3/7/18. Secure Coding. CYSE 411/AIT681 Secure Software Engineering. Race Conditions. Concurrency

Transcription

1 Secure Coding CYSE 411/AIT681 Secure Software Engineering Topic #13. Secure Coding: Race Conditions Instructor: Dr. Kun Sun String management Pointer Subterfuge Dynamic memory management Integer security Formatted output Race conditions Web security 1 2 Concurrency Concurrency occurs when two or more separate execution flows are able to run simultaneously. Examples of independent execution flows include threads, processes, and tasks. Concurrent execution of multiple flows of execution is an essential part of a modern computing environment. Race Conditions An unanticipated execution ordering of concurrent flows that results in undesired behavior is called a race condition a software defect and frequent source of vulnerabilities. Race conditions result from runtime environments, including operating systems, that must control access to shared resources, especially through process scheduling. 3 4 Conditions for Race Condition Example: Failure Sketch for Apache Bug #21287 Race condition needs: Concurrency There must be at least two control flows executing concurrently. Shared Object A shared race object must be accessed by both of the concurrent flows. Change State At least one of the control flows must alter the state of the race object

2 Deadlock vs. Livelock Deadlock: Two processes are unable to proceed because each is waiting for the others to do something. System comes to a halt. Livelock: Two processes continuously change their states in response to changes in the other process without doing any useful work System continues to work. digitizer() { image_type dig_image; int tail = 0; Deadlock/Livelock Example tracker() { image_type track_image; int head = 0; Deadlock loop { /* begin loop */ loop { /* begin loop */ grab(dig_image); Livelock while (bufavail == 0){ frame_buf[tail mod MAX] = dig_image; tail = tail + 1; bufavail = bufavail - 1; /* end loop */ while (bufavail == MAX){ track_image = frame_buf[head mod MAX]; head = head + 1; bufavail = bufavail + 1; analyze(track_image); /* end loop */ 7 8 Definitions Time of Check to Time of Use (TOCTTOU) TOCTTOU Time of Check To Time of Use Check Establish some precondition (invariant), e.g., access permission Use Operate on the object assuming that the invariant is still valid Essentially a race condition Most famously in the file system, but can occur in any concurrent system 9 10 UNIX File System Security Access control: user should only be able to access a file if he has the permission to do so But what if user is running as setuid-root? E.g., a printing program is usually setuid-root in order to access the printer device Runs as if the user had root privileges But a root user can access any file! How does the printing program know that the user has the right to read (and print) any given file? UNIX has a special access() system call The access() function is called to check if the file exists and has write permission

3 the file is opened for writing Race window between checking for access and opening file access()/open() Vulnerability An external process can change or replace the ownership of some_file. If this program is running with an effective user ID (UID) of root, the replacement file is opened and written to. If an attacker can replace some_file with a link during the race window, this code can be exploited to write to any file of the attacker s choosing. E.g., #rm /some_file #ln /myfile /some_file access()/open() Exploit Goal: trick setuid-root program into opening a normally inaccessible file Create a symbolic link to a harmless user file access() will say that file is Ok to read After access(), but before open() switch symbolic link to point to /etc/shadow /etc/shadow is a root-readable password file Attack program must run concurrently with the victim and switch the link at exactly the right time Interrupt victim between access() and open() Sendmail Example Sendmail Vulnerability: An Example Run as root Operate on files owned by normal users Check Use a symbolic link? No Append the new message to Yes Error handling Establishing the invariant: is NOT a symbolic link Assuming the invariant still holds 17 Check Use Sendmail (root) a symbolic link? No Append the new message to (actually to /etc/passwd) Time Attacker (abc) Delete Create symbolic link mailbox, pointing to /etc/passwd Effect: The attacker may get unauthorized root access! 18 3

4 Evading System Call Interposition TOCTTOU and race conditions can be used to evade system call interposition by sharing state Example: when two Linux threads share file system information, they share their root directories and current working directory Thread A s current working directory is /tmp Thread A calls open( shadow ); B calls chdir( /etc ) Both look harmless; system monitor permits both calls open( shadow ) executes with /etc as working directory A s call now opens /etc/shadow oops! How Hard Is It to Win a Race? Idea: force victim program to perform an expensive I/O operation While waiting for I/O to complete, victim will yield CPU to the concurrent attack program, giving it window of opportunity to switch the symlink, working dir, etc. How? Make sure that the file being accessed is not in the file system cache Force victim to traverse very deep directory structures TOCTTOU Probabilistic Model Window of Vulnerability: the time interval between check and use (e.g., <open, chown>). Attack pattern: {detection+ [attack] detection can be run 1 or more times attack can be run 0 or 1 time Three process states Suspended: unable to run (relinquishing CPU) Scheduled: able to run (using CPU) Finished: finished the attack actions (symbolic link replacement, etc) 22 A Probabilistic Model for Predicting TOCTTOU Attack Success Rate P (attack succeeds) = P (victim suspended) * P (attack scheduled victim suspended) * P (attack finished victim suspended) + P (victim not suspended) * P (attack scheduled victim not suspended) * P (attack finished victim not suspended) P (attack succeeds) on a multiprocessor is not less than that on a uniprocessor, because of the second part of the equation. Ø P (attack scheduled victim not suspended) = 0 on a uniprocessor Success gain due to the second part may become significant when P (victim suspended) is very small. But wait, can the attack finished? 21 P (attack finished victim not suspended) The answer = D = detection time, L = t2 - t1 (Laxity) t1 = the earliest start time for a successful detection t2 = the latest start time for a successful detection leading to a successful attack How hard to prevent TOCTTOU? No portable, deterministic solution with current POSIX filesystem API Tactics: Static checks for dangerous pairs (compile time) Hacks to setuid programs (least privilege) Kernel detection and compensation (RaceGuard) User-mode dynamic detection Change the interface

5 Eliminating Race Conditions Identify race windows. A code segment accesses the race object in a way that opens a window of opportunity during which other concurrent flows could race in and alter the race object. Is a difficult problem Statically detecting race condition in a program using multiple semaphoresd is NP-complete. No efficient algorithm existing Partially relying on human debugging skills Virtually impossible to catch race conditions dynamically since it cannot examine every memory access Eliminate race conditions by making conflicting race windows mutually exclusive. 25 Mutual Exclusion Mutual Exclusion Only one competing thread is allowed to be in a critical section. C and C++ support several synchronization primitives: mutex variables, semaphores, pipes, named pipes, condition variables, CRITICAL_SECTION objects, lock variables. 26 5