FAST '08 – Abstract
Pp. 189–206 of the Proceedings
Awarded Best Paper!
Portably Solving File TOCTTOU Races with Hardness Amplification
Dan Tsafrir, IBM T.J. Watson Research Center; Tomer Hertz, Microsoft Research; David Wagner, University of California, Berkeley; Dilma Da Silva, IBM T.J. Watson Research Center
Abstract
The file-system API of contemporary systems makes programs vulnerable
to TOCTTOU (time of check to time of use) race conditions.
Existing solutions either help users to detect these problems (by
pinpointing their locations in the code), or prevent the problem
altogether (by modifying the kernel or its API).
The latter alternative is not prevalent, and the former is just the
first step: programmers must still address TOCTTOU flaws within the
limits of the existing API with which several important tasks can
not be accomplished in a portable straightforward manner.
Recently, Dean and Hu addressed this problem and suggested a
probabilistic hardness amplification approach that alleviated the
matter.
Alas, shortly after, Borisov et al. responded with an attack termed
“filesystem maze” that defeated the new approach.
We begin by noting that mazes constitute a generic way to
deterministically win many TOCTTOU races (gone are the days when the
probability was small).
In the face of this threat, we (1) develop a new user-level defense
that can withstand mazes, and (2) show that our method is undefeated
even by much stronger hypothetical attacks that provide the adversary
program with ideal conditions to win the race (enjoying complete and
instantaneous knowledge about the defending program's actions and
being able to perfectly synchronize accordingly).
The fact that our approach is immune to these unrealistic attacks suggests
it can be used as a simple and portable solution to a large class of
TOCTTOU vulnerabilities, without requiring modifications to the
underlying operating system.
- View the full text of this paper in HTML and PDF.
Listen to the presentation in
MP3 format.
The Proceedings are published as a collective work, © 2008 by the USENIX Association. All Rights Reserved. Rights to individual papers remain with the author or the author's employer. Permission is granted for the noncommercial reproduction of the complete work for educational or research purposes. USENIX acknowledges all trademarks within this paper.
|