Building Secure Software Chapter 9 Race Conditions.


Race Conditions: What is it?
A race condition occurs when an assumption needs to hold true for a period of time but may not; whether it holds is a matter of timing. Every race condition has a window of vulnerability, a period of time during which the broken assumption leads to incorrect behavior. When an attacker breaks the assumption inside that window and produces unexpected behavior, the race condition has been exploited. See the example of Bob and Alice on the elevator (p. ): each assumes the other is on the other floor and staying put, so both take the elevator at the same time and miss each other. That mutual, time-dependent assumption is a race condition.

Race Conditions: What is it?
In computer programs, windows of vulnerability can be large but are often small. Even code that sets a variable X and immediately prints its value can have a race condition if the program is multithreaded: two threads (or processes sharing X) P1 and P2 can reach that code at the same time, and if P1 sets X=1 and P2 sets X=2 before P1 prints, P1 prints a value it never set. An attacker with some control over machine resources can increase the odds of winning a race by slowing the machine down, which widens the window. Race conditions with security implications generally need to be won only once, so automated attack code can simply keep retrying until the timing goes its way.

Race Conditions: What is it?
One way to fix a race condition is to shrink the window of vulnerability to zero: make sure every assumption holds for exactly as long as it needs to. The usual tool is a critical section, a block of code that only one thread or process may execute at a time. Critical sections are defined by placing locking primitives before and after the block. Done incorrectly, locking brings its own problems: deadlocks and lost performance.
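The lost-update race from the previous slide and the critical-section fix from this one, as an added example that is not part of the book or these slides. It uses POSIX threads and a shared counter: the mutex-protected run always reaches THREADS*ITERS, the unprotected run usually falls short, and how far short depends on the machine and its load (which is exactly why an attacker likes to slow the machine down). The names and iteration counts are this example's own choices.

```c
/* Added example (not the book's code): a lost-update race on a shared
 * counter, and the same loop wrapped in a critical section. */
#include <pthread.h>
#include <stdio.h>

#define THREADS 4
#define ITERS   200000

struct work {
    volatile long *counter;   /* volatile keeps the compiler from folding the loop into one add */
    pthread_mutex_t *lock;    /* NULL for the racy version */
    int iters;
};

static void *worker(void *arg)
{
    struct work *w = arg;
    for (int i = 0; i < w->iters; i++) {
        if (w->lock)
            pthread_mutex_lock(w->lock);      /* start of critical section */
        /* The window of vulnerability: load, add, store are three steps.
         * Without the lock another thread can store between our load and
         * our store, and one of the two increments is lost. */
        *w->counter = *w->counter + 1;
        if (w->lock)
            pthread_mutex_unlock(w->lock);    /* end of critical section */
    }
    return NULL;
}

/* Run THREADS threads doing `iters` increments each; return the final count. */
static long run_counter(int use_lock, int iters)
{
    volatile long counter = 0;
    pthread_mutex_t lock = PTHREAD_MUTEX_INITIALIZER;
    pthread_t tid[THREADS];
    struct work w = { &counter, use_lock ? &lock : NULL, iters };

    for (int i = 0; i < THREADS; i++)
        pthread_create(&tid[i], NULL, worker, &w);
    for (int i = 0; i < THREADS; i++)
        pthread_join(tid[i], NULL);
    return counter;
}

long racy_count(int iters)   { return run_counter(0, iters); }  /* <= THREADS*iters */
long locked_count(int iters) { return run_counter(1, iters); }  /* == THREADS*iters */

int main(void)
{
    printf("expected:       %ld\n", (long)THREADS * ITERS);
    printf("unsynchronized: %ld\n", racy_count(ITERS));
    printf("with mutex:     %ld\n", locked_count(ITERS));
    return 0;
}
```

Build with `cc -pthread race.c` on systems whose libc does not already include the thread functions. The unsynchronized result can never exceed the expected total, because every store writes a value no larger than the number of increments performed so far; it can only lose updates.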

Race Conditions: What is it?
Race conditions are possible whenever two or more processes run concurrently and one depends on state the other can change. In the interval between two operations, an attacker may be able to force something to happen that changes the behavior of the system in ways the programmer never anticipated. Exploiting one requires a security-critical context, explicit attention to timing, and knowledge of the assumptions the programmer made. The attacker "races" to invalidate those assumptions in the interval between operations.

Race Conditions: Time-of-Check, Time-of-Use
Any time multiple threads of execution exist, race conditions are possible. Separate processes on a single machine can race against each other when they operate on shared data, and the most commonly shared data are files, which is where most security-critical race conditions live. On UNIX, file race conditions generally require local access to the machine. Windows is less exposed to this class of bug because its API works mainly with handles rather than repeatedly resolving file names as symbolic strings; the UNIX analogue is to open a file once and perform all further checks and operations on the resulting file descriptor rather than on the name.

Race Conditions: Time-of-Check, Time-of-Use
Time-of-check, time-of-use (TOCTOU) flaws involve a check on some property of a file that precedes the use of that file. The check must still be valid at the time of use for the program to behave correctly, but nothing guarantees that it is. Suppose a program running setuid root is asked to write to a file owned by the user running it. Root can write any file it wants, so the program must take care not to write anything the real user lacks permission to write.
Good solution: set the EUID to the real UID of the user running the program (seteuid(getuid())) before opening the file, so the kernel performs the permission check atomically as part of open() itself and there is no gap between check and use.

Race Conditions: Time-of-Check, Time-of-Use
Poor solution: call access() to check the real user's permission on the name, then fopen() it (see p. 215). The window of vulnerability is the time between the access() call and fopen() actually opening the file. The attacker creates a dummy file he owns and a symbolic link to it:

$ touch dummy
$ ln -s dummy pointer

Then he tells the program to open the file named pointer and, inside the window of vulnerability, swaps the link:

$ rm pointer; ln -s /etc/passwd pointer

access() saw a file the attacker may write; fopen() resolves the name again and follows the new link. If the timing works, the program overwrites the system password file. The attacker need not win on the first try: the swap can be scripted and repeated until it succeeds.
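The access()/fopen() pattern from this slide next to a version that checks the object it actually opened, through the file descriptor, instead of the name. This is an added example, not the book's own listing (which is on p. 215); the function names, the scratch directory and the `dummy`/`pointer` files standing in for the attacker's setup are this example's assumptions. The book's preferred fix is seteuid(getuid()) before the open; the fstat() check shown here is the portable check you add when you cannot, or do not want to rely solely on, dropping privilege.

```c
/* Added example (not the book's code): the access()/fopen() TOCTOU next to
 * a hardened version that verifies the opened descriptor, not the name. */
#define _GNU_SOURCE 1
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* VULNERABLE: check by name, then open by name. Between access() and
 * fopen() the attacker can re-point `path` at /etc/passwd. Kept as the
 * slide describes it. */
int write_as_user_racy(const char *path, const char *data)
{
    if (access(path, W_OK) != 0)          /* time of check: real UID vs. name */
        return -1;
    FILE *f = fopen(path, "w");          /* time of use: resolves the name again */
    if (!f)
        return -1;
    fputs(data, f);
    fclose(f);
    return 0;
}

/* HARDENED: open once, refuse a symlink as the final component, then check
 * the object we hold: a regular file owned by the real user. Nothing the
 * attacker does to the name after open() changes what the descriptor refers to. */
int write_as_user_safe(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_NOFOLLOW | O_NOCTTY);
    if (fd < 0)
        return -1;                        /* ELOOP when `path` is a symlink */

    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != getuid()) {
        close(fd);                        /* not ours, or not a plain file */
        return -1;
    }
    if (ftruncate(fd, 0) != 0) { close(fd); return -1; }
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n == (ssize_t)strlen(data) ? 0 : -1;
}

/* Demo in a scratch directory: `dummy` is ours, `pointer` is the attacker's
 * symlink (pointing at dummy here, standing in for /etc/passwd).
 * Returns 1 if the racy version followed the link and the safe one refused. */
int demo(void)
{
    char dir[] = "/tmp/toctou-XXXXXX";
    if (!mkdtemp(dir))
        return -1;
    char dummy[256], pointer[256];
    snprintf(dummy, sizeof dummy, "%s/dummy", dir);
    snprintf(pointer, sizeof pointer, "%s/pointer", dir);
    close(open(dummy, O_CREAT | O_WRONLY, 0600));
    symlink("dummy", pointer);

    int racy   = write_as_user_racy(pointer, "owned\n");  /* 0: followed the link */
    int safe   = write_as_user_safe(pointer, "owned\n");  /* -1: O_NOFOLLOW rejected it */
    int direct = write_as_user_safe(dummy, "fine\n");     /* 0: real file, ours */

    unlink(pointer); unlink(dummy); rmdir(dir);
    return (racy == 0 && safe == -1 && direct == 0) ? 1 : 0;
}

int main(void)
{
    puts(demo() == 1 ? "hardened version rejected the symlink, racy one followed it"
                     : "unexpected result");
    return 0;
}
```

O_NOFOLLOW only protects the last path component; a directory earlier in the path could still be swapped. That is why the authoritative check is the fstat() on the descriptor: whatever path games were played, the uid and type test applies to the file that was really opened.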

Race Conditions: Time-of-Check, Time-of-Use
For a file-system race condition to be exploitable, the following should be true:
(1) The attacker must have access to the local machine, legitimately or not.
(2) The program with the race condition must run with privileges the attacker does not have, typically an EUID of root.
(3) The program must hold that EUID for the duration of the race window; this is what lets the attacker turn a won race into root privileges.
(4) Without such privileges the race is not a security problem: a program running with the attacker's own privileges can be tricked only into doing what the attacker could already do directly.


Race Conditions: TOCTOU/Secure File Access

Once a directory has been created that is not under an attacker's control (the secure-directory approach: every directory on the path is owned by root or by the program's user and is writable by nobody else), files can be created in it and opened using a locking technique. Deleting a file securely is only possible with the secure-directory approach, because the OS removes files with unlink(), which takes a file name rather than a file descriptor or FILE pointer and is therefore itself subject to a race. If the directory is secure, unlink() is safe because the attacker cannot plant a symbolic link for the name to resolve through.
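The secure-directory test this slide depends on, as an added example (not the book's code; is_secure_dir and check_one are names chosen here). It canonicalizes the path once and then inspects every directory from the root down: each must be a real directory, owned by root or by the current user, and not writable by group or others. /tmp fails (mode 1777), which is the point: a temporary directory you want to unlink() in safely is one you create yourself under a secure parent.

```c
/* Added example (not the book's code): is every directory on the path
 * owned by root or us, and writable by no one else? */
#define _GNU_SOURCE 1
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* One directory on the path: must be a real directory (not a symlink),
 * owned by root or by us, and not writable by group or others.
 * Returns 1 ok, 0 insecure, -1 on lstat error. */
static int check_one(const char *p, uid_t me)
{
    struct stat st;
    if (lstat(p, &st) != 0)
        return -1;
    if (S_ISLNK(st.st_mode) || !S_ISDIR(st.st_mode))
        return 0;                       /* a symlink swapped in after realpath() */
    if (st.st_uid != 0 && st.st_uid != me)
        return 0;                       /* owner could rename or replace entries */
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return 0;                       /* e.g. /tmp (1777): anyone can plant a link */
    return 1;
}

/* Returns 1 if `path` and all of its parents pass check_one(), 0 if any
 * fails, -1 if the path cannot be resolved or examined. */
int is_secure_dir(const char *path)
{
    char canon[PATH_MAX], prefix[PATH_MAX];
    if (!realpath(path, canon))         /* resolve ".", ".." and symlinks once */
        return -1;

    uid_t me = getuid();
    const char *sep = canon;            /* canon always begins with '/' */
    for (;;) {
        /* prefix is "/" first, then "/a", "/a/b", ... up to the full path */
        size_t n = (sep == canon) ? 1 : (size_t)(sep - canon);
        memcpy(prefix, canon, n);
        prefix[n] = '\0';
        int r = check_one(prefix, me);
        if (r != 1)
            return r;
        if (*sep == '\0')
            break;
        sep = strchr(sep + 1, '/');
        if (!sep)
            sep = canon + strlen(canon);
    }
    return 1;
}

int main(void)
{
    char scratch[] = "/tmp/securedir-XXXXXX";
    const char *probe[] = { "/", "/tmp", mkdtemp(scratch) ? scratch : "/tmp" };
    for (size_t i = 0; i < 3; i++)
        printf("%-24s %s\n", probe[i],
               is_secure_dir(probe[i]) == 1 ? "secure" : "NOT secure");
    rmdir(scratch);
    return 0;
}
```

This is still a check by name, and so not race-free in itself; the book's point is that you run it once, on a directory you created yourself, before any files go into it, and from then on the attacker has no foothold in that directory to race against.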

Race Conditions: Secure File Access
Sometimes the data in deleted files needs protecting too. Deleting a file only removes the pointers to it; the data blocks remain on disk until they are reused. There are many overwrite schemes for rendering that data useless before the file is unlinked.

Race Conditions: Temporary Files
Temporary files are susceptible to the same problems as regular files, made worse by the fact that attackers can often guess their names. Strategy for creating a secure temporary file:
(1) Pick a prefix for the filename.
(2) Generate at least 64 bits of high-quality randomness from a cryptographically secure source (chapter 10).
(3) Base64-encode the random bits (chapter 11). Standard Base64 output can contain '/', which cannot appear in a file name, so substitute another character for it.
(4) Concatenate the prefix with the encoded random data.
(5) Set the umask (use 0066, so the file is created with mode 0600).
(6) Use fopen() to create the file. Caveat: fopen() with mode "w" will happily open a file an attacker pre-created under that name, or follow a symbolic link planted there; open() with O_CREAT|O_EXCL (or mkstemp()) fails instead, which is the behavior you want.
(7) Delete the file using unlink() immediately, so it has no name in the file system and nothing else can open it.
(8) Perform reads, writes, and seeks on the still-open file as necessary.
(9) Close the file. Never close and reopen a file that lives in a directory with a potential race condition; once unlinked, it cannot be reopened anyway.
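The nine-step recipe carried through in code, as an added example that is not the book's own implementation. Step 6 uses open() with O_CREAT|O_EXCL|O_NOFOLLOW rather than fopen() so that a pre-planted file or symlink makes creation fail instead of being used, step 3 uses the URL-safe Base64 alphabet so the name never contains '/', and the randomness comes from /dev/urandom (assumed present). The function names and the "/tmp/bss-ch9-" prefix in the demo are this example's choices.

```c
/* Added example (not the book's code): secure temporary file per the slide's
 * steps 1-9, with an exclusive open in place of fopen(). */
#define _GNU_SOURCE 1
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Step 3: Base64 with the URL-safe alphabet ('-' and '_' instead of '+'
 * and '/'), since '/' cannot appear in a file name. `out` needs
 * 4*ceil(n/3)+1 bytes. */
void base64_fs(const unsigned char *in, size_t n, char *out)
{
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
    size_t i = 0, o = 0;
    while (i + 2 < n) {                       /* full 3-byte groups */
        unsigned v = ((unsigned)in[i] << 16) | ((unsigned)in[i + 1] << 8) | in[i + 2];
        out[o++] = tbl[(v >> 18) & 63]; out[o++] = tbl[(v >> 12) & 63];
        out[o++] = tbl[(v >> 6) & 63];  out[o++] = tbl[v & 63];
        i += 3;
    }
    if (n - i == 1) {                         /* one trailing byte */
        unsigned v = (unsigned)in[i] << 16;
        out[o++] = tbl[(v >> 18) & 63]; out[o++] = tbl[(v >> 12) & 63];
        out[o++] = '='; out[o++] = '=';
    } else if (n - i == 2) {                  /* two trailing bytes */
        unsigned v = ((unsigned)in[i] << 16) | ((unsigned)in[i + 1] << 8);
        out[o++] = tbl[(v >> 18) & 63]; out[o++] = tbl[(v >> 12) & 63];
        out[o++] = tbl[(v >> 6) & 63];  out[o++] = '=';
    }
    out[o] = '\0';
}

/* Known vectors from the Base64 spec: returns 1 if the encoder matches them. */
int base64_selftest(void)
{
    char enc[8];
    base64_fs((const unsigned char *)"Man", 3, enc);
    if (strcmp(enc, "TWFu") != 0) return 0;
    base64_fs((const unsigned char *)"Ma", 2, enc);
    if (strcmp(enc, "TWE=") != 0) return 0;
    base64_fs((const unsigned char *)"M", 1, enc);
    return strcmp(enc, "TQ==") == 0;
}

/* Steps 1-7: returns an open descriptor to an already-unlinked file, or -1. */
int secure_tmpfile(const char *prefix)
{
    unsigned char rnd[8];                     /* step 2: 64 random bits */
    int ur = open("/dev/urandom", O_RDONLY);
    if (ur < 0 || read(ur, rnd, sizeof rnd) != (ssize_t)sizeof rnd) {
        if (ur >= 0) close(ur);
        return -1;
    }
    close(ur);

    char enc[13];                             /* step 3: 8 bytes -> 12 chars */
    base64_fs(rnd, sizeof rnd, enc);

    char path[PATH_MAX];                      /* step 4: prefix + random */
    if (snprintf(path, sizeof path, "%s%s", prefix, enc) >= (int)sizeof path)
        return -1;

    mode_t old = umask(066);                  /* step 5 (belt and braces: mode below is already 0600) */
    /* step 6: O_EXCL makes creation fail if anything already has this name;
     * O_NOFOLLOW refuses a symlink even if one appears at the last moment. */
    int fd = open(path, O_RDWR | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    umask(old);
    if (fd < 0)
        return -1;

    unlink(path);                             /* step 7: no name, so nothing else can open it */
    return fd;                                /* steps 8-9: caller reads/writes/seeks, then close() */
}

/* Demo of steps 8-9: write through the descriptor, seek back, read it again.
 * Returns 1 on success. */
int demo_tmpfile(void)
{
    int fd = secure_tmpfile("/tmp/bss-ch9-");
    if (fd < 0) return 0;
    const char msg[] = "scratch data";
    char back[sizeof msg] = {0};
    int ok = write(fd, msg, sizeof msg) == (ssize_t)sizeof msg
          && lseek(fd, 0, SEEK_SET) == 0
          && read(fd, back, sizeof back) == (ssize_t)sizeof back
          && strcmp(back, msg) == 0;
    close(fd);
    return ok;
}
```

Because the file is unlinked before any data is written, there is never a moment when a named file holding sensitive content exists on disk, and the "never close and reopen" rule of step 9 enforces itself: after close() the data is gone.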

Race Conditions: File Locking
Appropriate file locking can prevent race conditions, but operating systems generally do not enforce it: UNIX file locks are advisory, so they work only when every process that touches the file honors the convention. To keep an attacker from circumventing the locking convention, make sure the files live in a directory the attacker cannot access. One locking technique: create a lock file with open(), passing O_CREAT together with O_EXCL; if the lock file already exists because someone else holds the lock, open() fails with EEXIST. Do not rely on open()-based locking on every system: O_EXCL is not guaranteed to be atomic on some network file systems, notably older NFS. And as with any locking, if locking and unlocking are not done correctly the result can be a deadlock.
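The lock-file technique from this slide, as an added example that is not the book's code: lock_acquire creates the lock with O_CREAT|O_EXCL and reports EEXIST when another holder exists, lock_release removes it. It assumes a local file system (see the NFS caveat above) and, per the slide, a lock directory the attacker cannot write to; the names and the scratch directory in the demo are this example's own.

```c
/* Added example (not the book's code): lock file via exclusive create. */
#define _GNU_SOURCE 1
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Returns an fd (>= 0) if we now hold the lock; -1 with errno == EEXIST if
 * someone else holds it; -1 with another errno on failure. The creation is
 * the lock: two racing callers cannot both get success from O_EXCL. */
int lock_acquire(const char *lockpath)
{
    int fd = open(lockpath, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    /* Record the holder's pid so a stale lock left by a crash can be identified. */
    char buf[32];
    int n = snprintf(buf, sizeof buf, "%ld\n", (long)getpid());
    if (write(fd, buf, n) != n) {
        close(fd);
        unlink(lockpath);
        return -1;
    }
    return fd;
}

/* Removing the name is what releases the lock; the descriptor is bookkeeping. */
void lock_release(const char *lockpath, int fd)
{
    unlink(lockpath);
    close(fd);
}

/* Demo: returns 1 if a second acquire fails with EEXIST while the lock is
 * held and succeeds again once it is released. */
int demo_lock(void)
{
    char dir[] = "/tmp/lockdemo-XXXXXX";
    if (!mkdtemp(dir))
        return 0;
    char lockpath[256];
    snprintf(lockpath, sizeof lockpath, "%s/app.lock", dir);

    int a = lock_acquire(lockpath);                  /* first holder */
    int b = lock_acquire(lockpath);                  /* contender: must fail */
    int contended = (a >= 0 && b < 0 && errno == EEXIST);
    lock_release(lockpath, a);
    int c = lock_acquire(lockpath);                  /* free again */
    int reacquired = (c >= 0);
    lock_release(lockpath, c);
    rmdir(dir);
    return contended && reacquired;
}

int main(void)
{
    puts(demo_lock() ? "exclusive create serialized the two acquirers"
                     : "unexpected result");
    return 0;
}
```

The weakness of this protocol is the one the slide warns about: a process that dies without calling lock_release leaves the file behind, and every later acquirer sees EEXIST forever. The pid written into the file is the usual aid for spotting that case by hand; it is not a substitute for a kernel-managed lock.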

Race Conditions: Other Race Conditions
Security-critical race conditions occur in other kinds of complex systems, not just in file access. We encounter them wherever an attacker has a small window of opportunity to connect to a database or server between two operations that the program assumes happen together.