Embed Size (px)
Citation preview
RaceGuardRaceGuard: Kernel Protection From Tempo: Kernel Protection From Temporary File Race Vulnerabilitiesrary File Race Vulnerabilities
Crispin Cowan, Steve Beattie, Chris Wright, anCrispin Cowan, Steve Beattie, Chris Wright, and Greg Kroah-Hartmand Greg Kroah-Hartman
In USENIX Security Symposium, Washington, DC, AugusIn USENIX Security Symposium, Washington, DC, August 2001t 2001
WireX Communications, Inc. http://wirex.com/WireX Communications, Inc. http://wirex.com/
Temporary File Race Temporary File Race VulnerabilitiesVulnerabilities
Basic formBasic form::A privileged program first probes the A privileged program first probes the state of the file system, and then takes state of the file system, and then takes some action. The attacker races into some action. The attacker races into the gap between the probe and the the gap between the probe and the action, changes the state of the file action, changes the state of the file system such that the victim program’s system such that the victim program’s action will have an unintended effect.action will have an unintended effect.
Temporary File CreationTemporary File Creation Victim programVictim program AttackerAttacker
stat(“/tmp/foo”, &info);stat(“/tmp/foo”, &info);
link(“/tmp/foo”, “/etc/passwd”); link(“/tmp/foo”, “/etc/passwd”);
open(“/tmp/foo”, O_CREAT);open(“/tmp/foo”, O_CREAT);
Result: the file, Result: the file, /etc/passwd/etc/passwd is overwritten. is overwritten.A variation (dangling symlink) : link to non-existence A variation (dangling symlink) : link to non-existence file whose existence has security implication. file whose existence has security implication.
(e.g. /etc/nologin)(e.g. /etc/nologin)
tim
e
RaceGuard DesignRaceGuard DesignEach process keeps a cache of non-existent file Each process keeps a cache of non-existent file names from the result of stat() calls.names from the result of stat() calls.
If the creat() call following the stat() call hits a filIf the creat() call following the stat() call hits a file that already exists, and the name matches a ne that already exists, and the name matches a name in the cache, then it is a race attack so aborame in the cache, then it is a race attack so abort the operation.t the operation.
If no conflict with the cache, remove the name frIf no conflict with the cache, remove the name from the cache to prevent the “false positive” evenom the cache to prevent the “false positive” events (in case the same name is used for creation mts (in case the same name is used for creation multiple times)ultiple times)
RaceGuard ImplementationRaceGuard ImplementationMediates three basic types of syscallsMediates three basic types of syscalls
1) File probing system calls1) File probing system calls e.g. stat(), lstat(), access(),…e.g. stat(), lstat(), access(),…
2) File creating system calls2) File creating system calls e.g. open(), creat(), mkdir(), link(),…e.g. open(), creat(), mkdir(), link(),…
3) Process creation/removal3) Process creation/removal e.g. fork(), exit()e.g. fork(), exit()
Per-process & Inter-process RaceGuard cache managemPer-process & Inter-process RaceGuard cache management.ent.
RaceGuard Implementation RaceGuard Implementation Cache Management PolicyCache Management Policy
7 pre-allocated entries per process7 pre-allocated entries per process- - small but sufficient in support of the cache small but sufficient in support of the cache management policy.management policy.
Aggressive cache clearing policyAggressive cache clearing policy- - heavy use of cache invalidation upon successful heavy use of cache invalidation upon successful
creation of temporary filescreation of temporary files
Conservative cache population policyConservative cache population policy- - Interfering legitimate software by false positives Interfering legitimate software by false positives is is much more critical than failing to detectmuch more critical than failing to detect
Cache Management PolicyCache Management Policycache eviction policycache eviction policy
Cache is a circular bufferCache is a circular buffer
/foo
Most recent entry(start scan from this entry)
If no empty slot found, eject this entry
Scan for first empty slot
RaceGuard Implementation RaceGuard Implementation Cache Management PolicyCache Management Policy
Races between processesRaces between processes- child processes inherit cache from parent - child processes inherit cache from parent process upon fork(). process upon fork().
- child processes clearing their cache entries - child processes clearing their cache entries notify their parent to also clear.notify their parent to also clear.
(aggressive cache clearing policy)(aggressive cache clearing policy)
- child processes do not populate their parents’ - child processes do not populate their parents’ cache as this could cause false positive. cache as this could cause false positive.
(conservative cache population policy)(conservative cache population policy)
RaceGuard ImplementationRaceGuard ImplementationSome file creating syscalls are not subject to racSome file creating syscalls are not subject to race conditions. E.g. mkdir(), link(), etc.e conditions. E.g. mkdir(), link(), etc. - they fail when the entry already exists. - they fail when the entry already exists. However, However, any successful file creation by those syscalls is any successful file creation by those syscalls is
checked against the cache and cleared if achecked against the cache and cleared if a mmatche occurs. atche occurs.
(aggressive cache clearing policy)(aggressive cache clearing policy)
Some file probing syscalls are excluded.Some file probing syscalls are excluded.E.g. it’s possible to check for a file’s existence with chmoE.g. it’s possible to check for a file’s existence with chmod() call, but it’s an uncommon practice.d() call, but it’s an uncommon practice.(conservative approach)(conservative approach)
RaceGuard ImplementationRaceGuard ImplementationAA pathological casepathological case
Cache flooding when executing Cache flooding when executing external programs. E.g. /bin/javaexternal programs. E.g. /bin/java
If $PATH has many entries, many If $PATH has many entries, many calls to stat() will occur, filling the calls to stat() will occur, filling the cache with useless entries.cache with useless entries.
Security TestingSecurity Testing
To do deterministic testing, mktemp() librarTo do deterministic testing, mktemp() library call has been “doctored”:y call has been “doctored”:
1) Pauses the caller for 30 seconds.1) Pauses the caller for 30 seconds.
2) Produces file name that is easy to 2) Produces file name that is easy to guess guess (even print it out)(even print it out)
Compatibility TestingCompatibility Testing
GoalGoal: Make sure RaceGuard does not : Make sure RaceGuard does not interfere legitimate software that interfere legitimate software that are are not being actively subjected to not being actively subjected to actu actual race attacks.al race attacks.
Compatibility TestingCompatibility Testing
Examples:Examples: 1) 1) Mozilla:Mozilla:
- makes heavy use of temporary files - makes heavy use of temporary files for caching web content. Re-use of for caching web content. Re-use of s s
ame names caused false positive. ame names caused false positive. F Fixed by cache clearing upon successful file ixed by cache clearing upon successful file creation creations.s.2) 2) A shell script Red Hat usesA shell script Red Hat uses::
- parent process does the probe, and a - parent process does the probe, and a c child process creates the temporary files.hild process creates the temporary files.
Fixed by making child processes clearing their Fixed by making child processes clearing their c cache entries also clear their parents’ cache ache entries also clear their parents’ cache entries. entries.
Performance TestingPerformance Testing
RaceGuard Microbenchmark Results (overhead imposed on system calls)(overhead imposed on system calls)
System Call Without RaceGuard With RaceGuard % Overhead
Stat non-existent file 4.3 microseconds 8.8 microseconds 104%
Open non-existent file 1.5 milliseconds 1.44 milliseconds -4%
Fork 161 microseconds 183 microseconds
13%
Performance TestingPerformance Testing
Khernelstone Macrobenchmark, in SecondsKhernelstone Macrobenchmark, in Seconds(imposed overhead on programs that make intensive use of many te(imposed overhead on programs that make intensive use of many temporary files)mporary files)
Real Time User Time System Time
Without RaceGuard 10,700 8838 901
With RaceGuard 10,742 8858 904
%Overhead 0.4% 0.2% 0.3%
Time to build SRPM of the Linux kernel which incorporates Time to build SRPM of the Linux kernel which incorporates thousand forks and temporary files.thousand forks and temporary files.
ConclusionsConclusions
RaceGuard protects vulnerable programs aRaceGuard protects vulnerable programs against temporary file race attacks with minigainst temporary file race attacks with minimal compatibility and performance overheamal compatibility and performance overheadd
RaceGuard is available as a GPL’d patch to RaceGuard is available as a GPL’d patch to the Linux Kernel.the Linux Kernel.
How is this stuff related to my How is this stuff related to my work?work?
Primary goal of Forensix is the post-mortem analysis of syPrimary goal of Forensix is the post-mortem analysis of system activities.stem activities.
We monitor syscalls and log various information about thWe monitor syscalls and log various information about them such as time of invocation, pid of the caller, argumenem such as time of invocation, pid of the caller, arguments, etc.ts, etc.
Given a database of system logs, we can ask the databaGiven a database of system logs, we can ask the database “What happened?” questions.se “What happened?” questions.
Questions = Queries to the DBQuestions = Queries to the DB
Question: “Were there any Question: “Were there any temporary file race attacks?”temporary file race attacks?”
Since “probe – creation” is a closed Since “probe – creation” is a closed sequence, we have a closed time sequence, we have a closed time frame. Within the time frame, we frame. Within the time frame, we can find out about any occurrence of can find out about any occurrence of file creation attempt by a different file creation attempt by a different process.process.
