Time-of-check to time-of-use: Difference between revisions

Content deleted Content added
m Dated {{Or}}. (Build p613)
Preventing TOCTTOU: accessat doesn't exist, and the *at functions don't work that way anyway.
Line 66:
In the context of file system TOCTTOU race conditions, the fundamental challenge is ensuring that the file system cannot be changed between two system calls. In 2004, an impossibility result was published, showing that there was no portable, deterministic technique for avoiding TOCTTOU race conditions.<ref>[http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.83.8647 Dean, Drew; and Hu, Alan J.; 2004; ''Fixing races for fun and profit: How to use access(2)''; Proceedings of the 13th USENIX Security Symposium, San Diego (CA), August 9–13, 2004, pp. 195–206]</ref>
 
Content added:
Since this impossibility result, libraries for tracking file descriptors and ensuring correctness have been proposed by researchers.<ref>[http://domino.watson.ibm.com/library/CyberDig.nsf/1e4115aea78b6e7c85256b360066f0d4/c4028924309762d18525746e004a4feb Tsafrir, Dan; Hertz, Tomer; Wagner, David; and Da Silva, Dilma; 2008; "Portably preventing file race attacks with user-mode path resolution"; Technical Report RC24572, IBM T. J. Watson Research Center; June 2008, Yorktown Heights (NY)]</ref>
Content deleted:
Since this impossibility result, most UNIX systems (including Linux and Solaris) have adopted variants of common file system calls that operate on file handles rather than file names. These calls end in the "at" suffix, such as <code>openat</code>, <code>statat</code>, etc. Because file handles are a private mapping to a file, they cannot be changed by another program and are not subject to race conditions with other applications. The example above can be rewritten using these calls to avoid a TOCTTOU race condition:
 
<source lang="c">
fd = open("file", O_WRONLY);

/* removed in this revision: accessat() does not exist (see edit summary) */
if (accessat(fd, W_OK) != 0) {
    exit(1);
}

write(fd, buffer, sizeof(buffer));
</source>
 
This example is safe from race conditions because the file name "file" is only looked up once. More elaborate libraries for tracking file descriptors and ensuring correctness have been proposed by researchers.<ref>[http://domino.watson.ibm.com/library/CyberDig.nsf/1e4115aea78b6e7c85256b360066f0d4/c4028924309762d18525746e004a4feb Tsafrir, Dan; Hertz, Tomer; Wagner, David; and Da Silva, Dilma; 2008; "Portably preventing file race attacks with user-mode path resolution"; Technical Report RC24572, IBM T. J. Watson Research Center; June 2008, Yorktown Heights (NY)]</ref>
 
An alternative solution proposed in the research community is for UNIX systems to adopt transactions in the file system or the OS kernel. Transactions provide a [[concurrency control]] abstraction for the OS, and can be used to prevent TOCTTOU races. While no production UNIX kernel has yet adopted transactions, proof-of-concept research prototypes have been developed for Linux, including the Valor file system<ref>[http://www.fsl.cs.sunysb.edu/docs/valor/valor_fast2009.pdf Spillane, Richard; Gaikwad, Sachin; Chinni, Manjunath; Zadok, Erez; and Wright, Charles P.; 2009; "Enabling transactional file access via lightweight kernel extensions"; Seventh USENIX Conference on File and Storage Technologies (FAST 2009), San Francisco (CA), February 24–27, 2009]</ref> and the TxOS kernel.<ref>[http://www.sigops.org/sosp/sosp09/papers/porter-sosp09.pdf Porter, Donald E.; Hofmann, Owen S.; Rossbach, Christopher J.; Benn, Alexander; and Witchel, Emmett; 2009; "Operating System Transactions"]; In Proceedings of the 22nd ACM Symposium on Operating Systems Principles (SOSP '09), Big Sky (MT), October 11–14, 2009]</ref> [[Microsoft Windows]] has added transactions to its [[NTFS]] file system.<ref>Russinovich, Mark; and Solomon, David A.; 2009; Windows Internals; Microsoft Press</ref>