Presentation is loading. Please wait.

Presentation is loading. Please wait.

TOCTTOU Vulnerabilities in UNIX-Style File Systems BY: Mayank Ladoia.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "TOCTTOU Vulnerabilities in UNIX-Style File Systems BY: Mayank Ladoia."— Presentation transcript:

1 TOCTTOU Vulnerabilities in UNIX-Style File Systems BY: Mayank Ladoia

2 TOCTTOU Time OF Check To Time Of Use A time-of-check-to-time-of-use bug (TOCTTOU − pronounced "TOCK too") is a software bug caused by changes in a system between the checking of a condition (such as a security credential) and the use of the results of that check A TOCTTOU vulnerability requires two steps:  Vulnerable program checks for a file status.  The program operates on the file assuming the original file status remained invariant during execution

3 List Of Directories Owned By Root In LINUX

4 The CUU Model of TOCTTOU A necessary condition for a TOCTTOU vulnerability to happen is a pair of system calls (referred to as “TOCTTOU pair” in this paper) operating on the same disk object using a file pathname The first system call (referred to as “CU-call”) establishes some preconditions about the file (e.g., the file exists, the current user has write privilege to the file, etc). CUSet = { access, stat, open, creat, mknod, link, symlink, mkdir, unlink, rmdir, rename, execve, chmod, chown, truncate, utime, chdir, chroot, pivot_root, mount } The second system call (referred to as “Use-call”) operates on the file, based on those preconditions UseSet = { creat, mknod, mkdir, rename, link, symlink, open, execve, chdir, chroot, pivot_root, mount, chmod, chown, truncate, utime }

5 TOCTTOU pairs Definition 1: CreationSet contains system calls that create new objects in the file system. CreationSet = FileCreationSet U LinkCreationSet U DirCreationSet FileCreationSet = {creat, open, mknod, rename} LinkCreationSet = {link, symlink, rename} DirCreationSet = {mkdir, rename}

6 TOCTTOU pairs (cont.) Definition 2: RemoveSet contains system calls that remove objects from the file system. RemoveSet = FileRemoveSet U LinkRemoveSet U DirRemoveSet FileRemoveSet = {unlink, rename} LinkRemoveSet = {unlink, rename} DirRemoveSet = {rmdir, rename}

7 TOCTTOU pairs (cont.) Definition 3: NormalUseSet contains system calls which work on existing storage objects and do not remove them. NormalUseSet = FileNormalUseSet U DirNormalUse-Set FileNormalUseSet = {chmod, chown, truncate, utime, open, execve} DirNormalUseSet = {chmod, chown, utime, mount, chdir, chroot, pivot_root}

8 TOCTTOU pairs (cont.) Definition 4: CheckSet contains the system calls that establish preconditions about a file pathname explicitly. CheckSet = {stat, access}

9 CUset & UseSet CUSet = CheckSet U CreationSet U RemoveSet U NormalUseSet UseSet = CreationSet U NormalUseSet Based on the precondition established by the CUcall, we can divide the TOCTTOU pairs into two groups: Group 1 creates a new object  CU-call establishes the precondition that the file pathname does not exist Group 2 operates on an existing object  CU-call establishes the precondition that the file pathname exists

10

11 TOCTTOU Detection An actual TOCTTOU vulnerability consists of a victim program containing a TOCTTOU pair The attacker program attempts to access or modify the file being manipulated by the victim through shared access during the vulnerability window between the CU-call and Use-call

12 Model Based Detection Tool

13 Model Based Detection Tool(cont) The first component of our framework is a set of plug-in Sensor code in the kernel, placed in system calls listed in the CUSet and UseSet The second component of our framework is the Collector, which periodically empties the ring buffer (before it fills up) The third component of our framework is the Analyzer, which looks for TOCTTOU pairs that refer to the same file pathname The fourth component of our framework is the Inspector, which identifies the actual TOCTTOU vulnerability in the program being monitored

14 rpm 4.2 Temp File Vulnerability rpm is a popular software management tool for installing, uninstalling, verifying, querying, and updating software packages in Linux When rpm installs or removes a software package, it creates a temporary script file in directories such as /var/tmp or var/local/tmp Since the access mode of this file is set to 666 (world-writable), an attacker can insert arbitrary commands into this script Given the privileges required for installing software (usually root), this is a significant vulnerability The TOCTTOU pair involved is : the first open creates the script file for writing the script; and the second open is called in a child process to read and execute the script.

15

16 vi 6.1 Vulnerability When vi saves the file being edited, it first renames the original file as a backup, then creates a new file with the original name The new file is closed after all the content in the edit buffer is written If vi is running as root, the initial owner and group of this new file is root, so vi needs to change the owner and group of the new file to its original owner and group This forms an window of vulnerability every time vi saves the file During this window, if the file name can be changed to a link to /etc/passwd, then vi can be tricked into changing the ownership of /etc/passwd to the normal user

17

18 References http://www.usenix.org/events/fast05/tech/f ull_papers/wei/wei.pdf http://www.cc.gatech.edu/~weijp/Jinpeng_ Homepage_files/toctou-issse-camera.pdf http://www.wikipedia.org/ http://citeseerx.ist.psu.edu/viewdoc/summ ary?doi=10.1.1.138.3424

Download ppt "TOCTTOU Vulnerabilities in UNIX-Style File Systems BY: Mayank Ladoia."

Similar presentations

TOCTTOU Attacks Don Porter CS 380S

TOCTTOU Attacks Don Porter CS 380S
Operating System Type of Operating System

Operating System Type of Operating System
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License. Unix system calls (part 2)

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License. Unix system calls (part 2)
Operating system services Program execution I/O operations File-system manipulation Communications Error detection Resource allocation Accounting Protection.

Operating system services Program execution I/O operations File-system manipulation Communications Error detection Resource allocation Accounting Protection.
1 Introduction to UNIX Ke Liu

1 Introduction to UNIX Ke Liu
Exploring the UNIX File System and File Security

Exploring the UNIX File System and File Security
Files. System Calls for File System Accessing files –Open, read, write, lseek, close Creating files –Create, mknod.

Files. System Calls for File System Accessing files –Open, read, write, lseek, close Creating files –Create, mknod.
Lesson 22 – Introduction to Linux Systems Administration.

Lesson 22 – Introduction to Linux Systems Administration.
Linux+ Guide to Linux Certification, Second Edition

Linux+ Guide to Linux Certification, Second Edition
6/24/2015B.RamamurthyPage 1 File System B. Ramamurthy.

6/24/2015B.RamamurthyPage 1 File System B. Ramamurthy.
Linux Linux File System.

Linux Linux File System.
Guide To UNIX Using Linux Third Edition

Guide To UNIX Using Linux Third Edition
Guide To UNIX Using Linux Third Edition

Guide To UNIX Using Linux Third Edition
Introduction Operating Systems’ Concepts and Structure Lecture 1 ~ Spring, 2008 ~ Spring, 2008TUCN. Operating Systems. Lecture 1.

Introduction Operating Systems’ Concepts and Structure Lecture 1 ~ Spring, 2008 ~ Spring, 2008TUCN. Operating Systems. Lecture 1.
7/15/2015B.RamamurthyPage 1 File System B. Ramamurthy.

7/15/2015B.RamamurthyPage 1 File System B. Ramamurthy.
Linux File Security. What is Permission ? Specifies what right are granting to users to access the resources available in the computer. So that important.

Linux File Security. What is Permission ? Specifies what right are granting to users to access the resources available in the computer. So that important.
Authentication and authorization Access control consists of two steps, authentication and authorization. Subject Do operation Reference monitor Object.

Authentication and authorization Access control consists of two steps, authentication and authorization. Subject Do operation Reference monitor Object.
1 SEEM3460 Tutorial Unix Introduction. 2 Introduction What is Unix? An operation system (OS), similar to Windows, MacOS X Why learn Unix? Greatest Software.

1 SEEM3460 Tutorial Unix Introduction. 2 Introduction What is Unix? An operation system (OS), similar to Windows, MacOS X Why learn Unix? Greatest Software.
Managing Software using RPM. ♦ Overview In Linux, Red Hat Package Manager referred as RPM is a tool used for managing software packages and its main function.

Managing Software using RPM. ♦ Overview In Linux, Red Hat Package Manager referred as RPM is a tool used for managing software packages and its main function.
1 THE UNIX FILE SYSTEM By Chokechai Chuensukanant ID 121779 COSC 513 Operating System.

1 THE UNIX FILE SYSTEM By Chokechai Chuensukanant ID COSC 513 Operating System.

Similar presentations

Ads by Google