TOCTTOU Vulnerabilities in UNIX-Style File Systems: An Anatomical Study

Jinpeng Wei and Calton Pu
Georgia Institute of Technology
{weijp,calton}@cc.gatech.edu

FAST '05: 4th USENIX Conference on File and Storage Technologies, USENIX Association

ABSTRACT

Due to their non-deterministic nature, Time of Check To Time of Use (TOCTTOU) vulnerabilities in Unix-style file systems (e.g., Linux) are difficult to find and prevent. We describe a comprehensive model of TOCTTOU vulnerabilities, enumerating 224 file system call pairs that may lead to successful TOCTTOU attacks. Based on this model, we built kernel monitoring tools that confirmed known vulnerabilities and discovered new ones (in often-used system utilities such as rpm, vi, and emacs). We evaluated the probability of successfully exploiting these newly discovered vulnerabilities and analyzed in detail the system events during such attacks. Our performance evaluation shows that the dynamic monitoring of system calls introduces non-negligible overhead in microbenchmarks of those file system calls, but their impact on application benchmarks such as Andrew and PostMark is only a few percent.

Categories and Subject Descriptors
D.4.3: File Systems Management – Access methods; D.4.5: Reliability – verification; D.4.6: Security and Protection – Access controls.

General Terms
Reliability, Experimentation, Security.

Keywords
Race detection

1 Introduction

TOCTTOU (Time Of Check To Time Of Use) is a well-known security problem [1] in file systems with weak synchronization semantics (e.g., the Unix file system). A TOCTTOU vulnerability requires two steps [2]. First, a vulnerable program checks for a file status. Second, the program operates on the file assuming the original file status remained invariant during execution. For example, sendmail may check for a specific attribute of a mailbox (e.g., it is not a symbolic link) in step one and then append new messages (as root) in step two. Because the two steps are not executed atomically, a local attacker (the mailbox owner) can exploit the window of vulnerability between the two steps by deleting his/her mailbox and replacing it with a symbolic link to /etc/passwd. If the replacement is completed within the window and the new messages happen to be syntactically correct /etc/passwd entries with root access, then sendmail may unintentionally give unauthorized root access to a normal user (the attacker).

TOCTTOU vulnerabilities are a very significant problem. For example, between 2000 and 2004, we found 20 CERT [14] advisories on TOCTTOU vulnerabilities. They cover a wide range of applications, from system management tools (e.g., /bin/sh, shar, tripwire) to user-level applications (e.g., gpm, Netscape browser). A similar list compiled from the BUGTRAQ [16] mailing list is shown in Table 1. The CERT advisories affected many operating systems, including Caldera, Conectiva, Debian, FreeBSD, HP-UX, Immunix, MandrakeSoft, RedHat, Sun Solaris, and SuSE. In 11 of the CERT advisories, the attacker was able to gain unauthorized root access. TOCTTOU vulnerabilities are widespread and cause serious consequences.

Table 1: Reported TOCTTOU Vulnerabilities

  Domain                   Application Name
  ----------------------   ------------------------------------------------------------
  Enterprise applications  Apache, bzip2, gzip, getmail, Imp webmail, procmail,
                           openldap, openSSL, Kerberos, OpenOffice, StarOffice, CUPS,
                           SAP, samba
  Administrative tools     at, diskcheck, GNU fileutils, logwatch, patchadd
  Device managers          Esound, glint, pppd, Xinetd
  Development tools        make, perl, Rational ClearCase, KDE, BitKeeper, Cscope

At the same time, TOCTTOU vulnerabilities are also a very challenging research problem due to their non-deterministic nature. They are very hard to detect, because the occurrence of a TOCTTOU vulnerability requires a pair of certain system calls along the execution path of an application combined with appropriate environmental conditions. So they are more elusive than, say, a buffer overflow bug, which is only a single point of failure. TOCTTOU vulnerabilities are also hard to exploit, because they are essentially race condition errors, so whether an attack can succeed relies on whether the attacking code is executed within the usually narrow window of vulnerability (on the order of milliseconds, as shown in Section 4.2). Furthermore, normal static program analysis tools for detecting race conditions cannot be applied directly, since the attack programs are usually unavailable until the vulnerabilities are discovered.

The first contribution of this paper is a model-based approach to detecting TOCTTOU attacks in Unix-style operating systems. During the 10 years since the first systematic study of the TOCTTOU problem by Bishop [2][3], only partial solutions have been proposed for some instances of the problem [5][6][13]. In this paper, we develop a model and list a comprehensive enumeration of TOCTTOU vulnerabilities for the Linux virtual file system. To the best of our knowledge, this is the most complete study of the TOCTTOU problem so far.

The second contribution of the paper is a systematic search for potential TOCTTOU vulnerabilities in Linux system utility programs. We implemented model-based software tools that are able to detect previously reported TOCTTOU vulnerabilities as well as find some unknown ones (e.g., in the rpm software distribution program and the vi/vim and emacs editors). We conducted a detailed experimental study of successfully exploiting these vulnerabilities and analyzed the significant events during a TOCTTOU attack against the native binaries of rpm and vi. By repeating the experiments, we also evaluated the probability of these events happening, as well as the success rate of these non-deterministic TOCTTOU attacks. These analyses provide a quantitatively better understanding of TOCTTOU attacks.

The rest of the paper is organized as follows. Section 2 summarizes the CUU model of TOCTTOU vulnerabilities. Section 3 describes a framework that detects TOCTTOU vulnerabilities through monitoring of TOCTTOU pairs. Section 4 presents a detailed analysis of events during the attacks on rpm and vi, including a study of attack success probability. Section 5 discusses the accuracy of the detection software tools and shows the measured overhead incurred by the tools. Section 6 summarizes related work and Section 7 concludes the paper.

2 The CUU Model of TOCTTOU

2.1 Broad Definition of TOCTTOU

A necessary condition for a TOCTTOU vulnerability to happen is a pair of system calls (referred to as a "TOCTTOU pair" in this paper) operating on the same disk object using a file pathname. The first system call (referred to as the "CU-call") establishes some preconditions about the file (e.g., the file exists, the current user has write privilege to the file, etc.). The second system call (referred to as the "Use-call") operates on the file based on those preconditions. In our model, the preconditions about the file can be established either explicitly (e.g., access or stat) or implicitly (e.g., open or creat). Therefore, the TOCTTOU name is more restrictive than our model. Our model includes the original check-use system call pairs [2][3], plus use-use pairs. For example, a program may attempt to delete a file (instead of checking whether the file exists) before creating it. Consequently, the pair <delete, create> is also considered a (broadly defined) TOCTTOU pair.

2.2 An Enumeration of TOCTTOU Pairs in Linux

We apply this model (called CUU) to the concrete situation of analyzing TOCTTOU problems in Linux. To get a complete list of TOCTTOU pairs, we first find the complete CUSet (the set of CU-calls) and UseSet (the set of Use-calls). We select these two sets of kernel calls from the functional specification of the Linux file system. We started from file system calls that require a pathname as input, and then filtered out those that are unlikely to be leveraged in a TOCTTOU attack. For example, swapon does not follow symbolic links, so it is not included in the UseSet (here we assume that all TOCTTOU attacks based on swapon are symbolic-link attacks). Finally we got the following CUSet and UseSet:

- CUSet = { access, stat, open, creat, mknod, link, symlink, mkdir, unlink, rmdir, rename, execve, chmod, chown, truncate, utime, chdir, chroot, pivot_root, mount }
- UseSet = { creat, mknod, mkdir, rename, link, symlink, open, execve, chdir, chroot, pivot_root, mount, chmod, chown, truncate, utime }

Although some system calls may appear unlikely candidates, they have been included after careful analysis. For example, mknod is in the UseSet because it is able to create a new regular file, a function that is rarely known.

This classification into CUSet and UseSet is not structured enough for a complete analysis, because some CU-calls and Use-calls are semantically unrelated. For example, <creat, chdir> is not a meaningful pair, because creat creates a regular file while chdir expects a directory as its argument. So we need to subdivide CUSet and UseSet so that a TOCTTOU pair at least applies to the same kind of storage object (e.g., regular file, directory, or link). Thus we define the following sets.

Definition 1: CreationSet contains system calls that create new objects in the file system. It can be further divided into three subsets depending on the kind of object that the system call creates:

CreationSet = FileCreationSet ∪ LinkCreationSet ∪ DirCreationSet, where
  FileCreationSet = {creat, open, mknod, rename}
  LinkCreationSet = {link, symlink, rename}
  DirCreationSet = {mkdir, rename}

Definition 2: RemoveSet contains system calls that remove objects from the file system. It can be further divided into three corresponding subsets:

RemoveSet = FileRemoveSet ∪ LinkRemoveSet

Group 2 preconditions can be established by CU-calls in the CheckSet, or by CU-calls in the CreationSet (a file/directory/link exists after it is created), or by CU-calls in the NormalUseSet. These are followed by corresponding Use-calls. The link-related calls are paired with both FileNormalUseSet and DirNormalUseSet, because a link can point to either a regular file or a directory.
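The sendmail-style <check, open> pair from the introduction, driven through a simulated race in a private temporary directory, as an added illustration that is not part of the paper: the check (lstat, standing in for the "not a symbolic link" test) passes on a regular file, the pathname is re-bound inside the window, and the racy use step follows the new binding while the hardened one (open with O_NOFOLLOW plus fstat on the descriptor) refuses it. Function names, the /tmp location and the "mailbox"/"target" file names are constructed for this example.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Time of check: "the mailbox is not a symbolic link" (a CU-call on the pathname). */
static int check_not_symlink(const char *path) {
    struct stat st;
    return lstat(path, &st) == 0 && !S_ISLNK(st.st_mode);
}

/* Racy time of use: a second pathname lookup, so <lstat, open> is a TOCTTOU pair;
   whatever the path names *now* is opened, not what lstat() saw. */
static int open_racy(const char *path) {
    return open(path, O_WRONLY | O_APPEND);
}

/* Hardened use: one lookup that refuses to follow a symlink, then the object type
   is verified on the descriptor (fstat), never through the pathname again. */
static int open_safe(const char *path) {
    int fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) { close(fd); return -1; }
    return fd;
}

/* Simulated race: check passes on a regular "mailbox", the path is re-bound to a
   symlink inside the window, then the use step runs. Returns 1 if the append
   landed in the symlink's "target" (check bypassed), 0 if it was refused. */
int simulate(int hardened) {
    char dir[] = "/tmp/tocttou_XXXXXX", mbox[64], target[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(mbox, sizeof mbox, "%s/mailbox", dir);
    snprintf(target, sizeof target, "%s/target", dir);
    close(open(mbox, O_WRONLY | O_CREAT, 0600));
    close(open(target, O_WRONLY | O_CREAT, 0600));
    int ok = check_not_symlink(mbox);          /* time of check: a regular file */
    unlink(mbox); symlink(target, mbox);       /* re-binding inside the window */
    int fd = ok ? (hardened ? open_safe(mbox) : open_racy(mbox)) : -1;
    if (fd >= 0) { (void)write(fd, "x", 1); close(fd); }   /* time of use */
    struct stat st;
    int landed = stat(target, &st) == 0 && st.st_size > 0;
    unlink(mbox); unlink(target); rmdir(dir);
    return landed;
}

int main(void) {
    printf("racy: landed=%d  hardened: landed=%d\n", simulate(0), simulate(1));
    return 0;
}
```

The same fstat-after-open discipline applies to the use-use pairs of Section 2.1: once a descriptor is held, every later check or operation should go through it rather than through a pathname lookup.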