Documents
Resources
Learning Center
Upload
Plans & pricing Sign in
Sign Out

races

VIEWS: 5 PAGES: 16

  • pg 1
									S ECURE P ROGRAMMING T ECHNIQUES


                                   Race conditions

   • General terms

   • File access races

   • Network races

   • Multithreading

   • Signal handling races




M EELIS R OOS                                        1
S ECURE P ROGRAMMING T ECHNIQUES


                                   General terms

   • Race condition — correctness of the program depends on timing
     (race with an external entity)
       – Process scheduling can switch context any time, for any
         amount of time
       – Network is asynchronous by nature
   • Attacker can change scheduling — by causing load or just
     trying hard enough
   • Happens on unsynchronized use of shared resources
       – Race with untrusted processes
       – Race with trusted processes (locking bugs)
   • General solution: use atomic operations
   • Locking — tool for synchronization, usually between trusted
     processes

M EELIS R OOS                                                        2
S ECURE P ROGRAMMING T ECHNIQUES


                                   File access races

   • TOCTOU (Time Of Creation, Time Of Use) pattern in races:
      1. A program checks a property of a file, referencing the file by
         its name
      2. An attacker alters the meaning of the filename so that it
         refers to a different filesystem object
      3. The program later performs a filesystem operation using the
         same filename and assumes the previously checked property
         still holds

   • Properties can be about metainfo (owner, permissions, being
     symbolic link etc) or about changing the file itself (new file with
     the same name)




M EELIS R OOS                                                            3
S ECURE P ROGRAMMING T ECHNIQUES


                       Example: access() vs open()

   • lpr vulnerabilty in ancient Linux (1999)

for (int i=1; i < argc; i++) {
  /* make sure that the user can read the file,
   * then open it */
  if (!access(argv[i], O_RDONLY)) {
    fd = open(argv[i], O_RDONLY);
  }
  print(fd);
}




M EELIS R OOS                                        4
S ECURE P ROGRAMMING T ECHNIQUES


                                      Timing

   • Possible timing between lpr and attack code

  access("/tmp/attack")
                                   unlink("/tmp/attack")
                                   symlink("/etc/shadow", "/tmp/attack")
     open("/tmp/attack")




M EELIS R OOS                                                              5
S ECURE P ROGRAMMING T ECHNIQUES


                  Fix: switch UID-s, open only once

for (int i=1; i < argc; i++) {
  int caller_uid = getuid();
  int owner_uid = geteuid();
  /* set effective user id before opening the file */
  if (setresuid(-1, caller_uid, owner_uid) != 0) {
    exit(-1);
  }
  if (fd = open(argv[i], O_RDONLY);
  /* reset the effective user id to its original value */
  if (setresuid(-1, owner_uid, caller_uid) != 0) {
    exit(-1);
  }
  if (fd != -1) print(fd);
}


M EELIS R OOS                                          6
S ECURE P ROGRAMMING T ECHNIQUES


                                   File access races

   • Stealing a temporary file with loose permissions

   • Predictabilty of filenames in shared directories

   • Symlink attacks — make the filename point somewhere else
       – Between check and use
       – Even before — preparing symlinks with predictable names
         (either pointing somewhere or dangling)

   • Using up resources (allocate and reserve resources before use?)




M EELIS R OOS                                                          7
S ECURE P ROGRAMMING T ECHNIQUES


                             Predictable filenames

   • First, try to avoid creating files in publicly writable directories

   • If you still need to do it:
       – Avoid fixed names
       – Avoid weak randomness — process ID, current time, short
         random part of filename

   • Common example:
      RESULT=/tmp/myresult.$$
      do_cmd > $RESULT
      if ! grep Success: $RESULT; then exit 1; fi; done
      ...
      rm $RESULT

   • Find all bugs in this snippet!


M EELIS R OOS                                                             8
S ECURE P ROGRAMMING T ECHNIQUES


                           Fixing file access races

   • Avoid using publicly writable directories
       – TMP, TMPDIR; TEMP environment variables

   • Avoid temporary files at all when not needed — use pipe with
     one producer and only one consumer

   • Use any name only once
       – Open file and keep fd open
       – Perform further operations only on fd, not name — fchown,
         fchmod, fchdir, fstat
       – access() is usually bad
       – Unlinking filename might be a good idea to shorten the
         windows others might open it

   • Don’t reuse temporary filenames


M EELIS R OOS                                                        9
S ECURE P ROGRAMMING T ECHNIQUES


                 Creating a temporary file securely

   • Use strict file create to avoid existing files with same name you
     try
       – open(filename, O_RDWR | O_CREAT | O_EXCL, 0600)

   • Avoid symlinks
       – O_NOFOLLOW
       – or create a subdirectory, secure it and create your files there

   • Check return values and repeat until you got your file




M EELIS R OOS                                                             10
S ECURE P ROGRAMMING T ECHNIQUES


                   Temporary file library functions

   • Good:
       – mkstemp(char *template) — creates file, opens it and
         returns filled in name
       – mkdtemp(char *template) — creates a directory and
         returns filled in name

   • Weak:
       – FILE *tmpfile(void) — creates, opens and unlinks,
         misses O_EXCL
       – tempnam(char *dir, char *pfx) — TOCTOU possible;
         honours TMPDIR
       – tmpnam(char *s) — TOCTOU possible
       – mktemp(char *template) — TOCTOU again
       – GetTempFileName() — TOCTOU

M EELIS R OOS                                                  11
S ECURE P ROGRAMMING T ECHNIQUES


                                   Multithreading

   • Concurrent programs can share objects in memory
       – by using multithreading
       – by using explicitly shared memory between multiple
         processes
   • Shared structures must be accessed with some synchronization
     protocol to avoid corrupting the data
   • Bugs are frequent here because the model is hard for
     programmers ("locking bugs")
   • Most synchronization bugs are not exploitable as security bugs,
     but
       – Corruption of state may always lead to vulnerabilities
       – Availability is hit hard (hangs, crashes)
   • Language-agnostic (anywhere shared state is used)

M EELIS R OOS                                                          12
S ECURE P ROGRAMMING T ECHNIQUES


                                   Networking

   • Different streams and packets race with each other:
       – Different routes, router queues
       – Congestion control and retransmissions
       – Process scheduling on end nodes

   • Example: IRC channel takeovers

   • Example: AJAX and parallel queries
       – Synchronous and asynchronous XmlHttpRequest
       – Several requests in parallel are possible, depending on user
         actions




M EELIS R OOS                                                           13
S ECURE P ROGRAMMING T ECHNIQUES


                                   Signal handling

   • Completely asynchronous

   • Signal handler can do only a limited set of operations because
     of this

   • Lots of signals coming in quickly can uncover additional
     problems




M EELIS R OOS                                                         14
S ECURE P ROGRAMMING T ECHNIQUES


                     Example: signal handling race

#include        <signal.h>
#include        <syslog.h>
#include        <string.h>
#include        <stdlib.h>

void *global1, *global2;
char *what;

void sh(int dummy) {
  syslog(LOG_NOTICE,"%s\n",what);
  free(global2);
  free(global1);
  sleep(10);
  exit(0);
}

M EELIS R OOS                                        15
S ECURE P ROGRAMMING T ECHNIQUES


                Example: signal handling race (cont)

int main(int argc,char* argv[]) {
  what=argv[1];
  global1=strdup(argv[2]);
  global2=malloc(340);
  signal(SIGHUP,sh);
  signal(SIGTERM,sh);
  sleep(10);
  exit(0);
}




M EELIS R OOS                                          16

								
To top