1 Multiprocessors May Reduce System Dependability Under File-based Race Condition Attacks
Jinpeng Wei, Calton Pu, Georgia Institute of Technology, Atlanta, Georgia, USA
Presented at DSN-DCCS, June 28, 2007

2 System Dependability: Brief History
- Traditionally focused on availability and reliability (have redundancy, keep running)
- Now security and safety are urgent issues
  - Widely deployed software systems have bugs
  - Software systems are under constant attack: intended behavior != actual behavior

3 Multiprocessors: Boon or Bane?
- Definitely they are good
  - Better performance
  - Lower power consumption
  - More secure: intrusion detection systems
- Unless they fall into the wrong hands...
  - The attacker can become faster in a race condition attack, thus making the system less secure

4 It's Much Easier to Attack TOCTTOU Vulnerabilities on Multiprocessors

5 Agenda
- Background about TOCTTOU and the vulnerabilities in vi and gedit
- A probabilistic model for TOCTTOU attacks
- Probability analysis of exploiting vi
- Probability and event analysis of exploiting gedit
- Parallelizing the attack program on a multiprocessor
- Conclusion

6 Definition and Scope
- TOCTTOU (Time Of Check To Time Of Use): a kind of file-based race condition in Unix-style systems
- Check: establish some precondition (invariant) about a file
- Use: operate on the file assuming that the invariant is still valid

7 Sendmail Example
- Sendmail runs as root and operates on files owned by normal users
- Check: is /home/abc/mailbox a symbolic link? Yes: error handling. No: continue. This establishes the invariant: /home/abc/mailbox is NOT a symbolic link
- Use: append the new message to /home/abc/mailbox, assuming the invariant still holds

8 Sendmail Vulnerability: An Example (timeline, top to bottom)
- Sendmail (root), Check: is /home/abc/mailbox a symbolic link? No
- Attacker (abc): delete /home/abc/mailbox; create symbolic link mailbox, pointing to /etc/passwd
- Sendmail (root), Use: append the new message to /home/abc/mailbox (actually to /etc/passwd)
- Effect: the attacker may get unauthorized root access!

9 TOCTTOU Vulnerabilities in Red Hat Linux 9 [1]

    Application | TOCTTOU errors | Possible exploit
    vi          |                | Changing the owner of /etc/passwd to an ordinary user
    gedit       |                | Changing the owner of /etc/passwd to an ordinary user
    rpm         |                | Running an arbitrary command
    emacs       |                | Making /etc/shadow readable by an ordinary user

Tested: ~130 utilities from /bin, /sbin and /usr/bin
[1] Jinpeng Wei, Calton Pu. FAST'05

10 vi 6.1 Vulnerability
- The vulnerability happens when
  - vi is run by root
  - vi is editing a file owned by a normal user (also the attacker)
  - vi saves the file being edited
- TOCTTOU pair:
  - open creates a new file for writing
  - chown changes the owner of the new file to the normal user

    while ((fd = mch_open((char *)wfname, …) …
    ……
    chown((char*)wfname, st_old.st_uid, st_old.st_gid);

11 gedit Vulnerability
- Similar to the vi vulnerability
  - gedit is run by root
  - gedit is editing a file owned by a normal user (also the attacker)
  - gedit saves the file being edited
- TOCTTOU pair:
  - rename creates a new file
  - chown changes the owner of the new file to the normal user

    /* create and write to temp_filename … */
    if (rename (temp_filename, real_filename) != 0){ … }
    chmod (real_filename, st.st_mode);
    chown (real_filename, st.st_uid, st.st_gid);
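The common defect in the vi (slide 10) and gedit (slide 11) save paths is that the file is named twice: once when it is created (open or rename) and again when its ownership is changed by path. The following added example, written for this transcript and not taken from vi, gedit or the slides, places the by-name pattern beside two hardened forms that apply chown/chmod through the open descriptor; the function names and the /tmp location of the temporary file are assumptions of the example.

```c
/* Added example (not the slides' code): the vi/gedit save pattern beside
 * hardened forms that change ownership through the open descriptor, so
 * the inode that was written is the one that gets chown'ed. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable (vi-style): the TOCTTOU pair is open(wfname) .. chown(wfname). */
int save_by_name(const char *wfname, const char *buf, uid_t uid, gid_t gid)
{
    int fd = open(wfname, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, buf, strlen(buf));
    close(fd);
    /* Window: wfname is resolved again here; a symlink swapped in after
       open() redirects the ownership change to the link's target. */
    return n < 0 ? -1 : chown(wfname, uid, gid);
}

/* Hardened vi-style save: everything after open() goes through fd. */
int save_by_fd(const char *wfname, const char *buf, uid_t uid, gid_t gid)
{
    struct stat st;   /* O_NOFOLLOW refuses a symlink at the final component */
    int fd = open(wfname, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode)) { close(fd); return -1; }
    ssize_t n = write(fd, buf, strlen(buf));
    int rc = n < 0 ? -1 : fchown(fd, uid, gid);   /* acts on this inode */
    close(fd);
    return rc;
}

/* Hardened gedit-style save: fix mode and owner on the temp file's descriptor
   BEFORE rename(). Assumes real and /tmp share a filesystem (rename needs it). */
int save_via_temp(const char *real, const char *buf, mode_t mode, uid_t uid, gid_t gid)
{
    char tmpl[] = "/tmp/save_XXXXXX";               /* assumed temp location */
    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    int ok = write(fd, buf, strlen(buf)) >= 0 &&
             fchmod(fd, mode) == 0 && fchown(fd, uid, gid) == 0;
    close(fd);
    if (!ok || rename(tmpl, real) != 0) { unlink(tmpl); return -1; }
    return 0;
}

/* Demo helper: read a small file back; returns bytes read or -1. */
ssize_t read_back(const char *path, char *out, size_t cap)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    ssize_t n = fd < 0 ? -1 : read(fd, out, cap - 1);
    if (fd >= 0) close(fd);
    if (n >= 0) out[n] = '\0';
    return n;
}
```

With the hardened forms the attack program on slide 12 has nothing to race: a symlink planted after open() makes the next O_NOFOLLOW open fail instead of being followed, and the ownership change never consults the path again.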

12 An Attack Program

    1  while (!finish){
    2    if (stat(filename, &stbuf) == 0){
    3      if ((stbuf.st_uid == 0) && (stbuf.st_gid == 0))
    4      {
    5        unlink(filename);
    6        symlink("/etc/passwd", filename);
    7        finish = 1;
    8      }
    9    }
    10 }

- Observation: the file owner temporarily becomes root during the vulnerability window
- Simple, brute-force

13 Event Analysis of vi Exploit on a Uniprocessor

14 Agenda (repeated from slide 5)

15 Some Definitions for the Probabilistic Model
- Window of vulnerability: the time interval between check and use (e.g., )
- Attack pattern: {detection} + [attack]
  - detection can be run 1 or more times
  - attack can be run 0 or 1 time
- Three process states
  - Suspended: unable to run (relinquishing the CPU)
  - Scheduled: able to run (using the CPU)
  - Finished: finished the attack actions (symbolic link replacement, etc.)

16 A Probabilistic Model for Predicting TOCTTOU Attack Success Rate

    P(attack succeeds) = P(victim suspended) * P(attack scheduled | victim suspended) * P(attack finished | victim suspended)
                       + P(victim not suspended) * P(attack scheduled | victim not suspended) * P(attack finished | victim not suspended)

- P(attack succeeds) on a multiprocessor is not less than that on a uniprocessor, because of the second part of the equation
  - P(attack scheduled | victim not suspended) = 0 on a uniprocessor
- The success gain due to the second part may become significant when P(victim suspended) is very small
- But wait, can the attack finish?

17 P(attack finished | victim not suspended)
- D = detection time, L = t2 - t1 (laxity)
- t1 = the earliest start time for a successful detection
- t2 = the latest start time for a successful detection leading to a successful attack
- The answer =

18 Agenda (repeated from slide 5)

19 Success Rate of Attacking vi on a Uniprocessor
- Between 1.5% and 18%
- Approaches 0 when the file size approaches 0

    while ((fd = mch_open((char *)wfname, …)
    /* writing to wfname using fd… */
    chown((char*)wfname, st_old.st_uid, st_old.st_gid);

20 Success Rate of Attacking vi on an SMP
- 100% for files with size >= 20KB
  - L >> D
- 96% for files with 1 byte
  - L and D become close
  - The attack may not be scheduled

21 Agenda (repeated from slide 5)

22 gedit Attack Success Rates
- 0 on a uniprocessor
- 83% on an SMP (2 x 1.7 GHz CPUs, 512 MB memory)
- The delay between rename and chmod is an important contributing factor to L. It is 43 microseconds on the SMP.
- Table: L and D values in microseconds (SMP)

    if (rename (temp_filename, real_filename) != 0){ … }
    chmod (real_filename, st.st_mode);
    chown (real_filename, st.st_uid, st.st_gid);

23 gedit Attack on a Multicore
- 2 x 3.2 GHz dual-core CPUs with HT, 4 GB memory
- No success at all!
- Why?

24 New Observation on the gedit Attack
- CPU is a necessary but not sufficient condition for a successful attack
- The semaphore on the shared file is another necessary condition
  - The race between gedit and the attacker for the semaphore decides the attack result
- The delay between stat and unlink of the attacker is 17 us
- The delay between rename and chmod is now only 3 us
- There is a 6 us trap (due to a page fault) within the 17 us of the attacker

25 Rethinking the gedit Attack Program
- There is a trap when the true branch of statement 3 is taken, because unlink has never been invoked before by the attacker…
- The Linux kernel dynamically maps shared libraries (e.g., libc) into an application's address space

    1  while (!finish){
    2    if (stat(filename, &stbuf) == 0){
    3      if ((stbuf.st_uid == 0) && (stbuf.st_gid == 0))
    4      {
    5        unlink(filename);
    6        symlink("/etc/passwd", filename);
    7        finish = 1;
    8      }
    9    }
    10 }

26 The Solution…
- Proactively invoke unlink to remove the trap

    1  while (!finish){ /* argv[1] holds filename */
    2    if (stat(argv[1], &stbuf) == 0){
    3      if ((stbuf.st_uid == 0) && (stbuf.st_gid == 0))
    4      {
    5        fname = argv[1];
    6        finish = 1;
    7      }
    8      else
    9        fname = dummy;
           unlink(fname);
    12     symlink("/etc/passwd", fname);
    13   }//if stat(argv[1]..
    14 }//while

27 New gedit Attack on a Multicore
- Started to see successes
- The trap disappeared

28 Agenda (repeated from slide 5)

29 Pipelining the Attack Program
- symlink need not wait on the completion of unlink, so we can make the attack program multi-threaded
- The attack can finish much earlier when the shared file is large, giving an advantage when the vulnerability window is very small

30 Conclusion
- A probabilistic model for TOCTTOU attacks which captures the reduced system dependability caused by the deployment of multiprocessors
- Probability measurement and event analysis of exploiting vi and gedit, which corroborate the model and demonstrate how the attacker may utilize multiprocessors to achieve a higher success rate