TOCTTOU Vulnerabilities in UNIX-Style File Systems: An Anatomical Study
Jinpeng Wei and Calton Pu Georgia Institute of Technology {weijp,calton}@cc.gatech.edu
mailbox and replacing it with a symbolic link to ABSTRACT /etc/passwd. If the replacement is completed within the Due to their non-deterministic nature, Time of Check window and the new messages happen to be syntacti- To Time of Use (TOCTTOU) vulnerabilities in Unix- cally correct /etc/passwd entries with root access, then style file systems (e.g., Linux) are difficult to find and sendmail may unintentionally give unauthorized root prevent. We describe a comprehensive model of access to a normal user (the attacker). TOCTTOU vulnerabilities, enumerating 224 file sys- TOCTTOU vulnerabilities are a very significant tem call pairs that may lead to successful TOCTTOU problem. For example, between 2000 and 2004, we attacks. Based on this model, we built kernel monitor- found 20 CERT [14] advisories on TOCTTOU vulner- ing tools that confirmed known vulnerabilities and dis- abilities. They cover a wide range of applications from covered new ones (in often-used system utilities such system management tools (e.g., /bin/sh, shar, tripwire) as rpm, vi, and emacs). We evaluated the probability of to user level applications (e.g., gpm, Netscape successfully exploiting these newly discovered vulner- browser). A similar list compiled from BUGTRAQ abilities and analyzed in detail the system events dur- [16] mailing list is shown in Table 1. The CERT advi- ing such attacks. Our performance evaluation shows sories affected many operating systems, including: that the dynamic monitoring of system calls introduces Caldera, Conectiva, Debian, FreeBSD, HP-UX, Immu- non-negligible overhead in microbenchmark of those nix, MandrakeSoft, RedHat, Sun Solaris, and SuSE. In file system calls, but their impact on application 11 of the CERT advisories, the attacker was able to benchmarks such as Andrew and PostMark is only a gain unauthorized root access. TOCTTOU vulnerabili- few percent. ties are widespread and cause serious consequences. Categories and Subject Descriptors Table 1: Reported TOCTTOU Vulnerabilities D.4.3: File Systems Management – Access methods; Domain Application Name D.4.5: Reliability –verification; D.4.6: Security and Enterprise Apache, bzip2, gzip, getmail, Imp- Protection – Access controls. applications webmail, procmail, openldap, openSSL, Kerberos, OpenOffice, General Terms StarOffice, CUPS, SAP, samba Reliability, Experimentation, Security. Administrative at, diskcheck, GNU fileutils, log- tools watch, patchadd Keywords Device Esound, glint, pppd, Xinetd Race detection managers Development make, perl, Rational ClearCase, 1 Introduction tools KDE, BitKeeper, Cscope TOCTTOU (Time Of Check To Time Of Use) is a well At the same time, TOCTTOU vulnerabilities are known security problem [1] in file systems with weak also a very challenging research problem due to their synchronization semantics (e.g., Unix file system). A non-deterministic nature. They are very hard to detect TOCTTOU vulnerability requires two steps [2]. First, a because the occurrence of a TOCTTOU vulnerability vulnerable program checks for a file status. Second, the requires a pair of certain system calls along the execu- program operates on the file assuming the original file tion path of an application combined with appropriate status remained invariant during execution. For exam- environmental conditions. So they are more elusive ple, sendmail may check for a specific attribute of a than say, a buffer overflow bug which is only a single mailbox (e.g., it is not a symbolic link) in step one and point of failure. TOCTTOU vulnerabilities are also then append new messages (as root) in step two. Be- hard to exploit, because they are essentially race condi- cause the two steps are not executed atomically, a local tion errors so whether an attack can succeed relies on attacker (mailbox owner) can exploit the window of whether the attacking code is executed within the usu- vulnerability between the two steps by deleting his/her ally narrow window of vulnerability (on the order of
USENIX Association FAST ’05: 4th USENIX Conference on File and Storage Technologies 155 milliseconds as shown in section 4.2). Furthermore, conditions about the file can be established either ex- normal static program analysis tools for detecting race plicitly (e.g., access or stat) or implicitly (e.g., open or conditions cannot be applied directly, since the attack creat). Therefore, the TOCTTOU name is more re- programs are usually unavailable until the vulnerabili- strictive than our model. Our model includes the origi- ties are discovered. nal check-use system call pairs [2][3], plus use-use The first contribution of this paper is a model-based pairs. For example, a program may attempt to delete a approach to detecting TOCTTOU attacks in Unix-style file (instead of checking whether a file exists) before operating systems. During the 10 years since the first creating it. Consequently, the pair
156 FAST ’05: 4th USENIX Conference on File and Storage Technologies USENIX Association FileCreationSet = {creat, open, mknod, rename} Group 2 preconditions can be established by CU- LinkCreationSet = {link, symlink, rename} calls in the CheckSet, or by CU-calls in the CreationSet DirCreationSet = {mkdir, rename} (a file/directory/link exists after it is created), or by CU-calls in the NormalUseSet. These are followed by Definition 2: RemoveSet contains system calls that corresponding Use-calls. The link-related calls are remove objects from the file system. It can be further paired with both FileNormalUseSet and DirNor- divided into three corresponding subsets: malUseSet because a link can point to either a regular RemoveSet = FileRemoveSet LinkRemoveSet file or a directory. DirRemoveSet, where FileRemoveSet = {unlink, rename} Group 2 = (CheckSet u NormalUseSet) (FileCrea- LinkRemoveSet = {unlink, rename} tionSet u FileNormalUseSet) (DirCreationSet u DirRemoveSet = {rmdir, rename} DirNormalUseSet) (LinkCreationSet u FileNor- malUseSet) (LinkCreationSet u DirNormalUseSet) Definition 3: NormalUseSet contains system calls (FileNormalUseSet u FileNormalUseSet) (Dir- which work on existing storage objects and do not re- NormalUseSet u DirNormalUseSet). move them. We subdivide them into two sets: NormalUseSet = FileNormalUseSet DirNormalUse- Intuitively, Group 1 Group 2 completes the set of Set, where TOCTTOU pairs. A formal proof of the completeness FileNormalUseSet = {chmod, chown, truncate, of CUU is out of the scope of this paper and is ad- utime, open, execve} dressed in another paper [20]. DirNormalUseSet = {chmod, chown, utime, mount, In summary, Table 2 shows these TOCTTOU pairs chdir, chroot, pivot_root} along two dimensions: the use of a storage object and whether the check was an explicit check or an implicit Definition 4: CheckSet contains the system calls check. A total of 224 pairs have been identified using that establish preconditions about a file pathname ex- this table. plicitly. CheckSet = {stat, access} Table 2: Classification of TOCTTOU Pairs Using the above definitions, we divide the CUSet Use Explicit check Implicit check and UseSet into subsets: Create a CheckSet u FileRemoveSet u CUSet = CheckSet CreationSet RemoveSet regular file FileCreationSet FileCreationSet NormalUseSet Create a di- CheckSet u DirRemoveSet u UseSet = CreationSet NormalUseSet rectory DirCreationSet DirCreationSet Create a link CheckSet u LinkRemoveSet u Based on the precondition established by the CU- LinkCreationSet LinkCreationSet call, we can divide the TOCTTOU pairs into two Read/Write/ CheckSet u (FileCreationSet u groups: Group 1 creates a new object and Group 2 op- Execute or FileNormalUse- FileNormalUseSet) erates on an existing object. We say that TOCTTOU Change the Set (LinkCreationSet u vulnerabilities are not due to bad programming prac- attribute of a FileNormalUseSet) tices, since in Group 1 the CU-call establishes the pre- regular file (FileNormalUseSet u condition that the file pathname does not exist and in FileNormalUseSet) Group 2 the CU-call establishes the precondition that Access or CheckSet u (DirCreationSet u the file pathname exists. change the DirNormalUse- DirNormalUseSet) Group 1 preconditions can be established either ex- attribute of a Set (LinkCreationSet u plicitly by CU-calls in the CheckSet, or implicitly by directory DirNormalUseSet) CU-calls in the RemoveSet. These are followed by (DirNormalUseSet u Use-calls in a CreationSet of the corresponding type, DirNormalUseSet) e.g., the creation of a directory is only paired with a system call on a directory. 2.3 Known TOCTTOU Examples Group 1 = (CheckSet u CreationSet) (FileRemoveSet We applied our model to known TOCTTOU vulner- u FileCreationSet) (LinkRemoveSet u LinkCrea- abilities and show the results in Table 3. tionSet) (DirRemoveSet u DirCreationSet).
USENIX Association FAST ’05: 4th USENIX Conference on File and Storage Technologies 157 Table 3: Real world applications known to Table 4: Directories Immune to TOCTTOU have TOCTTOU vulnerability /bin /root /usr/dict /var/db Applications TOCTTOU Classification /boot /proc /usr/kerberos /var/empty pair /dev /sbin /usr/libexec /var/ftp BitKeeper, Cscope
158 FAST ’05: 4th USENIX Conference on File and Storage Technologies USENIX Association templates. This analysis proceeds in several rounds as if the Use-Call is chmod, then a value of 0666 for follows. the mode argument falls into this category because Round 1: First, the Analyzer sorts the log records this chmod can be used to make /etc/passwd by file name, grouping its operation records such as the world-writable. On the other hand, a mode value of names and locations (sequence numbers) of system 0600 is not profitable because it will not give the calls. attacker any permission on a file that he/she does not own. In this case the TOCTTOU pair in ques- Round 2: Second, system calls on each file are tion is not a TOCTTOU vulnerability. paired to facilitate the matching of TOCTTOU pairs. x Check the file pathname. For the chmod example, Round 3: Third, system call pairs are compared to if the file is stored under a directory writable by an the list in Table 2. When a TOCTTOU pair is found, an ordinary user, like his/her home directory, then XSLT template is generated to extract the correspond- continue to the next step; otherwise the ing log records from the original log file. TOCTTOU pair is not a TOCTTOU vulnerability. Round 4: Fourth, the log records related to x TOCTTOU pairs found are extracted into a new file for Check the effective user id. Continuing with the further inspection. chmod example, if the effective user id is 0 (root), then report this TOCTTOU pair as a vulnerability; otherwise, the TOCTTOU pair is not a vulnerabil- ity. It should be noted that the steps described above give only an outline of the Inspection process based on one attack scenario for one particular TOCTTOU pair. For different TOCTTOU pair and different attack scenario, the details of these checks can be different. For exam- ple, the same TOCTTOU pair as the above with a mode value of 0644 and the same other conditions is also considered a vulnerability because it can be exploited to make /etc/shadow readable by an attacker. Thus the Inspector requires a template (or signature) for each kind of attack scenario. Table 5 shows the set of tem- plates used by the current implementation of the In- spector. For brevity, this table does not show the file pathname and effective user id which are checked in every template. This set may be expanded as new at- tack scenarios are found. Table 5: Templates used in the Inspector Use-Call Arguments to Sample attack scenarios check chmod mode Gain unauthorized ac- Figure 1: Framework for TOCTTOU Detec- cess rights to /etc/passwd tion chown owner, group Change the ownership of /etc/passwd The fourth component of our framework is the In- chroot Access information un- spector, which identifies the actual TOCTTOU vulner- der a restricted directory ability in the program being monitored. The Inspector execve Run arbitrary code links the TOCTTOU pair with associated environ- open mode, flag Mislead privileged pro- mental information, including file pathname, related grams to do things for arguments, process id, program name, user id, group id, the attacker, or steal sen- effective user id, and effective group id. The Inspector sitive information decides whether an actual exploitation can occur. truncate length Erase the content of /etc/passwd For each TOCTTOU pair, the Inspector does the following steps: x Check the arguments of the calls to see if these calls can be profitable to an attacker. For example,
USENIX Association FAST ’05: 4th USENIX Conference on File and Storage Technologies 159 4 Analysis of Real TOCTTOU Attacks Table 6: Potential TOCTTOU Vulnerabilities 4.1 Experimental Setup Application TOCTTOU errors Possible exploit vi
160 FAST ’05: 4th USENIX Conference on File and Storage Technologies USENIX Association 4.2.2 An Experiment to Exploit rpm 4.2.3 Event Analysis of rpm Exploit The second part of our evaluation is to measure the ef- To fully understand what happened during the fectiveness of an attack trying to exploit this apparently TOCTTOU attack, we analyze the important system small window of vulnerability. This experiment runs a events during the experiment. Figure 2 shows the user-level attack process in a loop. It constantly checks events in a successful exploit of rpm. In Figure 2, the for the existence of a file name with the prefix dark (upper) line shows the events of the rpm process, “/var/tmp/rpm-tmp”. A victim process (rpm run by and the lower line shows the events of the attacker root) installs a software package and creates a script process. The attacker process stays in a loop looking file of that name. Note that rpm inserts a random suf- for file names of interest. When the rpm process cre- fix as protection against direct guessing, but a directory ates the file (just before the 200 msec clock tick), the listing command bypasses the need to guess the full attacker detects it and appends the chown line to the pathname. If a file name of the expected prefix ap- temporary script and goes back to the loop. pears, the attacker appends the command “chown at- The two timelines show that even though the CPU tacker:attacker /etc/passwd” to it. If the append consumption during the window of vulnerability is happens during the window of vulnerability, then the relatively small, the rpm process causes interrupts that child process of rpm will execute the script and the in- lengthen the window, represented by dotted upper line. serted command line, making the attacker the owner of Specifically, there are at least two scheduling actions /etc/passwd. When rpm finishes, the test program within the rpm vulnerability window: rpm creates a checks whether the attacker has become the owner of new process to execute bash, which creates another /etc/passwd. new process to execute an external executable file Due to the non-deterministic nature of these ex- (/sbin/install-info). Each process creation causes rpm periments, we ran the experiment 100 times in a batch. to yield CPU to the scheduler. Figure 2 shows that the After running several batches, we found a surprisingly attacker process is scheduled as a result and the attack high average number of 85 successful attacks per succeeds. Consequently, the two scheduling actions batch, considering the apparently narrow window of created by rpm make the attack more likely to succeed vulnerability shown in Table 7. because rpm yields the CPU in the window of vulner- ability.
bash reads rpm-tmp.49755 rpm rpm creates ends rpm-tmp.49755; rpm starts vulnerability bash reads rpm-tmp.49755 bash begins ends install- info chown
ls –l … ls –l … ls –l ; grep append to rpm- ls; grep; ls; grep; tmp.49755 grep grep
rpm rpm vulnerability window attacker attack
0 50 100 150 200 250 300 350
Time (milliseconds) Figure 2: Event Analysis of rpm Exploit
USENIX Association FAST ’05: 4th USENIX Conference on File and Storage Technologies 161 In our experiments, we also found another reason Since chown happens after the file is completed, more attacks succeed than indicated by the short win- the window of vulnerability v follows approximately dow of vulnerability. Specifically, we observed that in the same incremental growth of 9msec/MB (see Figure some cases the appending to the script file by the at- 4). Figure 3 shows the window of vulnerability to be tacker happened after the second open of rpm (outside relatively long compared to the total “save” time. It the window), but the attack still succeeds. In these gradually grows to about 80% of the “save” total cases, we believe that append started after bash opened elapsed time for 10MB files. This experiment tells us the script file (the second open of rpm), but it finished that vi is more vulnerable when the file being edited is before bash reached the end of the script. Since bash larger. For a small file (100KB size) the window of interprets the script line by line, there is a good chance vulnerability is still about 5% of the “save” time. of executing the newly appended line. These two ex- planations (CPU yielding and slow interpretation of the 100.00% script) help explain the lengthening of the window of vulnerability and the high attack success rate of 85%. 80.00%
4.3 vi 6.1 Vulnerability 60.00%
The Unix “visual editor” vi is a widely used text editor 40.00% in many UNIX-style environments. For example, Red Hat Linux distribution includes vi 6.1. Using our tools, 20.00% we found potential TOCTTOU vulnerabilities in vi 6.1. 0.00% Specifically, if vi is run by root to edit a file owned by 012345678910 a normal user, then the normal user may become the File size in MB owner of sensitive files such as /etc/passwd. The problem can be summarized as follows. When Figure 3: Window of Vulnerability Divided by vi saves the file being edited, it first renames the origi- Total Save Time, as a Function of File Size nal file as a backup, then creates a new file with the
original name. The new file is closed after all the con- 120 tent in the edit buffer is written. If vi is running as root, Vi vulnerability window size the initial owner and group of this new file is root, so vi 100 Vi save window size needs to change the owner and group of the new file to s 80 d
its original owner and group. This forms an e 60 chown> window of vulnerability every time vi saves s i l the file. During this window, if the file name can be i M 40 changed to a link to /etc/passwd, then vi can be tricked into changing the ownership of /etc/passwd to the nor- 20 mal user. 0 4.3.1 Baseline Analysis of vi 01234567891011 Using the same method of the rpm study, we measured File size in MB the percentage of time when vi is running in its vulner- ability window as it saves the file being edited. In vi, Figure 4: Vulnerability and Save Window Sizes this depends on the edited file size. In our experi- of vi ments, we bypass the user typing time to avoid the variations caused by human participation. 4.3.2 An Experiment to Exploit vi Unlike a batch program such as rpm, which is easily We define the save window t as the time vi spends run from a script, vi is designed for interactive use by in processing one “save” command, and the vulnerabil- humans. To eliminate the influence of human “think ity window v during which TOCTTOU attack may time” in the experiments, we wrote another program to happen. We measured 60 consecutive “saves” of the interact with vi by sending it commands that simulate file for t, and timestamp the open and chown system human typing. This reduces the run-time and the win- calls for v. Since the “save” time of a file depends on dow of vulnerability to minimum. The experiment the file size, we did a set of experiments on different runs a vi (as root) editing a file owned by the attacker file sizes. Figure 4 shows the time required for a in the attacker’s home directory. The editing consists “save” command for files of sizes from 100KB to of either appending or deleting a line from the file and 10MB. We found a per file fixed cost that takes about the experiment ends with vi exiting. 14msec for the small (100KB) file and an incremental cost of 9msec/MB (for files of size up to 10MB). 162 FAST ’05: 4th USENIX Conference on File and Storage Technologies USENIX Association The attack consists of a tight loop constantly check- have been used. To relieve memory pressure, we ing (by stat-ing) whether the owner of the file has be- added a 2-second delay between successive vi invoca- come root, which signifies the start of the window of tions. vulnerability. Once this happens, the attacker replaces Figure 5 shows the success rate for file sizes rang- the file with a symbolic link to /etc/passwd (as shown ing from 100KB to 1MB averaged over 500 rounds. in Figure 7). When vi exits, it should change the own- We see that for small files, there is a rough correlation ership of /etc/passwd to the attacker. The attacker pro- between the size of window of vulnerability and suc- gram checks for this ownership change. If vi finishes cess rate. Although not strictly linear, the larger the and /etc/passwd is still owned by root, the attack fails. file being edited, the larger is the probability of suc- Contrary to the surprisingly high probability of suc- cessfully attacking vi. cess in the rpm case, we found a relatively low prob- Figure 6 shows the results for file sizes ranging ability of success in the vi case (see Figure 5 and from 2MB to 4MB, with a stepping size of 20KB, av- Figure 6), despite a relatively wide window of vulner- eraged over 100 rounds. Unlike the dominantly in- ability. This leads to a more careful analysis of the creasing success rate for small file sizes, we found system events during the attack. apparently random fluctuations on success rates be- 4.3.3 Event Analysis of vi Exploit tween file sizes of 2MB and 3MB, probably due to race Although the window of vulnerability may be wide, an conditions. For example, files of size 2MB have suc- attack will succeed only when: cess rate of 4%, which is lower than the 8% success 1. vi has called open to create the new file, rate of file size 500KB in Figure 5. The growing suc- 2. vi has not called chown, cess trend resumes after files become larger than 3MB. 3. vi relinquishes CPU, voluntarily or involuntarily, 40.00% and the attacker is scheduled to run, and Baseline vulnerability 35.00% 4. the attacker process finishes the file redirection 500 rounds attack success rate during this run. 30.00% The first two conditions have been studied in the 25.00% baseline experiment. The fourth condition depends on 20.00% the implementation of the attacker program. For ex- 15.00% ample, if the attacker program is written in C instead of 10.00% shell script, it will be less likely to be interrupted. 5.00% The third condition is the least predictable. In our 0.00% experiments, we have found several reasons for vi to 100 200 300 400 500 600 700 800 900 1000 relinquish CPU. First, vi may suspend itself to wait for File size in KB I/O. This is likely since the window of vulnerability includes the writing of the content of the file, which Figure 5: Success Rate of Attacking vi (small may result in disk operations. Second, vi may use up its files) CPU slice. Third, vi may be preempted by higher prior- ity processes such as ntpd, kswapd, and bdflush kernel 100 rounds attack success rate, 5 neighbors average threads. Even after vi relinquishes CPU, the second 80.00% Baseline vulnerability 70.00% part of the condition (that the attacker process is sched- 100 rounds attack success rate uled to run) still depends on other processes not being 60.00% ready to run. 50.00% This analysis illustrates the highly non- 40.00% deterministic nature of a TOCTTOU attack. To 30.00% achieve a statistically meaningful evaluation, we repeat 20.00% the experiments and compute the probability of attack 10.00% success. To make the experimental results reproduci- 0.00% ble, we eliminated all the confounding factors that we 2 2.1 2.2 2.3 2.4 2.5 2.6 2.7 2.8 2.9 3 3.1 3.2 3.3 3.4 3.5 3.6 3.7 3.8 3.9 4 have identified. For example, in each round of experi- File size in MB ments, we ran vi at least 50 times, each time on a dif- ferent file, to minimize file caching effects. We also Figure 6: Success Rates of Attacking vi (large observed memory allocation problems after large files files) USENIX Association FAST ’05: 4th USENIX Conference on File and Storage Technologies 163 create empty file write; … write write; close chown unlink; stat; … stat stat symlink stat; … vi vi vulnerability window attacker attack 0 20 40 60 80 100 120 Time (miliseconds) Figure 7: Event Analysis of the vi Exploit 4.4 Other Vulnerabilities TOCTTOU vulnerability has been reported in BUGTRAQ [17]. In our experiments, we identified 5 TOCTTOU pairs Overall, we consider the CUU model-based detec- (see Table 6) and confirmed 3 of them through direct tion framework to be a success. With a modest number attacks (rpm, vi, and emacs). Due to its similarity to the of experiments, we confirmed known TOCTTOU vul- vi experiments (Section 4.3), the analysis of the attack nerabilities and found several previously unreported of emacs is omitted here. ones. However, this offline analysis only covers the We also tried to attack gedit, the fourth vulnerabil- execution paths exercised by the workloads, so it can- ity discovered, but we found a very low probability of not guarantee the absence of TOCTTOU vulnerabilities successful attack. Like vi, gedit becomes vulnerable when none is reported. when it saves the file being edited. Unlike vi, gedit In this paper, our research focuses on the scheduling writes to a temporary scratch file, then renames the aspects of TOCTTOU attacks in uniprocessor environ- scratch file to the original file name, and calls chown. ments. Multiprocessors, hyper-threaded uniprocessors, Thus the window of vulnerability is between the re- or multi-core processors are beyond the scope of this name and the directly following chown, a very short paper and subject of ongoing research. time that reduces the probability of successful attack. A full analysis of gedit experiments is beyond the scope 5 Evaluation of Detection Method of this paper. The fifth vulnerability is the Enlightened Sound 5.1 Discussion of False Negatives Daemon (esd), which creates a directory /tmp/.esd then As mentioned in Section 4.1, our tools are not designed changes the access mode of this directory to 777, giv- for exhaustive testing. While we attempted to generate ing full permissions (read/write/execute) to all users. representative workloads for the 130 programs tested, Besides, this directory is under /tmp, a place where any we cannot guarantee coverage of all execution paths. user can create files or directories. So a possible attack The coverage problem may be alleviated by improve- is to create a symbolic link /tmp/.esd before the mkdir ments in the testing technology and documentation. call of esd and let the link point to some directories owned by the running user (such as his/her home direc- More fundamentally, the CUU-Model covers pairs tory). If esd does not check whether its mkdir call suc- of file system calls, assuming that a precondition is es- ceeds, then it will change the access mode of the tablished by the CU-call before the Use-call relies on it. running user’s home directory to 777. Then an attacker In programs where preconditions are not explicitly es- has full access to the running user’s home directory. tablished (a bad programming practice), e.g., a program We postponed our experiments on esd since this creates a temporary file under a known name without first stat-ing the existence of the file, exploits may 164 FAST ’05: 4th USENIX Conference on File and Storage Technologies USENIX Association happen outside the CUU model. The problem of com- from other processes during the run, we start Red Hat plex interactions among more than a pair of system in single-user mode (without X window system and calls is an open research question. (Currently, there are daemon processes such as apmd, crond, cardmgr, sys- no known examples of such complex vulnerabilities.) logd, gpm, cups and sendmail). To get an estimation of 5.2 Discussion of False Positives the overhead of our system, we run this experiment on a Linux box without modifications to get the baseline Tool-based detection of vulnerabilities typically does results, and then a Linux box with our monitoring tools not achieve 100% precision. The framework described (without the Analyzer and the Inspector which are used in Section 3 is no exception. There are some technical offline). For the latter case, we ran the experiment un- sources of false positives: der two different directories to see the influence of file 1. Incomplete knowledge of search space: The list of pathname to the overhead. The total running time of immune directories (Table 4) is not complete be- these five stages for the experiments is shown in Figure cause of the dynamic changes to system state (e.g. 8 and Table 8. newly created root-owned directories under The results show a relatively higher overhead for /usr/local), which leads to false positives. mkdir, copy and stat when the benchmark is run under 2. Artifacts of test environment: If the test cases an ordinary user’s home directory (denoted Vulnerable themselves uses /tmp or the home directory of an Dir in Figure 8 and Table 8). But when the benchmark ordinary user, our tools have to report related is run under /root (denoted Immune Dir in Figure 8 and TOCTTOU pairs, which are false positives. For Table 8), the overhead becomes much lower (dropping example, the initial test case for cpio uses a tempo- from 144% to 14% for stat). This difference shows that rary directory /tmp/cpio, so the tools reported a printks in the kernel and the Collector daemon process USENIX Association FAST ’05: 4th USENIX Conference on File and Storage Technologies 165 Table 8: Andrew Benchmark Results (msec) Functions Original Modified Linux Modified Linux Linux Immune Dir Vulnerable Dir Time Overhead Time Overhead mkdir 2.8 3.0 4.1 r0.06 r0.10 7.1% r0.05 46% copy 59.2 64.8 80.8 r0.49 r2.2 9.5% r0.46 36% stat 61.1 69.4 149.3 r0.55 r0.41 14% r3.5 144% grep 543.1 576.2 645.3 r2.4 r5.9 6.1% r3.7 19% compile 20,668 20,959 21,311 r66 r90 1.4% r195 3.1% Figure 8: Andrew Benchmark Results 6 Related Work settings, such as file access prediction in mobile com- The impression that TOCTTOU vulnerabilities are due puting [18][19]. In the particular area of software secu- to bad programming practices is probably created by rity, dynamic monitors observe application execution to the patches and solutions suggested in advisories and find software bugs. These tools can be further classified reports on TOCTTOU exploits from US-CERT [14], into dynamic online analysis tools and post mortem CIAC [15] and BUGTRAQ [16]. For example, many analysis tools. Eraser [12] is an online analysis tool of the reported problems link temporary files to another that uses lockset analysis to find race conditions (un- file to be manipulated. Examples of TOCTTOU pairs synchronized access to shared variables) in a multi- are 166 FAST ’05: 4th USENIX Conference on File and Storage Technologies USENIX Association and serious. We describe the CUU model and frame- Temporary File Race Vulnerabilities. In Proceedings of work to detect TOCTTOU vulnerabilities. The model the 10th USENIX Security Symposium, Washington DC, consists of 224 pairs of dangerous file system calls (the August 2001. TOCTTOU pairs) and we implemented the detection [6] Drew Dean and Alan J. Hu. Fixing Races for Fun and Profit: How to use access(2). In Proceedings of the 13th framework for offline analysis of TOCTTOU vulner- USENIX Security Symposium, San Diego, CA, August abilities. The CUU model is programming language- 2004. independent. The software tools work without changes [7] Dawson Engler, Benjamin Chelf, Andy Chou, and Seth or access to application source code. Hallem. Checking System Rules Using System-Specific, Using offline analysis, we confirmed known Programmer-Written Compiler Extensions. In Proceed- TOCTTOU attacks such as esd [17]. Running a rela- ings of Operating Systems Design and Implementation (OSDI), September 2000. tively modest set of experiments (about 130 system [8] Dawson Engler, Ken Ashcraft. RacerX: Effective, Static utility programs), we also found and confirmed previ- Detection of Race Conditions and Deadlocks. Proceed- ously unreported TOCTTOU vulnerabilities in (the ings of the Nineteenth ACM Symposium on Operating unmodified, original version of) rpm, emacs and vi. Systems Principles (SOSP'2003). To understand better TOCTTOU vulnerabilities, we [9] J. H. Howard, M. L. Kazar, S. G. Menees, D. A. Nichols, recorded and analyzed in detail the main events in the M. Satyanarayanan, R. N. Sidebotham, and M. J. West. attack scenarios. These analyses support a quantitative Scale and performance in a distributed file system, Transactions on Computer Systems, vol. 6, pp. 51-81, evaluation of the likelihood of success for each attack February 1988. (ranging from very unlikely in the gedit case to highly [10] Calvin Ko, George Fink, Karl Levitt. Automated Detec- likely in the rpm case at 85%). This evaluation is a tion of Vulnerabilities in Privileged Programs by Execu- non-trivial task for non-deterministic concurrent pro- tion Monitoring. Proceedings of the 10th Annual grams. We also measured and found modest perform- Computer Security Applications Conference, page 134- ance overhead of our tools by running the Andrew and 144. PostMark benchmarks (a few percent additional over- [11] PostMark benchmark. head for application level benchmarks). http://www.netapp.com/tech_library/3022.html [12] Stefan Savage, Michael Burrows, Greg Nelson, Patrick The CUU model-based analysis of TOCTTOU vul- Sobalvarro, and Thomas Anderson. Eraser: A Dynamic nerabilities also suggests online defense mechanisms Data Race Detector for Multithreaded Programs. ACM similar to pseudo-transactions [13]. This is a topic of Transactions on Computer Systems, Vol. 15, No. 4, No- active research and beyond the scope of this paper. vember 1997, Pages 391–411. [13] Eugene Tsyrklevich and Bennet Yee. Dynamic detection 8 Acknowledgement and prevention of race conditions in file accesses. In Proceedings of the 12th USENIX Security Symposium, This work was partially supported by NSF/CISE IIS pages 243–256, Washington, DC, August 2003. and CNS divisions through grants CCR-0121643, IDM- [14] United States Computer Emergency Readiness Team, 0242397 and ITR-0219902. We also thank the anony- http://www.kb.cert.org/vuls/ mous FAST reviewers for their insightful comments. [15] U.S. Department of Energy Computer Incident Advisory Capability. http://www.ciac.org/ciac/ [16] BUGTRAQ Archive 9 References http://msgs.securepoint.com/bugtraq/ [1] R. P. Abbott, J.S. Chin, J.E. Donnelley, W.L. Konigs- [17] BUGTRAQ report RHSA-2000:077-03: esound contains ford, S. Tokubo, and D.A. Webb. Security Analysis and a race condition. http://msgs.securepoint.com/bugtraq/ Enhancements of Computer Operating Systems. NBSIR [18] Ahmed Amer and Darrell D. E. Long. Noah: Low-cost 76-1041, Institute of Computer Sciences and Technol- file access prediction through pairs. In Proceedings of ogy, National Bureau of Standards, April 1976. the 20th IEEE International Performance, Computing [2] Matt Bishop and Michael Dilger. Checking for Race and Communications Conference (IPCCC '01), April Conditions in File Accesses. Computing Systems, 2001. 9(2):131–152, Spring 1996. [19] Tsozen Yeh, Darrell D. E. Long, and Scott Brandt. Per- [3] Matt Bishop. Race Conditions, Files, and Security Flaws; forming file prediction with a program-based successor th or the Tortoise and the Hare Redux. Technical Report model. In Proceedings of the 9 IEEE International 95-8, Department of Computer Science, University of Symposium on Modeling, Analysis, and Simulation of California at Davis, September 1995. Computer and Telecommunication Systems (MASCOTS [4] Hao Chen, David Wagner. MOPS: an Infrastructure for '01), pages 193~202, Cincinnati, OH, August 2001. Examining Security Properties of Software. In Proceed- [20] Calton Pu, Jinpeng Wei. A theoretical study of ings of the 9th ACM Conference on Computer and Com- TOCTTOU problem modeling. In preparation. munications Security (CCS), pages 235--244, Washington, DC, November 2002. [5] Crispin Cowan, Steve Beattie, Chris Wright, and Greg Kroah-Hartman. RaceGuard: Kernel Protection From USENIX Association FAST ’05: 4th USENIX Conference on File and Storage Technologies 167