Exploiting Unix File-System Races via Algorithmic Complexity Attacks

Transcription

1 Exploiting Unix File-System Races via Algorithmic Complexity Attacks Xiang Cai, Yuwei Gui, and Rob Johnson (Stony Brook University). IEEE Symposium on Security and Privacy, May 2009.

2 Agenda Introduction Proposed Run-time Defense Mechanisms Preparing for the Race Evaluation

3 Introduction

4 Time-Of-Check-To-Time-Of-Use (TOCTTOU) Time of Check Permission Granted Status Time of Use Changed

5 int main(int argc, char **argv) { int fd; /* If my invoker cannot access argv[1], then exit. */ if (access(argv[1], R_OK)!= 0) exit(1); fd = open(argv[1], O_RDONLY); /* Use fd... */ } UID associated w/ process Real UID: UID of the user who launched the process Effective UID: UID be used to determine the permission Saved UID: Executable file s owner Figure 1: A setuid-program uses the insecure access(2)/open(2) design pattern.

6 int main(int argc, char **argv) { int fd; /* If my invoker cannot access argv[1], then exit. */ if (access(argv[1], R_OK)!= 0) exit(1); fd = open(argv[1], O_RDONLY); /* Use fd... */ } int main(int argc, char **argv) { /* Assume file refers to a file readable by the attacker. */ if (fork() == 0) { system( victim file ); exit(0); } usleep(1); } unlink( file ); link( /etc/shadow, file ); Figure 1: A setuid-program uses the insecure access(2)/open(2) design pattern. Figure 2: Exploitation of the vulnerable program in Figure 1.

7 int main(int argc, char **argv) { int fd; /* If my invoker cannot access argv[1], then exit. */ if (access(argv[1], R_OK)!= 0) exit(1); fd = open(argv[1], O_RDONLY); /* Use fd... */ } Context Switch Context Switch int main(int argc, char **argv) { /* Assume file refers to a file readable by the attacker. */ if (fork() == 0) { } system( victim file ); exit(0); } usleep(1); unlink( file ); link( /etc/shadow, file ); Figure 1: A setuid-program uses the insecure access(2)/open(2) design pattern. Figure 2: Exploitation of the vulnerable program in Figure 1.

8 Contribution Develop new tools for exploiting Unix file-system races Show that atomic k-race and TY-Race is insecure for multiple OS

9 Proposed Run-time Defense Mechanisms

10 TY-Race Kernel-based dynamic race detectors

11 /home/adl / secret (pid, dirid, fname, status) A table T be maintained in the kernel dirid Inodes status Inodes

12 traverse the path (pid, dirid, fname, status) Look up entry in T Found (pid, dirid, fname, status ) compare status & status Same proceed to the next atom Not found Not equal /home/adl/secret Add an entry abort return error logging msg This is a atom

13 Remove Entries from T Saving the memory usage Waiting for entries be removed or flushing the system-wide table

14 Atomic k-race Probabilistic user-space defenses

15 lstat(2) open(2) close(2) LAOF(LAOFC) k access(2) fstat(2)

16 slaasof(laasofc) k a = switch atom to an accessible file s = switch atom to a secret file

17 slaasof(laasofc) k must win 2k + 2 races total success probability = p 2k + 2

18 Attack Overview on atomic k-race

19 Caution sleep(2) timers expires during the execution of the victim s syscall victim s syscall only take a few microseconds (tiny wakeup window) ensure the scheduler chooses to run attacking process

20 Preparing for the Race

21 Enlarge The Wakeup Window By exploiting the hash table of the name resolution

22 Birthday Attack All generated filenames f1~fk have the same hash value 0. Causing the kernel to create an entry for each fi in the name cache. It requires O(k) time to traverse the entire linked list look for fk.

23 Preparing Hash Table First, create fk as a hard link to the target file and make the kernel create its entry in the name cache, then create f1~fk-1 s files and corresponding entries in the name cache.

24

25 Buying Time for Update fk POSIX , send signal to victim SIGSTOP & SIGCONT

26 Fast File Switching Greatly benefit OpenBSD s exploitation

27 Ensuring Precise and Reliable Scheduling by Priority Laundering, Sleep-walking, Syncing w/ The Clock, and so on

28 Priority Laundering use nice(2) to decrease victim s priority

29 Sleep-walking Using 2 processes to nanosleep(2) & kill(2) at the same time

30 Syncing w/ The Clock Use nanosleep(2) to sync the attacker process with the kernel s clock ticks issue end issue end only one sleep 2nd sleep after syncing

31 Summary Attack algorithm for FreeBSD

32 Evaluation

33

34

35 Discussion

36 Attackers could use this technique to exploit a temporary file creation race Fix atomic k-race by adding randomized busy-waits between each system call, but still vulnerable On OpenBSD, attackers does not need to send SIGSTOP & SIGCONT Perform either lstat(2) or access(2) randomly

37 Fix the hash tables with balanced binary trees Linux inotify give attackers great control over the scheduling of certain syscall

38 Related Work Static detectors Dynamic detectors and preventers Probabilistic defenses Interface changes User-space solutions