Time-of-check to time-of-use: Difference between revisions

Add a few notes about non-fs TOCTTOU races and file locking.
m Fix a page link
This example is safe from the race because the file name "file" is looked up only once; every subsequent check and operation goes through the file descriptor returned by that single lookup, so an attacker who re-binds the name afterwards changes only what a later lookup would find, not the object the program already holds. More elaborate libraries for tracking file descriptors and ensuring correctness have been proposed by researchers<ref>Tsafrir, Dan; Hertz, Tomer; Wagner, David and Da Silva, Dilma; 2008; [http://domino.watson.ibm.com/library/CyberDig.nsf/1e4115aea78b6e7c85256b360066f0d4/c4028924309762d18525746e004a4feb "Portably preventing file race attacks with user-mode path resolution"]; Technical Report RC24572, IBM T. J. Watson Research Center; June 2008, Yorktown Heights, New York.</ref>.
 
An alternative solution proposed in the research community is for UNIX systems to adopt transactions in the file system or the OS kernel. Transactions provide a [[concurrency control]] abstraction for the OS: a check and the use that depends on it are executed as one atomic unit, so no other process can change the namespace between them, which rules out TOCTTOU races. While no production UNIX kernel has adopted transactions, proof-of-concept research prototypes have been developed for Linux, including the Valor file system<ref>Spillane, Richard; Gaikwad, Sachin; Chinni, Manjunath; Zadok, Erez and Wright, Charles P.; 2009; [http://www.fsl.cs.sunysb.edu/docs/valor/valor_fast2009.pdf "Enabling transactional file access via lightweight kernel extensions"]; Seventh USENIX Conference on File and Storage Technologies (FAST 2009)</ref> and the TxOS kernel<ref>Porter, Donald E.; Hofmann, Owen S.; Rossbach, Christopher J.; Benn, Alexander and Witchel, Emmett; 2009; [http://www.sigops.org/sosp/sosp09/papers/porter-sosp09.pdf "Operating System Transactions"]; In the Proceedings of the 22nd ACM Symposium on Operating Systems Principles (SOSP '09), Big Sky, MT, October 2009.</ref>. Microsoft Windows added transactions to its NTFS file system (Transactional NTFS, TxF)<ref>Russinovich, Mark and Solomon, David A.; 2009; Windows Internals; Microsoft Press</ref>, although Microsoft has since deprecated the feature and advises against relying on it.
 
[[File locking]] is a common technique for preventing races on the contents of a single file between cooperating processes, but a lock attaches to the open file (the inode), not to the path name. It does not extend to the file system namespace or other metadata, so it does nothing to stop the name from being re-bound (for example by renaming a symbolic link over it) between a check and a use; a process that re-resolves the path afterwards simply gets a different, unlocked object. File locking therefore cannot by itself prevent TOCTTOU race conditions.