Presentation is loading. Please wait.

Presentation is loading. Please wait.

Building Secure Software Chapter 9 Race Conditions.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Building Secure Software Chapter 9 Race Conditions."— Presentation transcript:

1 Building Secure Software Chapter 9 Race Conditions

2 Race Conditions What is it? A race condition occurs when an assumption needs to hold true for a period of time, but actually may not. A race condition occurs when an assumption needs to hold true for a period of time, but actually may not. Whether it is true is a matter of timing. Whether it is true is a matter of timing. In every race condition there is a window of vulnerability or a period of time when the assumption leads to incorrect behavior. In every race condition there is a window of vulnerability or a period of time when the assumption leads to incorrect behavior. When the assumption is broken, leading to unexpected behavior, then the race condition has been exploited. When the assumption is broken, leading to unexpected behavior, then the race condition has been exploited. See example of Bob and Alice on the elevator p. 210. Each assume that the other one is in the other place and is staying put and both take the elevator (this is a race condition). See example of Bob and Alice on the elevator p. 210. Each assume that the other one is in the other place and is staying put and both take the elevator (this is a race condition).

3 Race Conditions What is it? In computer programs, windows of vulnerability can be large, but often are small. In computer programs, windows of vulnerability can be large, but often are small. A program with code to set a variable X and immediately print its value could have a race condition since the program could be multi-threaded. A program with code to set a variable X and immediately print its value could have a race condition since the program could be multi-threaded. Two processes P1, P2 could hit the code to set X at the same time. If P1 sets X=1 and P2 sets X=2 before P1 prints X, P1 has an invalid value of X. Two processes P1, P2 could hit the code to set X at the same time. If P1 sets X=1 and P2 sets X=2 before P1 prints X, P1 has an invalid value of X. An attacker with control over machine resources can increase the odds of exploiting a race condition by slowing down the machine. An attacker with control over machine resources can increase the odds of exploiting a race condition by slowing down the machine. Race conditions with security implications generally only need to be exploited once. Automated code can find the race condition by just waiting long enough. Race conditions with security implications generally only need to be exploited once. Automated code can find the race condition by just waiting long enough.

4 Race Conditions What is it? One way to fix a race condition is to reduce the window of vulnerability to zero time. Do this by making sure that all assumptions hold for however long they need to hold. One way to fix a race condition is to reduce the window of vulnerability to zero time. Do this by making sure that all assumptions hold for however long they need to hold. Create Critical Sections in code which only allows one process at a time to access the critical section code. Create Critical Sections in code which only allows one process at a time to access the critical section code. Critical sections are defined by placing locking primitives in front and behind the block of code. Critical sections are defined by placing locking primitives in front and behind the block of code. If not done correctly, the potential for deadlocks and inefficiencies exist. If not done correctly, the potential for deadlocks and inefficiencies exist.

5 Race Conditions What is it? Race conditions are possible if two or more processes are running and one depends on the other. Race conditions are possible if two or more processes are running and one depends on the other. In the time interval between events, an attacker may be able to force something to happen, changing the behavior of the system in ways not anticipated. In the time interval between events, an attacker may be able to force something to happen, changing the behavior of the system in ways not anticipated. The attacker must have a security-critical context and explicit attention to timing and knowledge of the assumptions. The attacker must have a security-critical context and explicit attention to timing and knowledge of the assumptions. The attacker “races” to invalidate assumptions about the system that the programmer set in the interval between operations. The attacker “races” to invalidate assumptions about the system that the programmer set in the interval between operations.

6 Race Conditions Time-of-Check, Time-of-Use Any time multiple threads of execution exist, race conditions are possible. Any time multiple threads of execution exist, race conditions are possible. Multiple processes on a single machine can have race conditions between them when they operate on data that may be shared. Multiple processes on a single machine can have race conditions between them when they operate on data that may be shared. The most common type of data shared are files which are vulnerable to security-critical race conditions. The most common type of data shared are files which are vulnerable to security-critical race conditions. UNIX is primarily vulnerable to race conditions involving files due to the need for local access. Windows is less vulnerable as it uses handles instead of continually referring to files as symbolic strings. UNIX is primarily vulnerable to race conditions involving files due to the need for local access. Windows is less vulnerable as it uses handles instead of continually referring to files as symbolic strings.

7 Race Conditions Time-of-Check, Time-of-Use Time-of-Check, time-of-use flaws (TOCTOU) involve a check on some property of the file that precedes the use of that file. The check needs to be valid at the time of use for proper behavior, but may not be. Time-of-Check, time-of-use flaws (TOCTOU) involve a check on some property of the file that precedes the use of that file. The check needs to be valid at the time of use for proper behavior, but may not be. Suppose a program running setuid root is asked to write a file owned by the user running the program. The root user can write to any file it wants, so the program must take care not to write to anything unless the actual user has permission to do so. Suppose a program running setuid root is asked to write a file owned by the user running the program. The root user can write to any file it wants, so the program must take care not to write to anything unless the actual user has permission to do so. Good Solution: Set EUID to the UID running the program. Good Solution: Set EUID to the UID running the program.

8 Race Conditions Time-of-Check, Time-of-Use Poor Solution: Use the access call (see p. 215) Poor Solution: Use the access call (see p. 215) The window of vulnerability here is the time it takes to call fopen and have it open a file, after having called access(). The window of vulnerability here is the time it takes to call fopen and have it open a file, after having called access(). The attacker creates a dummy file with his permissions, and then creates a symbolic link to it: The attacker creates a dummy file with his permissions, and then creates a symbolic link to it: $ touch dummy $ touch dummy $ ln –s dummy pointer $ ln –s dummy pointer $ The attacker tells the program to open the file named pointer and execute within the window of vulnerability: The attacker tells the program to open the file named pointer and execute within the window of vulnerability: $ rm pointer; ln –s /etc/passwd pointer $ rm pointer; ln –s /etc/passwd pointer If it works, the program will overwrite the system password file. If it works, the program will overwrite the system password file.

9 Race Conditions Time-of-Check, Time-of-Use To exploit a file system race condition, the following should be true: To exploit a file system race condition, the following should be true: (1) the attacker must have access to the local machine, legitimate or not. (1) the attacker must have access to the local machine, legitimate or not. (2) the program with the race condition needs to running with an EUID of root. (2) the program with the race condition needs to running with an EUID of root. (3) the program must have this EUID for the period of time of the race condition. (3) the program must have this EUID for the period of time of the race condition. (4) Item (3) must exist so that the attacker will be able to obtain root privileges. (4) Item (3) must exist so that the attacker will be able to obtain root privileges. (5) Without root privileges there would be no race conditions. (5) Without root privileges there would be no race conditions.

10 Race Conditions Time-of-Check, Time-of-Use

11

12

13

14

15

16

17

18

19

20

21 Race Conditions TOCTOU/Secure File Access

22 Race Conditions Secure File Access

23

24

25

26

27 Once a directory is created and not under control of an attacker, it is usually filled with files. Open files using a locking technique. Once a directory is created and not under control of an attacker, it is usually filled with files. Open files using a locking technique. Deleting a file can only occur securely if the secure directory approach is used. This is true as the OS removes a file using unlink() call by a filename not file descriptor or file pointer (vulnerable to a race condition). Deleting a file can only occur securely if the secure directory approach is used. This is true as the OS removes a file using unlink() call by a filename not file descriptor or file pointer (vulnerable to a race condition). If the directory is secure, unlink() is safe as an attacker can not create a symbolic link. If the directory is secure, unlink() is safe as an attacker can not create a symbolic link.

28 Race Conditions Secure File Access Sometimes we need to protect the data in deleted files. Sometimes we need to protect the data in deleted files. Deleted files are deleted by removing pointers to the file. The file is still located on the disk. Deleted files are deleted by removing pointers to the file. The file is still located on the disk. There are many ways to make the data useless using overwrite schemes. There are many ways to make the data useless using overwrite schemes.

29 Race Conditions Temporary Files Temporary files are susceptible to the same potential problems that regular files are, as attackers can guess the filenames. Temporary files are susceptible to the same potential problems that regular files are, as attackers can guess the filenames. Strategy for creating a secure temporary file: Strategy for creating a secure temporary file: (1) Pick a prefix for the filename. (1) Pick a prefix for the filename. (2) Generate at least 64 bits of high-quality randomness from a cryptographically secure source (chapter 10). (2) Generate at least 64 bits of high-quality randomness from a cryptographically secure source (chapter 10). (3) Base64 encode the random bits (chapter 11) (3) Base64 encode the random bits (chapter 11) (4) Concatenate the prefix with the encoded random data. (4) Concatenate the prefix with the encoded random data. (5) Set umask (use 0066) (5) Set umask (use 0066) (6) Use fopen() to create the file. (6) Use fopen() to create the file. (7) Delete file using unlink(). (7) Delete file using unlink(). (8) Perform reads, writes, and seeks on the file as necessary. (8) Perform reads, writes, and seeks on the file as necessary. (9) Close the file. Never close and reopen the file if it exists in a directory with a potential race condition. (9) Close the file. Never close and reopen the file if it exists in a directory with a potential race condition.

30 Race Conditions File Locking Appropriate file locking can prevent race conditions. Appropriate file locking can prevent race conditions. OS do not require file locking. OS do not require file locking. To prevent circumventing locking conventions, make sure files are in a directory that cannot be accessed by a potential attacker. To prevent circumventing locking conventions, make sure files are in a directory that cannot be accessed by a potential attacker. To perform file locking: Use open() call, and pass in the O_EXCL flag. The file can not be opened if the file is in use. To perform file locking: Use open() call, and pass in the O_EXCL flag. The file can not be opened if the file is in use. Do not use open() for file locking on all systems. Do not use open() for file locking on all systems. If locking and unlocking are not done right, we could get a deadlock situation. If locking and unlocking are not done right, we could get a deadlock situation.

31 Race Conditions Other Race Conditions Security-critical race conditions occur in other kinds of complex systems as well as in file accesses. Security-critical race conditions occur in other kinds of complex systems as well as in file accesses. We encounter race conditions whenever there are small windows of opportunity for attackers to connect to databases or servers. We encounter race conditions whenever there are small windows of opportunity for attackers to connect to databases or servers.

Download ppt "Building Secure Software Chapter 9 Race Conditions."

Similar presentations

Lectures on File Management

Lectures on File Management
Operating Systems Lecture Notes Deadlocks Matthew Dailey Some material © Silberschatz, Galvin, and Gagne, 2002.

Operating Systems Lecture Notes Deadlocks Matthew Dailey Some material © Silberschatz, Galvin, and Gagne, 2002.
Mutual Exclusion.

Mutual Exclusion.
CSUF Chapter 3.2 1. CSUF Operating Systems Security 2.

CSUF Chapter CSUF Operating Systems Security 2.
CMSC 414 Computer (and Network) Security Lecture 13 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 13 Jonathan Katz.
Understand Database Security Concepts

Understand Database Security Concepts
Chapter 3 The Critical Section Problem

Chapter 3 The Critical Section Problem
SPL/2010 Liveness And Performance 1. SPL/2010 Performance ● Throughput - How much work can your program complete in a given time unit? ● Example: HTTP.

SPL/2010 Liveness And Performance 1. SPL/2010 Performance ● Throughput - How much work can your program complete in a given time unit? ● Example: HTTP.
Exception Handling Introduction Exception handling is a mechanism to handle exceptions. Exceptions are error like situations. It is difficult to decide.

Exception Handling Introduction Exception handling is a mechanism to handle exceptions. Exceptions are error like situations. It is difficult to decide.
Section 3.2: Operating Systems Security

Section 3.2: Operating Systems Security
1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.

1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.
Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.

Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
© 2003 School of Computing, University of Leeds SY32 Secure Computing, Lecture 15 Implementation Flaws Part 3: Randomness and Timing Issues.

© 2003 School of Computing, University of Leeds SY32 Secure Computing, Lecture 15 Implementation Flaws Part 3: Randomness and Timing Issues.
VBA Modules, Functions, Variables, and Constants

VBA Modules, Functions, Variables, and Constants
Concurrent Processes Lecture 5. Introduction Modern operating systems can handle more than one process at a time System scheduler manages processes and.

Concurrent Processes Lecture 5. Introduction Modern operating systems can handle more than one process at a time System scheduler manages processes and.
CS252: Systems Programming Ninghui Li Final Exam Review.

CS252: Systems Programming Ninghui Li Final Exam Review.
(a) Alice and Bob are back together. Today Alice wants to send Bob a message that is secret and also authenticated, so that Bob knows the message came.

(a) Alice and Bob are back together. Today Alice wants to send Bob a message that is secret and also authenticated, so that Bob "knows" the message came.
Lecture 16 Page 1 CS 236 Online SQL Injection Attacks Many web servers have backing databases –Much of their information stored in a database Web pages.

Lecture 16 Page 1 CS 236 Online SQL Injection Attacks Many web servers have backing databases –Much of their information stored in a database Web pages.
OSI and TCP/IP Models And Some Vulnerabilities AfNOG 12 30 th May 2011 – 10 th June 2011 Tanzania By Marcus K. G. Adomey.

OSI and TCP/IP Models And Some Vulnerabilities AfNOG th May 2011 – 10 th June 2011 Tanzania By Marcus K. G. Adomey.
CGI Security COEN 351. CGI Security Security holes are exploited by user input. We need to check user input against Buffer overflows etc. that cause a.

CGI Security COEN 351. CGI Security Security holes are exploited by user input. We need to check user input against Buffer overflows etc. that cause a.

Similar presentations

Ads by Google