SECURE PROGRAMMING TECHNIQUES. Race conditions. General terms. File access races. Network races. Multithreading. Signal handling races MEELIS ROOS 1

Transcription

1 Race conditions General terms File access races Network races Multithreading Signal handling races MEELIS ROOS 1

2 General terms Race condition correctness of the program depends on timing (race with an external entity) Process scheduling can switch context any time, for any amount of time Network is asynchronous by nature Attacker can change scheduling by causing load or just trying hard enough Happens on unsynchronized use of shared resources Race with untrusted processes Race with trusted processes (locking bugs) General solution: use atomic operations Locking tool for synchronization, usually between trusted processes MEELIS ROOS 2

3 File access races TOCTOU (Time Of Check, Time Of Use) pattern in races: 1. A program checks a property of a file, referencing the file by its name 2. An attacker alters the meaning of the filename so that it refers to a different filesystem object 3. The program later performs a filesystem operation using the same filename and assumes the previously checked property still holds Properties can be about metainfo (owner, permissions, being symbolic link etc) or about changing the file itself (new file with the same name) MEELIS ROOS 3

4 Example: access() vs open() lpr vulnerability in ancient Linux (1999) for (int i=1; i < argc; i++) { /* make sure that the user can read the file, * then open it */ if (!access(argv[i], O_RDONLY)) { fd = open(argv[i], O_RDONLY); } print(fd); } MEELIS ROOS 4

5 Timing Possible timing between lpr and attack code access("/tmp/attack") open("/tmp/attack") unlink("/tmp/attack") symlink("/etc/shadow", "/tmp/attack") MEELIS ROOS 5

6 Fix: switch UID-s, open only once for (int i=1; i < argc; i++) { int caller_uid = getuid(); int owner_uid = geteuid(); /* set effective user id before opening the file */ if (setresuid(-1, caller_uid, owner_uid)!= 0) { exit(-1); } if (fd = open(argv[i], O_RDONLY); /* reset the effective user id to its original value */ if (setresuid(-1, owner_uid, caller_uid)!= 0) { exit(-1); } if (fd!= -1) print(fd); } MEELIS ROOS 6

7 File access races Stealing a temporary file with loose permissions Predictability of filenames in shared directories Symlink attacks make the filename point somewhere else Between check and use Even before preparing symlinks with predictable names (either pointing somewhere or dangling) Using up resources (allocate and reserve resources before use?) MEELIS ROOS 7

8 Predictable filenames First, try to avoid creating files in publicly writable directories If you still need to do it: Avoid fixed names Avoid weak randomness process ID, current time, short random part of filename Common example: RESULT=/tmp/myresult.$$ do_cmd > $RESULT if! grep Success: $RESULT; then exit 1; fi; done... rm $RESULT Find all bugs in this snippet! MEELIS ROOS 8

9 Fixing file access races Avoid using publicly writable directories TMP, TMPDIR; TEMP environment variables Avoid temporary files at all when not needed use pipe with one producer and only one consumer Use any name only once Open file and keep fd open Perform further operations only on fd, not name fchown, fchmod, fchdir, fstat access() is usually bad Unlinking filename might be a good idea to shorten the windows others might open it Don t reuse temporary filenames MEELIS ROOS 9

10 Creating a temporary file securely Use strict file create to avoid existing files with same name you try open(filename, O_RDWR O_CREAT O_EXCL, 0600) O_TMPFILE (Linux-only) Avoid symlinks O_NOFOLLOW (good but not portable) or create a subdirectory, secure it and create your files there Check return values and repeat until you have got your file MEELIS ROOS 10

11 Temporary file library functions Good: mkstemp(char *template) creates file, opens it and returns filled in name mkdtemp(char *template) creates a directory and returns filled in name Weak: FILE *tmpfile(void) creates, opens and unlinks, misses O_EXCL tempnam(char *dir, char *pfx) TOCTOU possible; honours TMPDIR tmpnam(char *s) TOCTOU possible mktemp(char *template) TOCTOU again GetTempFileName() TOCTOU MEELIS ROOS 11

12 Multithreading Concurrent programs can share objects in memory by using multithreading by using explicitly shared memory between multiple processes Shared structures must be accessed with some synchronization protocol to avoid corrupting the data Bugs are frequent here because the model is hard for programmers ("locking bugs") Most synchronization bugs are not exploitable as security bugs, but Corruption of state may always lead to vulnerabilities Availability is hit hard (hangs, crashes) Language-agnostic (anywhere shared state is used) MEELIS ROOS 12

13 Networking Different streams and packets race with each other: Different routes, router queues Congestion control and retransmissions Process scheduling on end nodes Example: IRC channel takeovers Example: AJAX and parallel queries Synchronous and asynchronous XmlHttpRequest Several requests in parallel are possible, depending on user actions MEELIS ROOS 13

14 Signal handling Completely asynchronous Signal handler can do only a limited set of operations because of this Lots of signals coming in quickly can uncover additional problems MEELIS ROOS 14

15 Example: signal handling race #include <signal.h> #include <syslog.h> #include <string.h> #include <stdlib.h> void *global1, *global2; char *what; void sh(int dummy) { syslog(log_notice,"%s\n",what); free(global2); free(global1); sleep(10); exit(0); } MEELIS ROOS 15

16 Example: signal handling race (cont) int main(int argc,char* argv[]) { what=argv[1]; global1=strdup(argv[2]); global2=malloc(340); signal(sighup,sh); signal(sigterm,sh); sleep(10); free(global2); free(global1); exit(0); } MEELIS ROOS 16