Understanding Security Vulnerabilities in File Systems

Miao Cai∗ (Nanjing University), Hao Huang (Nanjing University), Jian Huang (UIUC)

ABSTRACT

File systems have been developed for decades with the security-critical foundation provided by operating systems. However, they are still vulnerable to malware attacks and software defects. In this paper, we undertake the first attempt to systematically understand the security vulnerabilities in various file systems. We conduct an empirical study of 157 real cases reported in Common Vulnerabilities and Exposures (CVE). We characterize the file system vulnerabilities in different dimensions that include the common vulnerabilities leveraged by adversaries to initiate their attacks, their exploitation procedures, root causes, consequences, and mitigation approaches. We believe the insights derived from this study have broad implications related to the further enhancement of the security aspect of file systems, and the associated vulnerability detection tools.

∗The work was performed when the author was a visiting student in the Systems and Platform Research Group at UIUC.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].
APSys ’19, August 19–20, 2019, Hangzhou, China
© 2019 Association for Computing Machinery.
ACM ISBN 978-1-4503-6893-3/19/08...$15.00
https://doi.org/10.1145/3343737.3343753

1 INTRODUCTION

File system (fs) is crucial to the data integrity and security in modern computer systems. Although it has been developed for decades with applying numerous data protection techniques such as access control and sanity checking [6, 17, 20, 24, 25, 32], file systems are suffering from a significant number of malware attacks, and they often fail to protect users from severe damages, such as data loss and leakage, denial of service (DoS), systems crashes, and even full system compromise [15, 34, 36, 37].

Although prior research has performed intensive studies on file systems bugs [16, 21, 29], bug-detection tools [27, 41–43], and formal verification for bug-free implementation [1, 3, 5, 33], few studies investigate their security vulnerabilities. There is no quantitative research demonstrating their root causes and consequences. Moreover, there is no study demonstrating how malicious users exploit these vulnerabilities to successfully initiate the attacks, and pose a great threat to the user data and even the safety of the whole system.

In this paper, we conduct the first systematic study on the security vulnerabilities in Linux file systems. We study 157 real-world cases related to file systems from the list of Common Vulnerabilities and Exposures (CVE). These cases are committed from the year of 1999 to 2019, and cover a variety of file systems that include eight on-disk fs implementations such as Ext4, XFS [38], and F2FS [18], two in-memory fs like tmpfs, and the virtual file system (VFS). Note that our study mainly focuses on the security aspects of the fs design and implementation. We use the CVE list as our resource pool, because all the reported cases are confirmed by security experts, and they represent the real-world threat models.

In order to fully understand each security case, we develop a vulnerability analysis model, which includes three major steps: vulnerability reproducing, attack exploitation, and consequence confirmation. We use this analysis model to guide our study of all the cases, and investigate the fs vulnerabilities in different dimensions, including what are their major consequences? what are the common root causes of these vulnerabilities? what are the popular fs components that have been exploited by attackers? and how attackers leverage the fs features to initiate their attacks?

To be specific, we identify four major types of consequences that include denial of service (DoS) (75%), data leakage (12%), access permission bypass (7%), and privilege escalation (6%), in which the DoS is the major consequence of fs vulnerabilities. As for the root causes of these vulnerabilities, we find that they are mainly caused by sanity checking (45%), memory errors with fs data structures (23%), race condition in concurrency implementation (8%), and file permission (10%). These are the common issues that have been exploited by attackers. Unfortunately, it is challenging to automatically detect and fix many of them, especially for those that are closely related to high-level system semantic and specifications [13], such as sanity checking issues.

Furthermore, as we map the fs vulnerabilities to fs core components, including namespace management, inode management, superblock management, block allocation, page cache, file management, crash-safety model, permission model, and dentry management, we pinpoint that metadata management is the most vulnerable component in file systems, which occupies 74% of the total fs vulnerabilities. As we expected, fs features could facilitate attackers to compromise the file systems and even the entire computer systems. We validate that adversaries usually exploit the unique fs features such as block management and data consistency model to increase the chances of successful attacks. For instance, attackers would exploit the data inconsistency between page cache and disk with hole punching operations to cause disk data corruption in Ext4 (see CVE-2015-8839). We wish our findings could facilitate the file systems development on the aspects of systems security and data protection, as well as the associated vulnerability detection tools.

The rest of this paper is organized as follows. § 2 describes our study methodology. § 3 presents the consequences and causes. We discuss how fs vulnerabilities are related to fs components in § 4, and present how attackers would exploit fs features to initiate their attacks in § 5. § 6 presents the related work. We conclude the paper in § 7.

Table 1: Summary of Linux fs vulnerabilities.

Name      Description                          Release Year  #CVEs
Ext4      A journaling fs with extents         2008          39
VFS       Virtual file system                  1995          37
XFS       A journaling fs created by SGI       1993          20
F2FS      A flash-friendly fs                  2013          15
Btrfs     A copy-on-write based fs             2009          13
procfs    A virtual memory file system         2001          9
Ext2      An extended fs                       1993          6
Ext3      A journaling fs                      2001          6
tmpfs     A virtual memory fs                  2001          5
ReiserFS  A journaling fs created by Namesys   2001          4
JFS       A journaling fs created by IBM       1990          3
Total                                                        157

2 STUDY METHODOLOGY

In this work, we focus on the study of the security vulnerabilities in widely used file systems. We collected the cases related to the file systems by searching the keywords of “file systems” and fs names like “Ext4” via the search functionality of CVE. We use the CVE cases as our study samples for two

In order to precisely categorize each CVE case, we manually examine the committed report, problem description, and posted blogs following the approaches described in prior bug-study work [11, 21]. For the cases whose source codes are available, we also check the corresponding source codes and the associated committed patches, and reproduce them to further understand and confirm the vulnerability.

Similar to prior characteristic studies that may suffer from limitations on sampling, we take our best effort to collect the vulnerabilities available in the CVE list. Given that we focus on the popular and representative file systems, we believe that these limitations do not invalidate our study result. Also, we encourage readers to focus on the root causes behind each individual case rather than the precise numbers, since a single vulnerability could produce massive damages.

Vulnerability analysis model. To facilitate our study, we develop a vulnerability analysis model, which includes three major steps: vulnerability reproducing, attack exploitation, and consequence confirmation, as described as follows.

• Vulnerability reproducing. To initiate a successful attack, the adversary has to verify the effectiveness of the vulnerability, as it reveals the weakness of the file systems. Typical file system weaknesses include poor isolation between namespaces, and insufficient enforcement of file permission model. In this step, we reproduce the vulnerabilities according to the external references in the CVE. For each vulnerability, we generate a reproduction report which describes the conditions to trigger the specific vulnerability.

• Attack exploitation. Adversary would combine various attack methods to conduct the attack. Typical attack methods include heap spray, return oriented programming (ROP), and buffer overflow. Similar to the vulnerability reproduction, we also generate a report for the attack exploitation, which records the detailed attack methods of the exploitation and adversary capability.

• Consequence confirmation. With attack exploitation, the adversary would initiate the attacks to the file systems and even the entire computer system. Typical consequences include denial of service, data leakage and loss, access per-
