advertisement

week11

50 %
50 %
advertisement
Information about week11
Product-Training-Manuals

Published on June 19, 2007

Author: Spidermann

Source: authorstream.com

advertisement

Week11: Race Conditions:  Week11: Race Conditions Pascal Meunier, Ph.D., M.Sc., CISSP March 28, 2007 Developed thanks to the support of Symantec Corporation, NSF SFS Capacity Building Program (Award Number 0113725) and the Purdue e-Enterprise Center Copyright (2006 Purdue Research Foundation. All rights reserved. Race Conditions (CWE ID 362):  Race Conditions (CWE ID 362) Definition: security issues resulting from concurrent or interruptible code Related concepts: Concurrency (ID 557), Multi-threading (ID 366) Thread safety (shared resources) Interrupts Re-entrant code (vs overwriting memory locations) Atomicity Transactions Late binding of labels to objects Security context switches (ID 368) Filesystem links (ID 59) Time of Check, Time of Use Problem (ID 367):  Time of Check, Time of Use Problem (ID 367) TOC/TOU Problem happens with these operations Check if something is OK to do Do it In a pre-emptively multi-tasked environment, anything could happen in-between the execution of two assembly code operations Conditions may change in-between and the check becomes invalid Example: 'switch' statement race condition (ID 365) The variable used for the 'switch' may change value during execution Example Race Condition:  Example Race Condition User 1 creates a file with world-writable permissions User 1 wants to change the permissions to exclude others with 'chmod 700 filename' User 2 tries to overwrite the file in-between Will user 1 or user 2 succeed? User 1 should have set the umask correctly! Database Race Condition:  Database Race Condition If (condition for field 1) then do something to field 2 However process 2 changes field 1 in-between... Result: invalid combination of values (e.g., bank account balance) Program invariant is violated Integrity of records is violated Example Race Condition:  Example Race Condition Two processes: red and blue Red: Check that user 1 has enough money to pay check #y Blue: Check that user 1 has enough money to pay check #x Red: Pay check #y Is there really enough money to pay check #x? Handling Signals:  Handling Signals Signals are another way in which your program flow can get interrupted If your program gets interrupted while managing data structures, it is dangerous for the signal handler to attempt to use those structures Signal handlers can get interrupted by other (different) signals! (CWE ID 364) What if the same handler is called for multiple signals? Is the handler's code re-entrant? Example attack: calling free in non-re-entrant clean-up code that is interrupted and called again free may get called twice (see double-frees in NVD) Solutions:  Solutions Atomic operations: An operation that can't be interrupted is called 'atomic' Mechanisms that prevent concurrent access to, or modification of, an object by different processes or threads Semaphores (up to the programmer to do correctly) Lock files vs file locking Database locks Critical regions (enforced by compilers) Monitors (enforced by compilers) Special assembly code instructions for accessing and managing memory (e.g., multi-processor environments) Database Locks:  Database Locks Race conditions described above can be prevented while using a database to store the data Table and row locks Nobody else can write to a database object while you have a read lock Nobody else can read or write to a database object while you have a write lock Transactions Instead of locking, if the database can't complete the operation (due to competing accesses), the database can revert to a valid (past) state Database integrity is preserved However the operation you were attempting can fail Lock Files:  Lock Files Typically used for: Checking if another copy of a program (e.g., a server or an installer) is running Typically is either empty or contains the pid of a process Can be used like a primitive semaphore Compliance is purely voluntary and isn't enforced by the OS May introduce vulnerabilities Unrestricted Critical Resource Lock (412) CVE-2000-0338 - Predictable file names used for locking, allowing attacker to create the lock beforehand. Mini-Lab: Lock File:  Mini-Lab: Lock File Make a 'C' program that creates a lock file If the lock file already exists, it should print a message stating so and exit. Otherwise, it should sleep 20 seconds, print that it was successful, delete the lock file and exit. Try to run it twice simultaneously (e.g., two terminals). What happens? Is it possible in your implementation to have a race condition if two copies are started simultaneously ? Check all the flags that you can use with 'open' What to Submit:  What to Submit Your code A copy of terminal sessions showing that it operates correctly (as defined on the previous slide) Due April 11 before start of class File Locking:  File Locking UNIX file locks are 'advisory', i.e., not enforced by the operating system shared exclusive Windows: files aren't shared by default Files may have locks if shared: shared exclusive byte-ranged Sometimes this is advisory, sometimes it is enforced. One needs to be careful Object Locks:  Object Locks The 'synchronized' keyword (Java) locks an object synchronized(this) { } Be careful of conditions before entering a synchronized section, if the conditions depend on what happens in that section Could trigger a race condition Can happen in other languages as well Example: Double-checked locking anti-pattern :  Example: Double-checked locking anti-pattern Lazy initialization if (helper == null) { synchronized(this) { if (helper == null) { helper = new Helper(); } } } 'helper' may be assigned a value by thread 'A' before it is ready for use by other threads Reference: 'The 'Double-Checked Locking is Broken' Declaration' at http://www.cs.umd.edu/~pugh/java/memoryModel/DoubleCheckedLocking.html Problems in Context Switches (ID 368):  Problems in Context Switches (ID 368) Context switch between operations done at different privilege levels and in different security contexts isn't done atomically Case study: Web browsers Navigating web sites with different security properties CVE-2004-0191 - XSS when web browser executes Javascript events in the context of a new page while it's being loaded, allowing interaction with previous page in different domain. File System Race Conditions:  File System Race Conditions Files can be accessed by either name, or a file handle (Windows) or file descriptor (UNIX) Files can be renamed, deleted, moved, etc... Names and paths are bound to files at the time of a function call The same path and name can refer to different objects, given different times Typical TOC/TOU issue: Permissions, file length, ownership, etc... are checked first Then an operation is attempted An attacker will substitute another object for the second operation UNIX Filenames vs File Descriptors:  UNIX Filenames vs File Descriptors Filenames and directory structure are changeable Open file descriptors are fixed System calls that use a file descriptor are to be used whenever possible instead of the equivalent functionality using paths fchmod(int fd, mode_t mode); fchown(int fd, uid_t owner, gid_t group); fchdir(int fd); fstat(int fd, struct stat *sb); File descriptors specify an inode (see next slide) Inodes:  Inodes An inode is a data structure containing user, group and access control information (and more) The inode specifies the location of the file on the disk Hard links associate a name to an inode Several hard links can point to a single inode There's no difference between the 'first' hard link and others Inodes are deleted only when all references have been deleted Open file descriptors and hard links count as references Directories also have inodes Hard Links in UNIX:  Hard Links in UNIX By creating hard links, an attacker could make you: Change the permissions of an unintended file Change the contents of an unintended file Defenses: Manipulate files inside safe directories (with correctly set permissions) Don't open and manipulate files as root if you don't need to Don't re-open temporary files in shared directories (more on this later) File System Links:  File System Links Hard links Windows: CreateHardLink UNIX: ln Symbolic links UNIX and Windows Vista: ln -s Windows: a.k.a. 'directory junctions' in NTFS Manually: use Linkd.exe (Win 2K resource kit) or 'junction' freeware Virtual Drives 'subst' command Shortcuts (.lnk files) Virtual Drives (Windows):  Virtual Drives (Windows) Similar to symbolic links but limited functionality Effect A drive letter ('X:') actually points to a directory on a physical drive Overcomes limits on path length NTFS has limit of 32000 characters Windows has a limit of 256 characters NT, 2000, XP 'Path too long' error Malicious software can hide inside very long paths Setup using a 'subst' virtual drive Remove drive, and virus scanner can't find it! http://www.securiteam.com/windowsntfocus/5QP08156AQ.html Subst Vulnerability:  Subst Vulnerability Virtual drives persist after a user logs off (NT) If next user tries to use that same letter drive, they may use a folder of the attacker's choosing Store confidential files Run trojans Example: Network-mapped home drive Mounting operation used to fail silently if the drive letter was already in use CVE-1999-0824 Windows Shortcuts (CWE ID 64):  Windows Shortcuts (CWE ID 64) Created with a .lnk file Handled by the application, not automatically by the OS Can link files to files, or urls to files Someone typing www.microsoft.com in Internet Explorer may end up launching an executable instead of browsing there Firefox is not affected, because this is application-dependent Reference: http://www.zdnet.com.au/news/security/soa/Windows_shortcut_trick_is_a_feature_Microsoft/0,130061744,139262246,00.htm Hard Links:  Hard Links Indistinguishable from original entry (peer) May not refer to directories or span file systems Created link is subject to the same, normal file access permissions. Deleting a hard link doesn't delete the file unless all references to the file have been deleted A reference is either a hard link or an open file descriptor In Windows, a hard link exists at the NTFS file system level and is not supported by FAT32 Note: Different from a Windows shortcut Example:  Example % ls -al .localized -rw-r--r-- root wheel .localized % ln .localized pascal/hard.loc % ls -al pascal/hard.loc -rw-r--r-- root wheel hard.loc % rm pascal/hard.loc override rw-r--r-- root/wheel for pascal/hard.loc? yes % ls -al .localized -rw-r--r-- root wheel .localized Note that the hard link showed the same permissions Note that deleting the hard link didn't delete the file (the reference count was not zero) Hard Link Vulnerability Example (CWE ID 62):  Hard Link Vulnerability Example (CWE ID 62) Fool audit logging programs by using a hard link to a sensitive file Audit trails record benign name instead of sensitive file access CVE-2002-0725 (NTFS) Symbolic Links:  Symbolic Links Windows Directory junctions apply to directories only Can refer to directories on different computers Jargon: 'File system reparse points' Contain parameters resolved at access time Several operations, complex setup (see http://www.sysinternals.com/ntw2k/source/misc.shtml#junction) UNIX and Windows Vista Contain a path, which is resolved at access time May refer to directories and files May span file systems Permissions appear different from the original Symbolic Link Example:  Symbolic Link Example Using the same starting file as for the hard link example: % ln -s .localized pascal/sym.loc % ll pascal/sym.loc lrwxr-xr-x 1 pascal staff pascal/sym.loc -andgt; .localized Note: The '-andgt;') The permissions (see the 'l'?) The owner and group are different (they were root/wheel for '.localized') Deleting the symlink doesn't delete the file Power of Symbolic Links:  Power of Symbolic Links You can create links to files that don’t exist yet Symlinks continue to exist after the files they point to have been renamed, moved or deleted They are not updated You can create links to arbitrary files, even in file systems you can’t see Symlinks can link to files located across partition and disk boundaries Example: You can change the version of an application in use, or even an entire web site, just by changing a symlink Very convenient! Basic Symlink Attack (CWE ID 61):  Basic Symlink Attack (CWE ID 61) Trick a process (with higher privileges) to operate on another file than the one it thinks it is. Example: Create the link 'temp -andgt; /etc/password' A privileged process executes truncate('temp', 0) The 'truncate' call follows symlinks Changes the length of the file 'temp' to 0 But truncated /etc/password instead! Note that the contents are deleted, not the file Can be used for write or read operations Or deletion if the symlink is in the path and not the end point Conditions of Vulnerability:  Conditions of Vulnerability If you are operating in a secured directory, you don't need to worry about symlink attacks A secured directory is one with permissions of all the directories from the root of the file system to your directory, set such that only you (or root) can make changes in your secured directory Example: /home/me (user home directories are usually set by default with secure permissions) You are at risk if you operate In a shared directory such as /tmp In someone else's directory, especially with elevated privileges Example: an anti-virus program running as administrator Example: CUPS Vulnerability:  Example: CUPS Vulnerability CVE-2002-1366 Common Unix Printing System (CUPS) 1.1.14 through 1.1.17 allows local users with lp privileges to create or overwrite arbitrary files via file race conditions, as demonstrated by 'ice-cream'. Predictable file name: '/etc/cups/certs/andlt;pidandgt;' Shared directory with users that have 'lp' privilege 'lp' privilege could be gained through another exploit File manipulated using root privileges Symlink redirected operations anywhere and allowed gaining root privileges Suggested Workarounds:  Suggested Workarounds Store the file in a secured directory It was stored in a shared directory Relinquish root privileges before doing file operations (if not needed) Use a random name Create files with 'umask 077' New files will give no permissions to groups and others What about third-party components that you utilize? Question:  Question In Unix, which one of these allows an attacker to fool you into deleting a different file than you intended? a) Hard links b) Symbolic links in the path, excluding the file itself c) File descriptors d) Inodes UNIX Defenses: Creating a file:  UNIX Defenses: Creating a file int open(const char *path, int oflag, mode_t mode); The flags should be O_CREAT | O_EXCL If the last path item is a symbolic link and O_CREAT and O_EXCL are set, the link is not followed. The check for symlinks and the file creation with the correct permissions (mode) are not subject to race conditions (it's an atomic operation) The mode should be as narrow as practical Can your lock file program be fooled by a symlink? Is it possible for an attacker to delete your lock file and directory, create a link and make you delete something else? Create a fake lock file before your program runs? Conclusions:  Conclusions Race conditions are difficult to prevent when using late bindings e.g., paths and file names in file systems that are accessed by different users and processes Operating systems should always provide calls that unambiguously refer to objects (file systems and others) for all operations but they don't Most synchronization or serialization mechanisms depend on the good will of individual applications Windows, UNIX and C/C++ give you many opportunities to mess up Questions or Comments?:  Questions or Comments? About These Slides:  About These Slides You are free to copy, distribute, display, and perform the work; and to make derivative works, under the following conditions. You must give the original author and other contributors credit The work will be used for personal or non-commercial educational uses only, and not for commercial activities and purposes For any reuse or distribution, you must make clear to others the terms of use for this work Derivative works must retain and be subject to the same conditions, and contain a note identifying the new contributor(s) and date of modification For other uses please contact the Purdue Office of Technology Commercialization. Developed thanks to the support of Symantec Corporation Pascal Meunierpmeunier@purdue.edu:  Pascal Meunier pmeunier@purdue.edu Contributors: Jared Robinson, Alan Krassowski, Craig Ozancin, Tim Brown, Wes Higaki, Melissa Dark, Chris Clifton, Gustavo Rodriguez-Rivera

Add a comment

Related presentations

Related pages

„Week Calendar“ im App Store - itunes.apple.com

Lesen Sie Rezensionen, vergleichen Sie Kundenbewertungen, sehen Sie sich Screenshots an und erfahren Sie mehr über „Week Calendar“. Laden Sie „Week ...
Read more

NFL 2012 Regular Season Week 11 Schedule - NFL.com

The official site of the 2012 NFL Schedule. Weekly view of the schedules including links to tickets, broadcast channels, and printable views.
Read more

week11.nl - Landscape by Free CSS Templates

week 11. home ; fotos; tarieven; contact; het gebied; gastenboek Copyright (c) 2011 week11.nl
Read more

week11 | YouNow - بث مباشر |اليوناو| يوناو

شاهد week11 مباشر! week11 is at level 3 with 1 fans! YouNow is the best way to broadcast live and get an audience to watch you. ...
Read more

Week 11 - Neurons multiply Month 3 Fetal development ...

Week 11 Neurons multiply - Month 3 Fetal development - information on fetal development due date conception calculators.
Read more

#week11 hashtag on Twitter

On Aug 15 @ElCerritoREC tweeted: "For those that do not start school next .." - read what others are saying and join the conversation.
Read more

Week number - Calendar

Week number. See here which week number this week has. On this website we've also listed annual and monthly calendars including 2016, 2017 and 2018.
Read more

week11 - YouTube

PDC Premier League Darts 2016 Week 11 Michael van Gerwen v Gary Anderson - Duration: 23:31. Theo Kaspers 23,873 views
Read more

Vector space - Wikipedia, the free encyclopedia

A vector space (also called a linear space) is a collection of objects called vectors, which may be added together and multiplied ("scaled") by numbers ...
Read more

Ranking the MLB teams through 11 weeks - espn.com

It's a familiar story at the top of the rankings, as the Cubs are No. 1 for the 11th straight week. But are the Giants gaining ground?
Read more