Consider the following Java code Race Conditions public class Shared { private int data; public Shared() { data = 0; } public void setData(int r) { data = r; } public int getData() { return data; } public class Shared { private int data; public Shared() { data = 0; } public void setData(int r) { data = r; } public int getData() { return data; } int localData = theShared.getData(); localData++; theShared.setData(localData); int localData = theShared.getData(); localData++; theShared.setData(localData); After executing this code what value is stored in Shared.data?

What is a thread / process / task? public class Driver { private Shared theShared; private MyThread threadA, threadB; public Driver() { theShared = new Shared(); threadA = new MyThread(theShared); threadB = new MyThread(theShared); threadA.start(); threadB.start(); try { threadA.join(); threadB.join(); } catch (InterruptedException e) { e.printStackTrace(); } System.out.println(theShared.getData()); } public static void main(String[] args) { new Driver(); } public class Driver { private Shared theShared; private MyThread threadA, threadB; public Driver() { theShared = new Shared(); threadA = new MyThread(theShared); threadB = new MyThread(theShared); threadA.start(); threadB.start(); try { threadA.join(); threadB.join(); } catch (InterruptedException e) { e.printStackTrace(); } System.out.println(theShared.getData()); } public static void main(String[] args) { new Driver(); } Threaded variation of the last program. public class MyThread extends Thread { private Shared theShared; public MyThread(Shared s) { theShared = s; } public void run() { int localData = theShared.getData(); localData++; theShared.setData(localData); } public class MyThread extends Thread { private Shared theShared; public MyThread(Shared s) { theShared = s; } public void run() { int localData = theShared.getData(); localData++; theShared.setData(localData); }

int localData = theShared.getData(); //1 localData++; //2 theShared.setData(localData); //3 int localData = theShared.getData(); //1 localData++; //2 theShared.setData(localData); //3 Code shared by threadA and threadB threadA -- execute //1 threadA -- execute //2 threadA -- execute //3 threadB -- execute //1 threadB -- execute //2 threadB -- execute //3 Execution Scenario 1: threadB -- execute //1 threadB -- execute //2 threadB -- execute //3 threadA -- execute //1 threadA -- execute //2 threadA -- execute //3 Execution Scenario 2: threadA -- execute //1 threadB -- execute //1 threadB -- execute //2 threadB -- execute //3 threadA -- execute //2 threadA -- execute //3 Execution Scenario 3: Whenever the potential order of execution can alter the outcome, this is called a _________ or ___________.

Three essential properties for a race condition _________ Property Two or more flows of control must execute concurrently/in parallel. _____________ Property Some resource must be shared by the concurrent flows. _____________ Property At least one of the concurrent flows must alter the state of the shared resource.

Solution to a race condition eliminate the concurrent access The “trick” is to use an atomic operation, such as a lock.

import java.util.concurrent.locks.ReentrantLock; public class Driver { private Shared theShared; private MyThread threadA, threadB; private ReentrantLock theLock; public Driver() { theShared = new Shared(); theLock = new ReetrantLock(); threadA = new MyThread(theShared, theLock); threadB = new MyThread(theShared, theLock); threadA.start(); threadB.start(); try { threadA.join(); threadB.join(); } catch (InterruptedException e) { e.printStackTrace(); } System.out.println(theShared.getData()); } public static void main(String[] args) { new Driver(); } import java.util.concurrent.locks.ReentrantLock; public class Driver { private Shared theShared; private MyThread threadA, threadB; private ReentrantLock theLock; public Driver() { theShared = new Shared(); theLock = new ReetrantLock(); threadA = new MyThread(theShared, theLock); threadB = new MyThread(theShared, theLock); threadA.start(); threadB.start(); try { threadA.join(); threadB.join(); } catch (InterruptedException e) { e.printStackTrace(); } System.out.println(theShared.getData()); } public static void main(String[] args) { new Driver(); } import java.util.concurrent.locks.ReentrantLock; public class MyThread extends Thread { private Shared theShared; private ReentrantLock theLock; public MyThread(Shared s, ReentrantLock l) { theShared = s; theLock = l; } public void run() { theLock.lock(); int localData = theShared.getData(); localData++; theShared.setData(localData); theLock.unlock(); } import java.util.concurrent.locks.ReentrantLock; public class MyThread extends Thread { private Shared theShared; private ReentrantLock theLock; public MyThread(Shared s, ReentrantLock l) { theShared = s; theLock = l; } public void run() { theLock.lock(); int localData = theShared.getData(); localData++; theShared.setData(localData); theLock.unlock(); }

Locks lead to another problem… _________ What if one thread terminates inside a critical section? lockSharedResource(); // the critical section unlockSharedResource(); A thread is deadlocked when it is impossible for it to resume execution even though the expected execution for the thread is incomplete. Potential Deadlock on two resources (A and B) lockSharedResourceA(); lockSharedResourceB(); // the critical section unlockSharedResourceB(); unlockSharedResourceA(); lockSharedResourceB(); lockSharedResourceA(); // the critical section unlockSharedResourceA(); unlockSharedResourceB(); Process 1Process 2

How can an attacker exploit race conditions? Deadlock leads to _____. Example: 2004 Apache HTTP Server Concurrency, and therefore, race conditions are sensitive to …  processor speeds  process/thread scheduling algorithms  memory constraints  asynchronous events  state of unrelated processes

What about loosely coupled (untrusted) processes? File targetFile = new File("/tmp/test"); if (targetFile.exists() && targetFile.canRead()) { try { FileInputStream = new FileInputStream(targetFile); inFile.read( someBuffer );... inFile.close(); } catch (IOException e) { e.printStackTrace(); } File targetFile = new File("/tmp/test"); if (targetFile.exists() && targetFile.canRead()) { try { FileInputStream = new FileInputStream(targetFile); inFile.read( someBuffer );... inFile.close(); } catch (IOException e) { e.printStackTrace(); } _________ (Time of Check, Time of Use) the window from TOC through TOU can lead to a race vulnerability

TOCTOU Mitigation   ________the file from other access. File targetFile = new File("/tmp/test"); if (targetFile.exists()) { try { FileChannel channel = null; FileLock lock = null; try { channel = new RandomAccessFile(targetFile,"rw").getChannel(); lock = channel.tryLock(); if (lock != null) { ByteBuffer bytes = ByteBuffer.allocate(100); channel.read(bytes);... lock.release(); } else // file is already locked } catch (OverlappingFileLockException e) { // file is already locked } finally { channel.close(); } } catch (IOException e) { e.printStackTrace(); } File targetFile = new File("/tmp/test"); if (targetFile.exists()) { try { FileChannel channel = null; FileLock lock = null; try { channel = new RandomAccessFile(targetFile,"rw").getChannel(); lock = channel.tryLock(); if (lock != null) { ByteBuffer bytes = ByteBuffer.allocate(100); channel.read(bytes);... lock.release(); } else // file is already locked } catch (OverlappingFileLockException e) { // file is already locked } finally { channel.close(); } } catch (IOException e) { e.printStackTrace(); }

A non-TOCTOU race condition: walking trees... chdir( “/tmp/a” ); chdir( “b” ); chdir( “c” ); // race window chdir( “..” ); unlink( “*” ); //delete all files... chdir( “/tmp/a” ); chdir( “b” ); chdir( “c” ); // race window chdir( “..” ); unlink( “*” ); //delete all files... Example (GNU utilities) file tree

A non-TOCTOU race condition: walking trees... chdir( “/tmp/a” ); chdir( “b” ); chdir( “c” ); // race window chdir( “..” ); unlink( “*” ); //delete all files... chdir( “/tmp/a” ); chdir( “b” ); chdir( “c” ); // race window chdir( “..” ); unlink( “*” ); //delete all files... Example (GNU utilities) the exploit mv /tmp/a/b/c /tmp/c file tree

Mitigation   avoid the use of relative path names use and verify ___________________   “..” and “.” in file names and URLs must be disallowed.   avoid using shared access containers

symlink vul This is a classic problem in Unix systems involving the use of symbolic links. The problem is that an attacker's symbolic link can be substituted for a file. (Symbolic links can even reference directories.) A classic example - passwd() 1) open some_dir/.rhosts to authenticate user; close.rhosts 2) create and open some_dir/ptmp 3) reopen some_dir/.rhosts and copy into opened ptmp 4) close files and rename some_dir/ptmp as some_dir/.rhosts

Suppose the user's directory is called victim_dir. Further suppose that the attacker uses s similar directory called attack_dir. A classic example - passwd() 1) open some_dir/.rhosts to authenticate user; close.rhosts 2) create and open some_dir/ptmp 3) reopen some_dir/.rhosts and copy into opened ptmp 4) close files and rename some_dir/ptmp as some_dir/.rhosts Attacker causes some_dir to be a link to attack_dir Attacker causes some_dir to revert to victim_dir Attacker causes some_dir to be a link to attack_dir Attacker causes some_dir to revert to victim_dir

Mitigation – All Race Conditions Closing the race window   identify all shared resources   use mutual exclusion via locks, semaphores, monitors, etc. Eliminating the race (shared) resource   be permission, authorization and privilege aware Controlling access to the race (shared) resource   use “thread safe” threads   check file properties securely   use canonical full path names   use trustworthy containers   static and dynamic detection tools can find some race conditions