STING: Finding Name Resolution Vulnerabilities in Programs Hayawardh Vijayakumar, Joshua Schiffman and Trent Jaeger Systems and Internet Infrastructure Security Laboratory, Department of Computer Science and Engineering, The Pennsylvania State University hvijay,jschiffm,tjaeger @cse.psu.edu f g Abstract the same object. When a program needs access to a re- source, it presents a name to a name server, which uses The process of name resolution, where names are re- a mechanism called name resolution to obtain the corre- solved into resource references, is fundamental to com- sponding resource. puter science, but its use has resulted in several classes While name resolution simplifies programming in of vulnerabilities. These vulnerabilities are difficult for many ways, its use has also resulted in several types programmers to eliminate because their cause is exter- of vulnerabilities that have proven difficult to eliminate. nal to the program: the adversary changes namespace Adversaries may control inputs to the name resolution bindings in the system to redirect victim programs to a process, such as namespace bindings, which they can resource of the adversary’s choosing. Researchers have use to redirect victims to resources of the adversaries’ also found that these attacks are very difficult to prevent choosing. Programmers often fail to prevent such at- systematically. Any successful defense must have both tacks because they fail to validate names correctly, fol- knowledge about the system namespace and the program low adversary-supplied namespace bindings, or lack in- intent to eradicate such attacks. As a result, finding and sight into which resources are accessible to adversaries. fixing program vulnerabilities to such as attacks is our Table1 lists some of the key classes of these vulnerabil- best defense. In this paper, we propose the STING test ities. engine, which finds name resolution vulnerabilities in programs by performing a dynamic analysis of name res- While a variety of system defenses for these attacks olution processing to produce directed test cases when- have been proposed, particularly for name resolution at- ever an attack may be possible. The key insight is that tacks based on race conditions [14, 20, 22, 39, 40, 48, 50– such name resolution attacks are possible whenever an 52, 57], researchers have found that such defenses are adversary has write access to a directory shared with the fundamentally limited by a lack of knowledge about the victim, so STING automatically identifies when such di- program [12]. Thus, the programmers’ challenge is to rectories will be accessed in name resolution to produce find such vulnerabilities before adversaries do. How- test cases that are likely to indicate a true vulnerability ever, finding such vulnerabilities is difficult because the if undefended. Using STING, we found 21 previously- vectors for name resolution attacks are outside the pro- unknown vulnerabilities in a variety of Linux programs gram. Table1 shows that adversaries may control names- on Ubuntu and Fedora systems, demonstrating that com- pace bindings to redirect victims to privileged resources prehensive testing for name resolution vulnerabilities is of their choice, using what we call improper binding at- practical. tacks or redirect victims to resources under the adver- saries’ control, using what we call improper resource at- tacks. Further, both kinds of attacks may leverage the 1 Introduction non-atomicity of various system calls to create races, such as the time-of-check-to-time-of-use (TOCTTOU) The association between names and resources is funda- attacks [6,38], which makes them even more difficult for mental to computer science. Using names frees computer victims to detect. programmers from working with physical references to Researchers have explored the application of dynamic resources, allowing the system to store resources in the and static analysis to detect namespace resolution at- way that it sees fit, and enables easy sharing of resources, tacks. Dynamic analyses [1, 32, 35, 36, 56] log observed where different programs may use the different names for system calls to detect possible problems, such as check- Attack CWE ID engine, which finds name resolution vulnerabilities in Improper Binding Attacks programs by performing a dynamic analysis of name res- UNIX Symlink Following CWE-61 olution processing to produce directed test cases when- UNIX Hard Link Following CWE-62 ever an attack may be possible. STING is an extension Improper Resource Attacks to a Linux Security Module [58] that implements the ad- Resource Squatting CWE-283 ditional methods described above to provide comprehen- Untrusted Search Path CWE-426 Attacks Caused by Either Bindings or Resources sive, system-wide testing for name resolution vulnera- TOCTTOU Race Condition CWE-362 bilities. Using STING, we found 21 previously-unknown name resolution vulnerabilities in 19 different programs, Table 1: Classes of name resolution attacks. ranging from startup scripts to mature programs, such as cups, to relatively new programs, such as x2go. We de- tail several bugs to demonstrate the subtle cases that can use pairs that may be used in TOCTTOU attacks. How- be found using STING. Tests were done on Ubuntu and ever, the existence of problems does not necessarily Fedora systems, where interestingly some bugs only ap- mean that the program is vulnerable. Many of the check- peared on one of the two systems because of differences use pairs found were not exploitable. Static analyses use in the access control policies that implied different ad- syntactic analyses [6,53] and/or semantic models of pro- versary access. grams to check for security errors [15, 44], sometimes This research makes the following novel contribu- focusing on race conditions [27]. These static analyses tions: do not model the system environment, however, so they often produce many false positives. In addition, several We find that name resolution attacks are always pos- • of these analyses result in false negatives as they rely sible whenever a victim resolves a name using a on simpler models of program behavior (e.g., finite state directory where its adversaries have permission to machines), limited alias analysis, and/or manual annota- create files and/or links, as defined in Section3. If a tions. victim uses such a directory in resolving a name, an The key insight is that such name resolution attacks adversary may redirect them to a resource of the ad- are possible only when an adversary has write access to versary’s choosing, compromising victims that use a directory shared with the victim. Using this write ac- such resources unwittingly. cess, adversaries can plant files with names used by vic- We develop a method for generating directed test tims or create bindings to redirect the victim to files of • cases automatically that uses a dynamic analysis to the adversaries’ choice. Chari et al. [14] demonstrated detect when an adversary could redirect a name res- that when victims use such bindings and files planted by olution in Section 4.1. adversaries attacks are possible, so they built a system mechanism to authorize the bindings used in name reso- We develop a method for system-wide test case pro- lution. However, we find that only a small percentage of • cessing that detects where victims are vulnerable to name resolutions are really accessible to adversaries and name resolution attacks, restores program state to most of those are defended by programs. Further, the continue testing, and manages the testing coverage solution proposed by Chari et al. is prone to false posi- in Section 4.2. tives, as any pure system solution is, because it lacks in- formation about the programs’ expected behaviors [12]. We implement a prototype system STING for Linux • Instead, we propose to test programs for name resolu- 3.2.0 kernel, and run STING on the current versions tion vulnerabilities by having the system assume the role of Linux distributions, discovering 21 previously- of an adversary, performing modifications that an adver- unknown name resolution vulnerabilities in 13 dif- sary is capable of, at runtime. Using the access control ferent programs. Perhaps even more importantly, policy and a list of adversarial subjects, the system can STING finds that 90% of adversary-accessible name determine whether an adversary has write access to a di- resolutions are defended by programs correctly, rectory to be used in a name resolution. If so, the sys- eliminating many false positives. tem prepares an attack as that adversary would and de- tect whether the program was exploited or immune to We envision that STING could be integrated into sys- the attack (e.g., did the program follow the symbolic link tem distribution testing to find programs that do not ef- created?). This is akin to directed black-box testing [23], fectively defend themselves from name resolution at- where a program is injected with a dictionary of com- tacks given that distribution’s access control policy be- monly known attacker inputs. fore releasing that distribution to the community of In this paper, we design and implement the STING test users. 2 Problem Definition unexpected binding to a resource the adversary controls. Instances of these attacks depend on the namespace. Processes frequently require system level resources like For example, the filesystem namespace is often exploited files, libraries, and sockets. Since the system’s manage- through malicious path bindings like symbolic links and ment of these objects is unknown to the process, names the creation of files with frequently used names. Con- are used as convenient references to the desired resource. sider a mail reader program running as root attempting A name resolution server is responsible for converting to check mail from /var/mail/root. Users in the mail the requested resource name to the desired object via a group are permitted to place files in this directory for the namespace binding. Typical namespaces in Unix-based program to read and send.
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages15 Page
-
File Size-