OS Reliably over half a second Plenty of time to exploit a race condition Much less now on SDD but still exploitable!

45 maze0 public maze_entry secret_maze secret

46 maze0 public maze_entry secret_maze secret Change the maze_entry while suid_cat is running!

47 what if there are files in directory? too slow in practice hash table! good average performance bad worst-case performance can an attacker exploit this?

48 because most buckets hold 1 or 0 elements Worst case complexity is O(N)! if all objects have the same hash Worst case does not occur accidentally (very unlikely) Attacker can make worst case happen

49 when there are many entries in the same bucket Create files with same hash! ABCD awde kyud xytu... target FFFF

50

51 Success is unlikely Attacker may be able to try 1 million times! Now that most of the computers have multiple cores, attacks are even easier

52 drop privileges instead and let the file system do the job Use the O_CREAT O_EXCL flags to create a new file with open(2) and be prepared to have the open call fail

53 write_to_file(fd); } else { fprintf(stderr, "Permission denied); } seteuid(euid); A = B time when acting on behalf of the user, assume his identity let the operating system check permissions! this code snippet still has 2 potential vulnerabilities

54 write_to_file(fd); } else { fprintf(stderr, "Permission denied); } seteuid(euid); A = B time check seteuid for errors if setuid fails, you are effective UID is unchanged (you are still root!) also drop group privileges with setegid()

55 Secure File Access create secure directory directory only write and executable by UID of process check that no parent directory can be modified by attacker walk up directory tree checking for permissions and links at each step

56 portable (files can be created nearly everywhere) stuck locks can be easily removed

57 can only attach to processes of same UID, except when run by root execve(2) execute program image setuid functionality (modifying the process EUID) not invoked when process is marked as being traced

58 Window of vulnerability between step 1 and step 4 attacker can attach via ptrace blocking kernel operations allow other user processes to run Kernel-side defense against this attack (locking)

59 source code analysis and model checking MOPS (MOdel-checking Programs for Security properties)

60 Dynamic analysis inferring data races during runtime Eraser: A Dynamic Data Race Detector for Multithreaded Programs

61 Prevention and Detection Next lecture Memory corruption bugs and exploitation Who has never seen some assembly code previously?

Secure Software Programming and Vulnerability Analysis

Secure Software Programming and Vulnerability Analysis Secure Software Programming and Vulnerability Analysis Christopher Kruegel chris@auto.tuwien.ac.at http://www.auto.tuwien.ac.at/~chris Race Conditions Secure Software Programming 2 Overview Parallel execution

More information

Secure Architecture Principles

Secure Architecture Principles Computer Security Course. Secure Architecture Principles Slides credit: Dan Boneh What Happens if you can t drop privilege? In what example scenarios does this happen? A service loop E.g., ssh Solution?

More information

CS140 Operating Systems Final December 12, 2007 OPEN BOOK, OPEN NOTES

CS140 Operating Systems Final December 12, 2007 OPEN BOOK, OPEN NOTES CS140 Operating Systems Final December 12, 2007 OPEN BOOK, OPEN NOTES Your name: SUNet ID: In accordance with both the letter and the spirit of the Stanford Honor Code, I did not cheat on this exam. Furthermore,

More information

Exploiting Unix File-System Races via Algorithmic Complexity Attacks

Exploiting Unix File-System Races via Algorithmic Complexity Attacks Exploiting Unix File-System Races via Algorithmic Complexity Attacks Xiang Cai, Yuwei Gui, and Rob Johnson (Stony Brook University). IEEE Symposium on Security and Privacy, May 2009. Agenda Introduction

More information

CIS Operating Systems File Systems Security. Professor Qiang Zeng Fall 2017

CIS Operating Systems File Systems Security. Professor Qiang Zeng Fall 2017 CIS 5512 - Operating Systems File Systems Security Professor Qiang Zeng Fall 2017 Previous class File and directory Hard link and soft link Mount Layered structure File system design Naïve: linked list

More information

Operating Systems Security

Operating Systems Security Operating Systems Security CS 166: Introduction to Computer Systems Security 1 Acknowledgements Materials from the CS167 lecture slides by Tom Doeppner included with permission Some slides 2016-2018 J.

More information

Race Conditions. A race condition occurs when an assumption needs to hold true for a period of time, but actually may not Bob and Alice example.

Race Conditions. A race condition occurs when an assumption needs to hold true for a period of time, but actually may not Bob and Alice example. Race Conditions A race condition occurs when an assumption needs to hold true for a period of time, but actually may not Bob and Alice example. Java Example Import java.io.* Import java.servlet.* Import

More information

Dynamic Detection and Prevention of Race Conditions in File Accesses

Dynamic Detection and Prevention of Race Conditions in File Accesses Dynamic Detection and Prevention of Race Conditions in File Accesses Eugene Tsyrklevich eugene@securityarchitects.com Outline What are race conditions? How can we prevent them? Implementation description

More information

Execution of Multiple flows (threads, processes, tasks, etc) If not controlled can lead to nondeterministic behavior

Execution of Multiple flows (threads, processes, tasks, etc) If not controlled can lead to nondeterministic behavior Race Conditions March 27, 2006 March 27, 2006 Concurrency Concurrency and Race condition Execution of Multiple flows (threads, processes, tasks, etc) If not controlled can lead to nondeterministic behavior

More information

Secure Coding in C and C++ Race conditions

Secure Coding in C and C++ Race conditions Secure Coding in C and C++ Race conditions Lecture 6 Oct 1, 2014 Acknowledgement: These slides are based on author Seacord s original presentation Concurrency and Race condition Concurrency Execution of

More information

CYSE 411/AIT681 Secure Software Engineering Topic #13. Secure Coding: Race Conditions

CYSE 411/AIT681 Secure Software Engineering Topic #13. Secure Coding: Race Conditions CYSE 411/AIT681 Secure Software Engineering Topic #13. Secure Coding: Race Conditions Instructor: Dr. Kun Sun 1 Secure Coding String management Pointer Subterfuge Dynamic memory management Integer security

More information

Chapter 6. File Systems

Chapter 6. File Systems Chapter 6 File Systems 6.1 Files 6.2 Directories 6.3 File system implementation 6.4 Example file systems 350 Long-term Information Storage 1. Must store large amounts of data 2. Information stored must

More information

3/7/18. Secure Coding. CYSE 411/AIT681 Secure Software Engineering. Race Conditions. Concurrency

3/7/18. Secure Coding. CYSE 411/AIT681 Secure Software Engineering. Race Conditions. Concurrency Secure Coding CYSE 411/AIT681 Secure Software Engineering Topic #13. Secure Coding: Race Conditions Instructor: Dr. Kun Sun String management Pointer Subterfuge Dynamic memory management Integer security

More information

CSC 405 Computer Security Linux Security

CSC 405 Computer Security Linux Security CSC 405 Computer Security Linux Security Alexandros Kapravelos akaprav@ncsu.edu Unix / Linux Started in 1969 at AT&T / Bell Labs Split into a number of popular branches BSD, System V (commercial, AT&T),

More information

Processes are subjects.

Processes are subjects. Identification and Authentication Access Control Other security related things: Devices, mounting filesystems Search path TCP wrappers Race conditions NOTE: filenames may differ between OS/distributions

More information

STING: Finding Name Resolution Vulnerabilities in Programs

STING: Finding Name Resolution Vulnerabilities in Programs STING: Finding Name Resolution ulnerabilities in Programs Hayawardh ijayakumar, Joshua Schiffman, Trent Jaeger Systems and Internet Infrastructure Security (SIIS) Lab Computer Science and Engineering Department

More information

SECURE PROGRAMMING TECHNIQUES. Race conditions. General terms. File access races. Network races. Multithreading. Signal handling races MEELIS ROOS 1

SECURE PROGRAMMING TECHNIQUES. Race conditions. General terms. File access races. Network races. Multithreading. Signal handling races MEELIS ROOS 1 Race conditions General terms File access races Network races Multithreading Signal handling races MEELIS ROOS 1 General terms Race condition correctness of the program depends on timing (race with an

More information

Lecture 10: Crash Recovery, Logging

Lecture 10: Crash Recovery, Logging 6.828 2011 Lecture 10: Crash Recovery, Logging what is crash recovery? you're writing the file system then the power fails you reboot is your file system still useable? the main problem: crash during multi-step

More information

CSE380 - Operating Systems

CSE380 - Operating Systems CSE380 - Operating Systems Notes for Lecture 17-11/10/05 Matt Blaze, Micah Sherr (some examples by Insup Lee) Implementing File Systems We ve looked at the user view of file systems names, directory structure,

More information

CIS 5373 Systems Security

CIS 5373 Systems Security CIS 5373 Systems Security Topic 3.1: OS Security Basics of secure design Endadul Hoque Slide Acknowledgment Contents are based on slides from Ninghui Li (Purdue), John Mitchell (Stanford), Dan Boneh (Stanford)

More information

Processes are subjects.

Processes are subjects. Identification and Authentication Access Control Other security related things: Devices, mounting filesystems Search path Race conditions NOTE: filenames may differ between OS/distributions Principals

More information

Secure Programming Lecture 16: Race Conditions

Secure Programming Lecture 16: Race Conditions Secure Programming Lecture 16: Race Conditions David Aspinall 18th March 2016 Outline Overview Race Conditions Race conditions with Unix file handling Data Races Preventing Races Preventing race conditions

More information

CS 380S. TOCTTOU Attacks. Don Porter. Some slides courtesy Vitaly Shmatikov and Emmett Witchel. slide 1

CS 380S. TOCTTOU Attacks. Don Porter. Some slides courtesy Vitaly Shmatikov and Emmett Witchel. slide 1 CS 380S TOCTTOU Attacks Don Porter Some slides courtesy Vitaly Shmatikov and Emmett Witchel slide 1 Definitions TOCTTOU Time of Check To Time of Use Check Establish some precondition (invariant), e.g.,

More information

Advanced Systems Security: Ordinary Operating Systems

Advanced Systems Security: Ordinary Operating Systems Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security:

More information

Data Security and Privacy. Unix Discretionary Access Control

Data Security and Privacy. Unix Discretionary Access Control Data Security and Privacy Unix Discretionary Access Control 1 Readings for This Lecture Wikipedia Filesystem Permissions Other readings UNIX File and Directory Permissions and Modes http://www.hccfl.edu/pollock/aunix1/filepermissions.htm

More information

RCU. ò Walk through two system calls in some detail. ò Open and read. ò Too much code to cover all FS system calls. ò 3 Cases for a dentry:

RCU. ò Walk through two system calls in some detail. ò Open and read. ò Too much code to cover all FS system calls. ò 3 Cases for a dentry: Logical Diagram VFS, Continued Don Porter CSE 506 Binary Formats RCU Memory Management File System Memory Allocators System Calls Device Drivers Networking Threads User Today s Lecture Kernel Sync CPU

More information

Race Condition Vulnerability Lab

Race Condition Vulnerability Lab Concordia Institute for Information Systems Engineering - INSE 6130 1 Race Condition Vulnerability Lab Copyright c 2006-2012 Wenliang Du, Syracuse University. The development of this document is funded

More information

Lecture 19: File System Implementation. Mythili Vutukuru IIT Bombay

Lecture 19: File System Implementation. Mythili Vutukuru IIT Bombay Lecture 19: File System Implementation Mythili Vutukuru IIT Bombay File System An organization of files and directories on disk OS has one or more file systems Two main aspects of file systems Data structures

More information

VFS, Continued. Don Porter CSE 506

VFS, Continued. Don Porter CSE 506 VFS, Continued Don Porter CSE 506 Logical Diagram Binary Formats Memory Allocators System Calls Threads User Today s Lecture Kernel RCU File System Networking Sync Memory Management Device Drivers CPU

More information

CS 162 Operating Systems and Systems Programming Professor: Anthony D. Joseph Spring Lecture 18: Naming, Directories, and File Caching

CS 162 Operating Systems and Systems Programming Professor: Anthony D. Joseph Spring Lecture 18: Naming, Directories, and File Caching CS 162 Operating Systems and Systems Programming Professor: Anthony D. Joseph Spring 2004 Lecture 18: Naming, Directories, and File Caching 18.0 Main Points How do users name files? What is a name? Lookup:

More information

Symlink attacks. Do not assume that symlinks are trustworthy: Example 1

Symlink attacks. Do not assume that symlinks are trustworthy: Example 1 Symlink attacks Do not assume that symlinks are trustworthy: Example 1 Application A creates a file for writing in /tmp. It assumes that since the file name is unusual, or because it encodes A's name or

More information

CS 162 Operating Systems and Systems Programming Professor: Anthony D. Joseph Spring Lecture 18: Naming, Directories, and File Caching

CS 162 Operating Systems and Systems Programming Professor: Anthony D. Joseph Spring Lecture 18: Naming, Directories, and File Caching CS 162 Operating Systems and Systems Programming Professor: Anthony D. Joseph Spring 2002 Lecture 18: Naming, Directories, and File Caching 18.0 Main Points How do users name files? What is a name? Lookup:

More information

Virtual File System. Don Porter CSE 306

Virtual File System. Don Porter CSE 306 Virtual File System Don Porter CSE 306 History Early OSes provided a single file system In general, system was pretty tailored to target hardware In the early 80s, people became interested in supporting

More information

We ve seen: Protection: ACLs, Capabilities, and More. Access control. Principle of Least Privilege. ? Resource. What makes it hard?

We ve seen: Protection: ACLs, Capabilities, and More. Access control. Principle of Least Privilege. ? Resource. What makes it hard? We ve seen: Protection: ACLs, Capabilities, and More Some cryptographic techniques Encryption, hashing, types of keys,... Some kinds of attacks Viruses, worms, DoS,... And a distributed authorization and

More information

Week11: Race Conditions

Week11: Race Conditions Week11: Race Conditions Pascal Meunier, Ph.D., M.Sc., CISSP March 28, 2007 Developed thanks to the support of Symantec Corporation, NSF SFS Capacity Building Program (Award Number 0113725) and the Purdue

More information

Virtual File System. Don Porter CSE 506

Virtual File System. Don Porter CSE 506 Virtual File System Don Porter CSE 506 History ò Early OSes provided a single file system ò In general, system was pretty tailored to target hardware ò In the early 80s, people became interested in supporting

More information

OS security mechanisms:

OS security mechanisms: OS security mechanisms: Memory Protection: One of the important aspects of Operating system security is Memory Protection. Memory provides powerful indirect way for an attacker to circumvent security mechanism,

More information

Secure Architecture Principles

Secure Architecture Principles CS 155 Spring 2016 Secure Architecture Principles Isolation and Least Privilege Access Control Concepts Operating Systems Browser Isolation and Least Privilege Acknowledgments: Lecture slides are from

More information

[This link is no longer available because the program has changed.] II. Security Overview

[This link is no longer available because the program has changed.] II. Security Overview Security ------------------- I. 2 Intro Examples II. Security Overview III. Server Security: Offense + Defense IV. Unix Security + POLP V. Example: OKWS VI. How to Build a Website I. Intro Examples --------------------

More information

Fall 2017 :: CSE 306. File Systems Basics. Nima Honarmand

Fall 2017 :: CSE 306. File Systems Basics. Nima Honarmand File Systems Basics Nima Honarmand File and inode File: user-level abstraction of storage (and other) devices Sequence of bytes inode: internal OS data structure representing a file inode stands for index

More information

Secure Architecture Principles

Secure Architecture Principles CS 155 Spring 2016 Secure Architecture Principles Isolation and Least Privilege Access Control Concepts Operating Systems Browser Isolation and Least Privilege Acknowledgments: Lecture slides are from

More information

CSE 565 Computer Security Fall 2018

CSE 565 Computer Security Fall 2018 CSE 565 Computer Security Fall 2018 Lecture 13: Operating System Security Department of Computer Science and Engineering University at Buffalo 1 Review Previous topics access control authentication session

More information

Explicit Information Flow in the HiStar OS. Nickolai Zeldovich, Silas Boyd-Wickizer, Eddie Kohler, David Mazières

Explicit Information Flow in the HiStar OS. Nickolai Zeldovich, Silas Boyd-Wickizer, Eddie Kohler, David Mazières Explicit Information Flow in the HiStar OS Nickolai Zeldovich, Silas Boyd-Wickizer, Eddie Kohler, David Mazières Too much trusted software Untrustworthy code a huge problem Users willingly run malicious

More information

I/O OPERATIONS. UNIX Programming 2014 Fall by Euiseong Seo

I/O OPERATIONS. UNIX Programming 2014 Fall by Euiseong Seo I/O OPERATIONS UNIX Programming 2014 Fall by Euiseong Seo Files Files that contain a stream of bytes are called regular files Regular files can be any of followings ASCII text Data Executable code Shell

More information

cs642 /operating system security computer security adam everspaugh

cs642 /operating system security computer security adam everspaugh cs642 computer security /operating system security adam everspaugh ace@cs.wisc.edu principles Principles of Secure Designs Compartmentalization / Isolation / Least privilege Defense-in-depth / Use more

More information

Programming Project # 2. cs155 Due 5/5/05, 11:59 pm Elizabeth Stinson (Some material from Priyank Patel)

Programming Project # 2. cs155 Due 5/5/05, 11:59 pm Elizabeth Stinson (Some material from Priyank Patel) Programming Project # 2 cs155 Due 5/5/05, 11:59 pm Elizabeth Stinson (Some material from Priyank Patel) Background context Unix permissions model Prof Mitchell will cover during OS security (next week

More information

Non-atomic check and use aka TOCTOU (Time of Check, Time of Use) or race conditions. Erik Poll Digital Security group Radboud University Nijmegen

Non-atomic check and use aka TOCTOU (Time of Check, Time of Use) or race conditions. Erik Poll Digital Security group Radboud University Nijmegen Non-atomic check and use aka TOCTOU (Time of Check, Time of Use) or race conditions Erik Poll Digital Security group Radboud University Nijmegen A classic source of (security) problems race condition aka

More information

Logical disks. Bach 2.2.1

Logical disks. Bach 2.2.1 Logical disks Bach 2.2.1 Physical disk is divided into partitions or logical disks Logical disk linear sequence of fixed size, randomly accessible, blocks disk device driver maps underlying physical storage

More information

CSE 120: Principles of Operating Systems. Lecture 10. File Systems. November 6, Prof. Joe Pasquale

CSE 120: Principles of Operating Systems. Lecture 10. File Systems. November 6, Prof. Joe Pasquale CSE 120: Principles of Operating Systems Lecture 10 File Systems November 6, 2003 Prof. Joe Pasquale Department of Computer Science and Engineering University of California, San Diego 2003 by Joseph Pasquale

More information

Advanced file systems: LFS and Soft Updates. Ken Birman (based on slides by Ben Atkin)

Advanced file systems: LFS and Soft Updates. Ken Birman (based on slides by Ben Atkin) : LFS and Soft Updates Ken Birman (based on slides by Ben Atkin) Overview of talk Unix Fast File System Log-Structured System Soft Updates Conclusions 2 The Unix Fast File System Berkeley Unix (4.2BSD)

More information

Case Study: Access Control. Steven M. Bellovin October 4,

Case Study: Access Control. Steven M. Bellovin October 4, Case Study: Access Control Steven M. Bellovin October 4, 2015 1 Case Studies in Access Control Joint software development Mail Steven M. Bellovin October 4, 2015 2 Situations Small team on a single machine

More information

Last Class: Memory management. Per-process Replacement

Last Class: Memory management. Per-process Replacement Last Class: Memory management Page replacement algorithms - make paging work well. Random, FIFO, MIN, LRU Approximations to LRU: Second chance Multiprogramming considerations Lecture 17, page 1 Per-process

More information

RCU. ò Dozens of supported file systems. ò Independent layer from backing storage. ò And, of course, networked file system support

RCU. ò Dozens of supported file systems. ò Independent layer from backing storage. ò And, of course, networked file system support Logical Diagram Virtual File System Don Porter CSE 506 Binary Formats RCU Memory Management File System Memory Allocators System Calls Device Drivers Networking Threads User Today s Lecture Kernel Sync

More information

I/O OPERATIONS. UNIX Programming 2014 Fall by Euiseong Seo

I/O OPERATIONS. UNIX Programming 2014 Fall by Euiseong Seo I/O OPERATIONS UNIX Programming 2014 Fall by Euiseong Seo Files Files that contain a stream of bytes are called regular files Regular files can be any of followings ASCII text Data Executable code Shell

More information

Lecture 11: Linux ext3 crash recovery

Lecture 11: Linux ext3 crash recovery 6.828 2011 Lecture 11: Linux ext3 crash recovery topic crash recovery crash may interrupt a multi-disk-write operation leave file system in an unuseable state most common solution: logging last lecture:

More information

Secure Architecture Principles

Secure Architecture Principles CS 155 Spring 2017 Secure Architecture Principles Isolation and Least Privilege Access Control Concepts Operating Systems Browser Isolation and Least Privilege Secure Architecture Principles Isolation

More information

Writing Safe Setuid Programs. Theme

Writing Safe Setuid Programs. Theme Writing Safe Setuid Programs Department of Computer Science Davis, CA 95616-8562 phone (916) 752-8060 email bishop@cs.ucdavis.edu Slide # 1 Theme Using standard robust programming techniques can greatly

More information

I m paranoid, but am I paranoid enough? Steven M. Bellovin February 20,

I m paranoid, but am I paranoid enough? Steven M. Bellovin February 20, I m paranoid, but am I paranoid enough? Steven M. Bellovin February 20, 2007 1 Special Techniques for Secure Programs Buffer overflows are bad in any case Some problems are only a risk for secure programs

More information

Access Control. CMPSC Spring 2012 Introduction Computer and Network Security Professor Jaeger.

Access Control. CMPSC Spring 2012 Introduction Computer and Network Security Professor Jaeger. Access Control CMPSC 443 - Spring 2012 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse443-s12/ Access Control Describe the permissions available to computing processes

More information

CSL373/CSL633 Major Exam Solutions Operating Systems Sem II, May 6, 2013 Answer all 8 questions Max. Marks: 56

CSL373/CSL633 Major Exam Solutions Operating Systems Sem II, May 6, 2013 Answer all 8 questions Max. Marks: 56 CSL373/CSL633 Major Exam Solutions Operating Systems Sem II, 2012 13 May 6, 2013 Answer all 8 questions Max. Marks: 56 1. True or False. Give reasons and/or brief explanation. No marks for incomplete/wrong

More information

Case Studies in Access Control

Case Studies in Access Control Joint software development Mail 1 / 38 Situations Roles Permissions Why Enforce Access Controls? Unix Setup Windows ACL Setup Reviewer/Tester Access Medium-Size Group Basic Structure Version Control Systems

More information

Typical File Extensions File Structure

Typical File Extensions File Structure CS 355 Operating Systems File Systems File Systems A file is a collection of data records grouped together for purpose of access control and modification A file system is software responsible for creating,

More information

The Kernel Abstraction

The Kernel Abstraction The Kernel Abstraction Debugging as Engineering Much of your time in this course will be spent debugging In industry, 50% of software dev is debugging Even more for kernel development How do you reduce

More information

CSI 402 Lecture 11 (Unix Discussion on Files continued) 11 1 / 19

CSI 402 Lecture 11 (Unix Discussion on Files continued) 11 1 / 19 CSI 402 Lecture 11 (Unix Discussion on Files continued) 11 1 / 19 User and Group IDs Ref: Chapter 3 of [HGS]. Each user is given an ID (integer) called uid. (Most system programs use uid instead of the

More information

What is a file system

What is a file system COSC 6397 Big Data Analytics Distributed File Systems Edgar Gabriel Spring 2017 What is a file system A clearly defined method that the OS uses to store, catalog and retrieve files Manage the bits that

More information

(In columns, of course.)

(In columns, of course.) CPS 310 first midterm exam, 10/9/2013 Your name please: Part 1. Fun with forks (a) What is the output generated by this program? In fact the output is not uniquely defined, i.e., it is not always the same.

More information

6.828 Fall 2007 Quiz II Solutions

6.828 Fall 2007 Quiz II Solutions Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY 6.828 Fall 2007 Quiz II Solutions The average was 80. 1 I Virtual Machines The x86 SIDT and LIDT instructions

More information

CS510 Operating System Foundations. Jonathan Walpole

CS510 Operating System Foundations. Jonathan Walpole CS510 Operating System Foundations Jonathan Walpole File System Performance File System Performance Memory mapped files - Avoid system call overhead Buffer cache - Avoid disk I/O overhead Careful data

More information

Operating Systems. Operating Systems Professor Sina Meraji U of T

Operating Systems. Operating Systems Professor Sina Meraji U of T Operating Systems Operating Systems Professor Sina Meraji U of T How are file systems implemented? File system implementation Files and directories live on secondary storage Anything outside of primary

More information

Chapter 11: File System Implementation. Objectives

Chapter 11: File System Implementation. Objectives Chapter 11: File System Implementation Objectives To describe the details of implementing local file systems and directory structures To describe the implementation of remote file systems To discuss block

More information

Tricky issues in file systems

Tricky issues in file systems Tricky issues in file systems Taylor Riastradh Campbell campbell@mumble.net riastradh@netbsd.org EuroBSDcon 2015 Stockholm, Sweden October 4, 2015 What is a file system? Standard Unix concept: hierarchy

More information

Topics. File Buffer Cache for Performance. What to Cache? COS 318: Operating Systems. File Performance and Reliability

Topics. File Buffer Cache for Performance. What to Cache? COS 318: Operating Systems. File Performance and Reliability Topics COS 318: Operating Systems File Performance and Reliability File buffer cache Disk failure and recovery tools Consistent updates Transactions and logging 2 File Buffer Cache for Performance What

More information

EXPLODE: a Lightweight, General System for Finding Serious Storage System Errors. Junfeng Yang, Can Sar, Dawson Engler Stanford University

EXPLODE: a Lightweight, General System for Finding Serious Storage System Errors. Junfeng Yang, Can Sar, Dawson Engler Stanford University EXPLODE: a Lightweight, General System for Finding Serious Storage System Errors Junfeng Yang, Can Sar, Dawson Engler Stanford University Why check storage systems? Storage system errors are among the

More information

CSC209: Software tools. Unix files and directories permissions utilities/commands Shell programming quoting wild cards files

CSC209: Software tools. Unix files and directories permissions utilities/commands Shell programming quoting wild cards files CSC209 Review CSC209: Software tools Unix files and directories permissions utilities/commands Shell programming quoting wild cards files ... and systems programming C basic syntax functions arrays structs

More information

CSC209: Software tools. Unix files and directories permissions utilities/commands Shell programming quoting wild cards files. Compiler vs.

CSC209: Software tools. Unix files and directories permissions utilities/commands Shell programming quoting wild cards files. Compiler vs. CSC209 Review CSC209: Software tools Unix files and directories permissions utilities/commands Shell programming quoting wild cards files... and systems programming C basic syntax functions arrays structs

More information

Outline. Security as an economic good. Risk budgeting with ALE. Failure: Risk compensation. Failure: Displacement activity

Outline. Security as an economic good. Risk budgeting with ALE. Failure: Risk compensation. Failure: Displacement activity CSci 5271 Introduction to Computer Security Day 2: Intro to Software and OS Security Stephen McCamant University of Minnesota, Computer Science & Engineering Security as an economic good Security is a

More information

Wedge: Splitting Applications into Reduced-Privilege Compartments

Wedge: Splitting Applications into Reduced-Privilege Compartments Wedge: Splitting Applications into Reduced-Privilege Compartments Andrea Bittau Petr Marchenko Mark Handley Brad Karp University College London April 17, 2008 Vulnerabilities threaten sensitive data Exploits

More information

CIS Operating Systems Memory Management Address Translation for Paging. Professor Qiang Zeng Spring 2018

CIS Operating Systems Memory Management Address Translation for Paging. Professor Qiang Zeng Spring 2018 CIS 3207 - Operating Systems Memory Management Address Translation for Paging Professor Qiang Zeng Spring 2018 Previous class What is logical address? Who use it? Describes a location in the logical memory

More information

Information Security CS 526

Information Security CS 526 Information Security CS 526 s Security Basics & Unix Access Control 1 Readings for This Lecture Wikipedia CPU modes System call Filesystem Permissions Other readings UNIX File and Directory Permissions

More information

OS Security III: Sandbox and SFI

OS Security III: Sandbox and SFI 1 OS Security III: Sandbox and SFI Chengyu Song Slides modified from Dawn Song 2 Administrivia Lab2 VMs on lab machine Extension? 3 Users and processes FACT: although ACLs use users as subject, the OS

More information

CS3600 SYSTEMS AND NETWORKS

CS3600 SYSTEMS AND NETWORKS CS3600 SYSTEMS AND NETWORKS NORTHEASTERN UNIVERSITY Lecture 11: File System Implementation Prof. Alan Mislove (amislove@ccs.neu.edu) File-System Structure File structure Logical storage unit Collection

More information

Summer 2003 Lecture 26 07/24/03

Summer 2003 Lecture 26 07/24/03 Summer 2003 Lecture 26 07/24/03 Organization of Data on the Disk The logical organization of the FAT file system on a disk is made up of the following elements. BOOT Sector Root Directory Structure File

More information

File Systems. OS Overview I/O. Swap. Management. Operations CPU. Hard Drive. Management. Memory. Hard Drive. CSI3131 Topics. Structure.

File Systems. OS Overview I/O. Swap. Management. Operations CPU. Hard Drive. Management. Memory. Hard Drive. CSI3131 Topics. Structure. File Systems I/O Management Hard Drive Management Virtual Memory Swap Memory Management Storage and I/O Introduction CSI3131 Topics Process Management Computing Systems Memory CPU Peripherals Processes

More information

Operating system security models

Operating system security models Operating system security models Unix security model Windows security model MEELIS ROOS 1 General Unix model Everything is a file under a virtual root diretory Files Directories Sockets Devices... Objects

More information

File System Interface. ICS332 Operating Systems

File System Interface. ICS332 Operating Systems File System Interface ICS332 Operating Systems Files and Directories Features A file system implements the file abstraction for secondary storage It also implements the directory abstraction to organize

More information

Section 7: Wait/Exit, Address Translation

Section 7: Wait/Exit, Address Translation William Liu October 15, 2014 Contents 1 Wait and Exit 2 1.1 Thinking about what you need to do.............................. 2 1.2 Code................................................ 2 2 Vocabulary 4

More information

Dirty COW Attack Lab

Dirty COW Attack Lab SEED Labs Dirty COW Attack Lab 1 Dirty COW Attack Lab Copyright 2017 Wenliang Du, Syracuse University. The development of this document was partially funded by the National Science Foundation under Award

More information

Secure Architecture Principles

Secure Architecture Principles Secure Architecture Principles Isolation and Least Privilege Access Control Concepts Operating Systems Browser Isolation and Least Privilege Original slides were created by Prof. John Mitchel 1 Secure

More information

CSE543 - Introduction to Computer and Network Security

CSE543 - Introduction to Computer and Network Security CSE543 - Introduction to Computer and Network Security Module: Software Vulnerabilities Professor Trent Jaeger 1 Programming Why do we write programs? Function What functions do we enable via our programs?

More information

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY 6.858 Fall 2010 Quiz I All problems are open-ended questions. In order to receive credit you must answer

More information

Keys and Passwords. Steven M. Bellovin October 17,

Keys and Passwords. Steven M. Bellovin October 17, Keys and Passwords Steven M. Bellovin October 17, 2010 1 Handling Long-Term Keys Where do cryptographic keys come from? How should they be handled? What are the risks? As always, there are tradeoffs Steven

More information

JOURNALING FILE SYSTEMS. CS124 Operating Systems Winter , Lecture 26

JOURNALING FILE SYSTEMS. CS124 Operating Systems Winter , Lecture 26 JOURNALING FILE SYSTEMS CS124 Operating Systems Winter 2015-2016, Lecture 26 2 File System Robustness The operating system keeps a cache of filesystem data Secondary storage devices are much slower than

More information

CS3210: Crash consistency

CS3210: Crash consistency CS3210: Crash consistency Kyle Harrigan 1 / 45 Administrivia Lab 4 Part C Due Tomorrow Quiz #2. Lab3-4, Ch 3-6 (read "xv6 book") Open laptop/book, no Internet 2 / 45 Summary of cs3210 Power-on -> BIOS

More information

Operating Systems. Week 9 Recitation: Exam 2 Preview Review of Exam 2, Spring Paul Krzyzanowski. Rutgers University.

Operating Systems. Week 9 Recitation: Exam 2 Preview Review of Exam 2, Spring Paul Krzyzanowski. Rutgers University. Operating Systems Week 9 Recitation: Exam 2 Preview Review of Exam 2, Spring 2014 Paul Krzyzanowski Rutgers University Spring 2015 March 27, 2015 2015 Paul Krzyzanowski 1 Exam 2 2012 Question 2a One of

More information

Fundamentals of Computer Security

Fundamentals of Computer Security Fundamentals of Computer Security Spring 2015 Radu Sion Software Errors Buffer Overflow TOCTTOU 2005-15 Portions copyright by Bogdan Carbunar and Wikipedia. Used with permission Why Security Vulnerabilities?

More information

CSE 4/521 Introduction to Operating Systems

CSE 4/521 Introduction to Operating Systems CSE 4/521 Introduction to Operating Systems Lecture 3 Operating Systems Structures (Operating-System Services, User and Operating-System Interface, System Calls, Types of System Calls, System Programs,

More information

CSCE 548 Building Secure Software Dirty COW Race Condition Attack

CSCE 548 Building Secure Software Dirty COW Race Condition Attack CSCE 548 Building Secure Software Dirty COW Race Condition Attack Professor Lisa Luo Spring 2018 Outline Dirty COW vulnerability Memory Mapping using mmap() Map_shared, Map_Private Mapping Read-Only Files

More information

KERNEL THREAD IMPLEMENTATION DETAILS. CS124 Operating Systems Winter , Lecture 9

KERNEL THREAD IMPLEMENTATION DETAILS. CS124 Operating Systems Winter , Lecture 9 KERNEL THREAD IMPLEMENTATION DETAILS CS124 Operating Systems Winter 2015-2016, Lecture 9 2 Last Time: Kernel Threads OS kernel must provide a multitasking implementation Kernel threads are the minimal

More information

G Operating Systems: Spring Final Exam

G Operating Systems: Spring Final Exam Computer Science Department New York University G22.2250-001 Operating Systems: Spring 2009 Final Exam Many problems are open-ended questions. In order to receive credit you must answer the question as

More information

Operating Systems Linux 1-2 Measurements Background material

Operating Systems Linux 1-2 Measurements Background material Operating Systems Linux 1-2 Measurements Background material Introduction The Linux measurements were designed to allow you to have an impression about the administration of Linux severs along with providing

More information