Example section is sufficient - full example not necessary in lead
Citation bot m Alter: template type. Add: citeseerx, journal. Removed URL that duplicated unique identifier. Removed parameters. Some additions/deletions were actually parameter name changes. | You can use this bot yourself. Report bugs here. | Activated by User:AManWithNoPlan | via #UCB_webform
Line 57:
In the case of BSD 4.3 mail utility and mktemp(),<ref>{{cite web|url=http://linux.die.net/man/3/mktemp|title=mktemp(3) - Linux man page}}</ref> the attacker can simply keep launching mail utility in one process, and keep guessing the temporary file names and keep making symlinks in another process. The attack can usually succeed in less than one minute.
Techniques for single-stepping a victim program include file system mazes<ref>{{cite
File system mazes force the victim to read a directory entry that is not in the OS cache, and the OS puts the victim to sleep while it is reading the directory from disk. Algorithmic complexity attacks force the victim to spend its entire scheduling quantum inside a single system call traversing the kernel's hash table of cached file names. The attacker creates a very large number of files with names that hash to the same value as the file the victim will look up.
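Review bot: the reference attached to "file system mazes" in the sentence "Techniques for single-stepping a victim program include file system mazes<ref>{{cite" is cut off with no closing }}</ref> shown, and the sentence as displayed names only file system mazes, while the paragraph that follows describes two techniques, file system mazes and algorithmic complexity attacks. Confirm that the template-type change in this edit left the ref closed and that algorithmic complexity attacks are still named and cited in that sentence; the other refs in this diff use the |last1= |first1= |year= |title= |work= |url= parameter set, and the altered template should carry the same fields.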
Line 65:
Despite conceptual simplicity, TOCTOU race conditions are difficult to avoid and eliminate. One general technique is to use [[exception handling]] instead of checking, under the philosophy of EAFP – "It is easier to ask for forgiveness than permission" rather than LBYL – "look before you leap" – in this case there is no check, and failure of assumptions to hold are detected at use time, by an exception.<ref>{{cite book |last=Martelli |first=Alex |authorlink=Alex Martelli |year=2006 |title=Python in a Nutshell |edition=2nd |chapter=Chapter 6: Exceptions |publisher=[[O'Reilly Media]] |isbn=978-0-596-10046-9 |page=134}}</ref>
In the context of file system TOCTOU race conditions, the fundamental challenge is ensuring that the file system cannot be changed between two system calls. In 2004, an impossibility result was published, showing that there was no portable, deterministic technique for avoiding TOCTOU race conditions.<ref>{{cite
Since this impossibility result, libraries for tracking [[file descriptor]]s and ensuring correctness have been proposed by researchers.<ref>{{cite web |last1=Tsafrir |first1=Dan |last2=Hertz |first2=Tomer |last3=Wagner |first3=David |last4=Da Silva |first4=Dilma |authorlink4=Dilma Da Silva |date=June 2008 |title=Portably Preventing File Race Attacks with User-Mode Path Resolution |work=Technical Report RC24572, [[Thomas J. Watson Research Center|IBM T. J. Watson Research Center]], Yorktown Heights (NY) |url=http://domino.watson.ibm.com/library/CyberDig.nsf/1e4115aea78b6e7c85256b360066f0d4/c4028924309762d18525746e004a4feb}}</ref>
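Review bot: the Tsafrir et al. 2008 citation in "Since this impossibility result ..." uses {{cite web}} for a technical report (|work=Technical Report RC24572, IBM T. J. Watson Research Center, Yorktown Heights), which is the kind of template-type mismatch this edit's summary says it is fixing; {{cite report}} with |number=RC24572 and |institution=IBM T. J. Watson Research Center describes it correctly. In the same hunk, the ref for the 2004 impossibility result is truncated after "<ref>{{cite" with no closing }}</ref>, and the sentence itself does not name the paper or its authors, so verify that the ref resolves to a complete citation in the saved revision.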
Line 73:
[[File locking]] is a common technique for preventing race conditions for a single file, but it does not extend to the file system namespace and other metadata, nor does locking work well with networked filesystems, and cannot prevent TOCTOU race conditions.
For setuid binaries a possible solution is to use the <code>seteuid()</code> system call to change the effective user and then perform the <code>open()</code>. Differences in <code>setuid()</code> between operating systems can be problematic.<ref>{{cite web |author1=Hao Chen |last2=Wagner |first2=David |last3=Dean |first3=Drew |date=2002-05-12 |title=Setuid Demystified |url=http://www.cs.berkeley.edu/~daw/papers/setuid-usenix02.pdf
==See also==
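Review bot: in the "Setuid Demystified" ref, |author1=Hao Chen is mixed with |last2=/|first2= for the remaining authors; use |last1=Chen |first1=Hao so the author list renders in one style (the other refs in this diff use last/first throughout, e.g. |last1=Tsafrir |first1=Dan). The template is also cut off after |url=...setuid-usenix02.pdf with no closing }}</ref> shown, so confirm it closes in the saved revision and that a venue (|work= or a {{cite conference}} |book-title=) is present, since the file name indicates a conference paper rather than a bare web page.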
Line 82:
==Further reading==
* {{cite web |last1=Bishop |first1=Matt |last2=Dilger |first2=Michael |year=1996 |title=Checking for Race Conditions in File Accesses |work=Computing Systems |volume=9 |number=2 |pages=131–152 |url=http://nob.cs.ucdavis.edu/bishop/papers/1996-compsys/racecond.pdf
* {{cite web |last1=Tsafrir |first1=Dan |last2=Hertz |first2=Tomer |last3=Wagner |first3=David |last4=Da Silva |first4=Dilma |year=2008 |title=Portably Solving File TOCTTOU Races with Hardness Amplification |work=Proceedings of the 6th USENIX Conference on File and Storage Technologies (FAST '08), San Jose (CA), February 26–29, 2008 |pages=189–206 |url=http://www.cs.berkeley.edu/~daw/papers/tocttou-fast08.pdf
[[Category:Computer security exploits]]
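Review bot: both Further reading entries still show {{cite web}} for papers carrying full bibliographic data. The Bishop & Dilger entry has |work=Computing Systems |volume=9 |number=2 |pages=131–152, a journal article that belongs in {{cite journal}} with |journal=Computing Systems, and the Tsafrir et al. entry has |work=Proceedings of the 6th USENIX Conference on File and Storage Technologies (FAST '08) ... |pages=189–206, a conference paper that belongs in {{cite conference}} with |book-title=. If the "Alter: template type" in this edit already converted them, the displayed lines are cut off after |url= and do not show it; either way both lines end without the closing }} visible, so confirm they close in the saved revision.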