1 Multiprocessors May Reduce System Dependability Under File-based Race Condition Attacks Jinpeng...

Post on 03-Jan-2016


1

Multiprocessors May Reduce System Dependability Under File-based Race Condition Attacks

Jinpeng Wei, Calton Pu
Georgia Institute of Technology
Atlanta, Georgia, USA

Presented at DSN-DCCS, June 28, 2007

2

System Dependability: Brief History

- Traditionally focused on availability and reliability (have redundancy, keep running)
- Now security and safety are urgent issues
  - Widely deployed software systems have bugs
  - Software systems are under constant attack: intended behavior != actual behavior

3

Multiprocessors: Boon or Bane?

- Definitely they are good
  - Better performance
  - Lower power consumption
  - More secure: intrusion detection systems
- Unless they fall into bad hands...
  - The attacker can become faster in a race condition attack, thus making the system less secure.

4

It’s Much Easier to Attack TOCTTOU Vulnerabilities on Multiprocessors

[Bar chart: success rate (%) of attacking vi and gedit, uniprocessor vs. multiprocessor; y-axis 0 to 120]

5

Agenda

- Background about TOCTTOU and the vulnerabilities with vi and gedit
- A probabilistic model for TOCTTOU attacks
- Probability analysis of exploiting vi
- Probability and event analysis of exploiting gedit
- Parallelizing the attack program on a multiprocessor
- Conclusion

6

Definition and Scope

- TOCTTOU: Time Of Check To Time Of Use, a kind of file-based race condition in Unix-style systems
- Check: establish some precondition (invariant) about a file
- Use: operate on the file assuming that the invariant is still valid

7

Sendmail Example

Sendmail runs as root and operates on files owned by normal users.

Check: is /home/abc/mailbox a symbolic link?
  Yes -> error handling
  No  -> proceed to Use
Establishing the invariant: /home/abc/mailbox is NOT a symbolic link.

Use: append the new message to /home/abc/mailbox, assuming the invariant still holds.

8

Sendmail Vulnerability: An Example

Time line (Sendmail runs as root, the attacker as user abc):

1. Sendmail (Check): is /home/abc/mailbox a symbolic link? No.
2. Attacker: delete /home/abc/mailbox.
3. Attacker: create symbolic link mailbox, pointing to /etc/passwd.
4. Sendmail (Use): append the new message to /home/abc/mailbox (actually to /etc/passwd).

Effect: the attacker may get unauthorized root access!

9

TOCTTOU Vulnerabilities in Red Hat Linux 9 [1]

Application   TOCTTOU errors    Possible exploit
vi            <open, chown>     Changing the owner of /etc/passwd to an ordinary user
gedit         <rename, chown>   Changing the owner of /etc/passwd to an ordinary user
rpm           <open, open>      Running arbitrary command
emacs         <open, chmod>     Making /etc/shadow readable by an ordinary user

Tested: ~130 utilities from /bin, /sbin and /usr/bin

[1] Jinpeng Wei, Calton Pu. FAST’05

10

vi 6.1 Vulnerability

The vulnerability happens when
- vi is run by root
- vi is editing a file owned by a normal user (also the attacker)
- vi saves the file being edited

TOCTTOU pair: <open, chown>
- open creates a new file for writing
- chown changes the owner of the new file to the normal user.

    while ((fd = mch_open((char *)wfname, …)
        …
        …
    chown((char *)wfname, st_old.st_uid, st_old.st_gid);

11

gedit 2.8.3 Vulnerability

Similar to the vi vulnerability:
- gedit is run by root
- gedit is editing a file owned by a normal user (also the attacker)
- gedit saves the file being edited

TOCTTOU pair: <rename, chown>
- rename creates a new file
- chown changes the owner of the new file to the normal user.

    /* create and write to temp_filename … */
    if (rename (temp_filename, real_filename) != 0) { … }
    chmod (real_filename, st.st_mode);
    chown (real_filename, st.st_uid, st.st_gid);
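Both pairs above (vi's <open, chown> on slide 10 and gedit's <rename, chown> here) apply chown and chmod to a path name after the file has been created, so whatever the path resolves to at the time of the second call receives the ownership change. The following is an added example, not code from vi, gedit or the paper, of the descriptor-based way to close that window: open with O_NOFOLLOW so a symbolic link in the last component is refused, confirm with fstat that a plain, singly linked file was opened, and then apply fchown/fchmod to the descriptor, which cannot be redirected. The function names save_file_hardened and demo_hardened_save, the temporary-directory layout and the file contents are all constructed for this example.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Descriptor-based counterpart of the "create/rename, then chown(path)"
 * sequence in vi and gedit.  Added example; not code from either editor
 * or from the paper.  After open() no path is looked up again, so a link
 * swapped in during the window cannot redirect fchown/fchmod.
 * Returns 0 on success, -1 with errno set on failure. */
int save_file_hardened(const char *path, const char *buf, size_t len,
                       uid_t uid, gid_t gid, mode_t mode)
{
    struct stat st;
    int saved;
    /* O_NOFOLLOW: ELOOP if the last component is a symlink, i.e. exactly
     * the substitution the attack program on slide 12 performs.  No
     * O_TRUNC yet: inspect what was opened before touching its data. */
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0)
        goto fail;
    /* A hard link to a sensitive file survives O_NOFOLLOW, so also insist
     * on a regular file with a single link before truncating it. */
    if (!S_ISREG(st.st_mode) || st.st_nlink != 1) {
        errno = EPERM;
        goto fail;
    }
    if (ftruncate(fd, 0) != 0)
        goto fail;
    for (size_t done = 0; done < len; ) {            /* tolerate short writes */
        ssize_t n = write(fd, buf + done, len - done);
        if (n < 0 && errno == EINTR)
            continue;
        if (n < 0)
            goto fail;
        done += (size_t)n;
    }
    /* Ownership and mode are applied to the descriptor, never to the path. */
    if (fchown(fd, uid, gid) != 0 || fchmod(fd, mode) != 0)
        goto fail;
    return close(fd);
fail:
    saved = errno;
    close(fd);
    errno = saved;
    return -1;
}

/* Self-check on constructed files in a fresh temporary directory.  Returns 0
 * when the hardened save writes a regular file and refuses a symlink while
 * leaving the link's target untouched; other values name the failing step. */
int demo_hardened_save(void)
{
    const char *base = getenv("TMPDIR");
    char dir[256], regular[512], target[512], link[512], back[64] = {0};
    const char msg[] = "constructed file contents\n";   /* constructed sample */
    const char sentinel[] = "must survive\n";           /* constructed sample */
    struct stat st;
    int fd, rc = 0;

    snprintf(dir, sizeof dir, "%s/toctou-demo-XXXXXX", base ? base : "/tmp");
    if (mkdtemp(dir) == NULL)
        return 1;
    snprintf(regular, sizeof regular, "%s/regular.txt", dir);
    snprintf(target, sizeof target, "%s/protected.txt", dir);
    snprintf(link, sizeof link, "%s/link.txt", dir);

    /* Step 1: a regular file is written and reads back intact. */
    if (save_file_hardened(regular, msg, strlen(msg), getuid(), getgid(), 0644) != 0)
        rc = 2;
    else if ((fd = open(regular, O_RDONLY)) < 0)
        rc = 3;
    else {
        if (read(fd, back, sizeof back - 1) != (ssize_t)strlen(msg) || strcmp(back, msg) != 0)
            rc = 3;
        close(fd);
    }
    /* Step 2: a symlink standing in for the attacker's substitution is
     * refused with ELOOP and its target keeps its original size. */
    if (rc == 0) {
        fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
        if (fd < 0 || write(fd, sentinel, strlen(sentinel)) < 0 || symlink(target, link) != 0)
            rc = 4;
        if (fd >= 0)
            close(fd);
    }
    if (rc == 0 && (save_file_hardened(link, msg, strlen(msg), getuid(), getgid(), 0644) == 0
                    || errno != ELOOP))
        rc = 5;
    if (rc == 0 && (stat(target, &st) != 0 || st.st_size != (off_t)strlen(sentinel)))
        rc = 6;

    unlink(link); unlink(target); unlink(regular); rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = demo_hardened_save();
    printf("hardened save self-check: %s (code %d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc;
}
```

The general rule this illustrates: once the check has been done on a descriptor (fstat), every later operation must also go through that descriptor; any call that takes the path again (chown, chmod, rename, a second open) reopens the window. O_NOFOLLOW alone is not enough, because a hard link placed in a user-controlled directory is not a symlink, which is why the example also refuses files with st_nlink != 1 before truncating.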

12

An Attack Program

    1  while (!finish) {
    2      if (stat(filename, &stbuf) == 0) {
    3          if ((stbuf.st_uid == 0) && (stbuf.st_gid == 0))
    4          {
    5              unlink(filename);
    6              symlink("/etc/passwd", filename);
    7              finish = 1;
    8          }
    9      }
    10 }

Observation: the file owner temporarily becomes root during the vulnerability window.

Simple, brute-force.

13

Event Analysis of vi Exploit on a Uniprocessor

14

Agenda (same as slide 5)

15

Some Definitions for the Probabilistic Model

- Window of Vulnerability: the time interval between check and use (e.g., <open, chown>).
- Attack pattern: {detection}+ [attack]
  - detection can be run 1 or more times
  - attack can be run 0 or 1 time
- Three process states
  - Suspended: unable to run (relinquishing CPU)
  - Scheduled: able to run (using CPU)
  - Finished: finished the attack actions (symbolic link replacement, etc.)

16

A Probabilistic Model for Predicting TOCTTOU Attack Success Rate

P(attack succeeds) = P(victim suspended) * P(attack scheduled | victim suspended) * P(attack finished | victim suspended)
                   + P(victim not suspended) * P(attack scheduled | victim not suspended) * P(attack finished | victim not suspended)

- P(attack succeeds) on a multiprocessor is not less than that on a uniprocessor, because of the second part of the equation:
  P(attack scheduled | victim not suspended) = 0 on a uniprocessor.
- The success gain due to the second part may become significant when P(victim suspended) is very small.
- But wait, can the attack be finished?
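To make the two-term structure of the equation concrete, here is an added example (mine, not from the paper) that writes the equation as a function and evaluates it for the uniprocessor case, where the slide states the second term is zero, and for a multiprocessor. The multiprocessor value P(attack scheduled | victim not suspended) = 1 is an assumption of this example standing in for "a spare CPU is always available"; the slide only says the term is non-zero. All input probabilities are constructed, not measurements.

```c
#include <stdio.h>

/* The two-term success probability from the slide above, as a function.
 * Added example; the numbers fed to it are constructed, not measured. */
double p_attack_succeeds(double p_susp,      /* P(victim suspended)                    */
                         double p_sched_s,   /* P(attack scheduled | victim suspended) */
                         double p_fin_s,     /* P(attack finished  | victim suspended) */
                         double p_sched_ns,  /* P(attack scheduled | victim not susp.) */
                         double p_fin_ns)    /* P(attack finished  | victim not susp.) */
{
    double while_suspended = p_susp * p_sched_s * p_fin_s;
    double while_running   = (1.0 - p_susp) * p_sched_ns * p_fin_ns;
    return while_suspended + while_running;
}

/* Uniprocessor: the slide states P(attack scheduled | victim not suspended)
 * = 0, so the second term vanishes and only the victim's suspensions help. */
double p_uniprocessor(double p_susp, double p_sched_s, double p_fin_s)
{
    return p_attack_succeeds(p_susp, p_sched_s, p_fin_s, 0.0, 0.0);
}

/* Multiprocessor: assumption for this example only, an idle CPU means the
 * attacker is always scheduled while the victim runs (p_sched_ns = 1). */
double p_multiprocessor(double p_susp, double p_sched_s, double p_fin_s,
                        double p_fin_ns)
{
    return p_attack_succeeds(p_susp, p_sched_s, p_fin_s, 1.0, p_fin_ns);
}

/* The slide's second bullet: the multiprocessor's extra success comes from
 * the second term alone, and it grows as P(victim suspended) shrinks.
 * Returns 1 if the gain never decreases over a sweep of shrinking p_susp. */
int gain_grows_as_suspension_shrinks(double p_sched_s, double p_fin_s,
                                     double p_fin_ns)
{
    double prev_gain = -1.0;
    for (double p_susp = 0.5; p_susp > 1e-4; p_susp /= 10.0) {
        double gain = p_multiprocessor(p_susp, p_sched_s, p_fin_s, p_fin_ns)
                    - p_uniprocessor(p_susp, p_sched_s, p_fin_s);
        if (gain < prev_gain)
            return 0;
        prev_gain = gain;
    }
    return 1;
}

int main(void)
{
    printf("%-10s %-14s %-14s\n", "P(susp)", "uniprocessor", "multiprocessor");
    for (double p_susp = 0.5; p_susp > 1e-4; p_susp /= 10.0)
        printf("%-10.4f %-14.4f %-14.4f\n", p_susp,
               p_uniprocessor(p_susp, 0.5, 0.5),
               p_multiprocessor(p_susp, 0.5, 0.5, 0.5));
    return 0;
}
```

The sweep in main is the defender's reading of the model: the uniprocessor's success rate collapses together with P(victim suspended), which is why short, non-blocking check-to-use windows were historically hard to hit, while the multiprocessor's rate stays near P(attack finished | victim not suspended) regardless.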

17

P(attack finished | victim not suspended)

- D = detection time
- L = t2 - t1 (laxity)
  - t1 = the earliest start time for a successful detection leading to a successful attack
  - t2 = the latest start time for a successful detection leading to a successful attack

The answer =

18

Agenda (same as slide 5)

19

Success Rate of Attacking Vi on a Uniprocessor

- Between 1.5% and 18%
- Approaches 0 when file size approaches 0

    while ((fd = mch_open((char *)wfname, …)
        /* writing to wfname using fd … */
    chown((char *)wfname, st_old.st_uid, st_old.st_gid);

20

Success Rate of Attacking Vi on an SMP

- 100% for files with size >= 20KB (L >> D)
- 96% for files with 1 byte (L and D become close; the attack may not be scheduled)

21

Agenda (same as slide 5)

22

gedit Attack Success Rates

- 0 on a uniprocessor
- 83% on an SMP (2 x 1.7G CPUs, 512MB memory)
- The delay between rename and chmod is an important contributing factor to L. It is 43 microseconds on the SMP.

Table: L and D values in microseconds (SMP)

    if (rename (temp_filename, real_filename) != 0) { … }
    chmod (real_filename, st.st_mode);
    chown (real_filename, st.st_uid, st.st_gid);

23

gedit Attack on a Multicore

- 2 x 3.2G dual-core CPUs with HT, 4GB memory
- No success at all! Why?

24

New Observation on the gedit Attack

- CPU is a necessary but not sufficient condition for a successful attack
- Semaphore on the shared file is another necessary condition
  - The race between gedit and the attacker for the semaphore decides the attack result
- The delay between stat and unlink of the attacker is 17 us.
- The delay between rename and chmod is now only 3 us.
- There is a 6 us trap (due to page fault) within the 17 us of the attacker.

25

Rethinking the gedit Attack Program

- There is a trap when the true branch of statement 3 is taken, because unlink has never been invoked before by the attacker …
- The Linux kernel dynamically maps shared libraries (e.g., libc) into an application’s address space.

    1  while (!finish) {
    2      if (stat(filename, &stbuf) == 0) {
    3          if ((stbuf.st_uid == 0) && (stbuf.st_gid == 0))
    4          {
    5              unlink(filename);
    6              symlink("/etc/passwd", filename);
    7              finish = 1;
    8          }
    9      }
    10 }

26

The Solution…

Proactively invoke unlink to remove the trap.

    1  while (!finish) {               /* argv[1] holds filename */
    2      if (stat(argv[1], &stbuf) == 0) {
    3          if ((stbuf.st_uid == 0) && (stbuf.st_gid == 0))
    4          {
    5              fname = argv[1];
    6              finish = 1;
    7          }
    8          else
    9              fname = dummy;
    10
    11         unlink(fname);
    12         symlink("/etc/passwd", fname);
    13     } // if stat(argv[1] ..
    14 }     // while

27

New gedit Attack on a Multicore

- Started to see successes.
- The trap disappeared.

28

Agenda (same as slide 5)

29

Pipelining Attack Program

- symlink need not wait on the completion of unlink, so we can make the attack program multi-threaded
- The attack can finish much earlier when the shared file is large, giving an advantage when the vulnerability window is very small

30

Conclusion

- A probabilistic model for TOCTTOU attacks which captures the reduced system dependability caused by the deployment of multiprocessors
- Probability measurement and event analysis of exploiting vi and gedit, which corroborate the model and demonstrate how the attacker may utilize multiprocessors to achieve a higher success rate.