5. File Identification (Cont’d)
● Link
○ Change the current working directory to anywhere.
○ Powerful for good or evil.
● The exploits (177-related, 2008-2009)
○ Can run as root but stuck in /root/
○ How to change /etc/shadow?
6. Canonicalizing
● A canonical form is easier to validate.
○ /usr/../home/rcs => /home/rcs
○ OS-specific mechanisms for canonicalization:
○ realpath() on POSIX
● Realpath
○ Description: expands all symbolic links and
resolves references to /./, /../ and extra '/'
characters in the null-terminated string to
produce a canonicalized absolute pathname.
○ But: relies on PATH_MAX, which is not a compile-time
constant on every system and must be obtained via pathconf().
7. Race Conditions
● Basic example on p#451
○ using chdir & rmdir
● TOCTOU (Time of check, time of use)
○ The race window between the check and the use.
○ The original is replaced by a link inside that window.
● Create without replace
○ Using O_CREAT and O_EXCL
○ Using fopen(file_path, "wx")
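Worked example (added here, not from the slides) of "create without replace": O_CREAT|O_EXCL makes the existence check and the creation one atomic kernel operation, so there is no window between them, and if the name is already a symbolic link the open fails with EEXIST regardless of where the link points, even if the target does not exist. The C11 fopen() mode "wx" behaves the same way. The demo directory, file names and dangling symlink are constructed for the example and assume a writable /tmp.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a file that must not already exist.  O_CREAT|O_EXCL is atomic:
 * there is no check-then-create gap, and an existing symlink at the name
 * makes open() fail with EEXIST no matter where it points.  Mode 0600
 * restricts the new file to its owner.  Returns the fd, or -1 with errno
 * set (EEXIST when the name is already taken). */
int create_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_CLOEXEC, S_IRUSR | S_IWUSR);
}

/* Constructed scenario in a fresh temp directory.  Returns a bitmask:
 *   bit 0: a fresh name was created,
 *   bit 1: creating the same name again failed with EEXIST,
 *   bit 2: a pre-planted (dangling) symlink was refused with EEXIST.
 * 7 means all three behaved as expected; -1 means setup failed. */
int exclusive_create_demo(void)
{
    char dir[] = "/tmp/excl.XXXXXX";
    char fresh[256], planted[256];
    int result = 0, fd;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(fresh, sizeof fresh, "%s/report.txt", dir);
    snprintf(planted, sizeof planted, "%s/planted.txt", dir);

    fd = create_exclusive(fresh);
    if (fd >= 0) {
        result |= 1;
        close(fd);
        if (create_exclusive(fresh) == -1 && errno == EEXIST)
            result |= 2;
    }

    /* planted.txt is a symlink whose target does not exist */
    if (symlink("/nonexistent-target", planted) == 0) {
        if (create_exclusive(planted) == -1 && errno == EEXIST)
            result |= 4;
        unlink(planted);
    }

    unlink(fresh);
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("exclusive create demo: %d (expect 7)\n", exclusive_create_demo());
    return 0;
}
```

Contrast this with the pattern the TOCTOU bullet warns about: a separate existence test (stat/access) followed by a plain open(O_CREAT) leaves a window in which the name can be swapped for a link, and the later open follows it.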
8. Race Conditions (cont’d)
● Using file lock (on Windows)
○ LockFile() / UnlockFile()
○ shared locks: One write and many read
○ exclusive locks: Only one process
● Using mutex / semaphores
● Temporary File (table 8.4)
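Worked example (added here, not from the slides) covering the two bullets above: the slide names the Windows LockFile()/UnlockFile() API; the POSIX counterpart is fcntl() record locking, used here because the deck's other APIs are POSIX, and it is shown together with mkstemp(), which is the temp-file idiom (unique name, O_CREAT|O_EXCL, mode 0600, descriptor returned) behind table 8.4. fcntl() locks are owned per process, so a conflict can only be observed from a second process; the demo forks a child for that. Names, the template path and the lock scenario are constructed and assume a writable /tmp.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Create a temporary file the safe way: mkstemp() picks a unique name and
 * creates it with O_CREAT|O_EXCL and mode 0600 in one step, returning the
 * descriptor; the file is used through that fd from then on.  The chosen
 * name is written to name_out so the caller can unlink it later. */
int make_temp_file(char *name_out, size_t size)
{
    const char tmpl[] = "/tmp/lock.XXXXXX";
    if (size < sizeof tmpl)
        return -1;
    memcpy(name_out, tmpl, sizeof tmpl);
    return mkstemp(name_out);
}

/* Take (F_RDLCK shared / F_WRLCK exclusive) or release (F_UNLCK) a lock on
 * the whole file without blocking.  Returns 0 on success, -1 with errno
 * EAGAIN or EACCES when another process holds a conflicting lock. */
int lock_whole_file(int fd, short type)
{
    struct flock fl = { .l_type = type, .l_whence = SEEK_SET,
                        .l_start = 0, .l_len = 0 };   /* len 0 = to EOF */
    return fcntl(fd, F_SETLK, &fl);
}

/* Constructed scenario: the parent holds an exclusive lock on a temp file
 * while a forked child tries a shared and then an exclusive lock on the same
 * file.  Returns 1 if both child attempts were refused, 0 if either got
 * through, -1 on setup failure. */
int lock_demo(void)
{
    char name[32];
    int fd = make_temp_file(name, sizeof name);
    int outcome = -1, status;
    pid_t pid;

    if (fd < 0)
        return -1;
    if (lock_whole_file(fd, F_WRLCK) != 0) {
        close(fd); unlink(name);
        return -1;
    }

    pid = fork();
    if (pid == 0) {
        /* child: inherits the fd but not the parent's lock ownership */
        int refused = 0;
        if (lock_whole_file(fd, F_RDLCK) == -1 && (errno == EAGAIN || errno == EACCES))
            refused++;
        if (lock_whole_file(fd, F_WRLCK) == -1 && (errno == EAGAIN || errno == EACCES))
            refused++;
        _exit(refused == 2 ? 0 : 1);
    }
    if (pid > 0 && waitpid(pid, &status, 0) == pid)
        outcome = (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 1 : 0;

    lock_whole_file(fd, F_UNLCK);     /* release before the name goes away */
    close(fd);
    unlink(name);
    return outcome;
}

int main(void)
{
    printf("lock demo: %d (expect 1)\n", lock_demo());
    return 0;
}
```

fcntl() locks are advisory: they protect only against other processes that also take the lock, which is why the slides pair locking with the permission and exclusive-create controls rather than relying on it alone.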
9. Strategies
● Checking for links is mostly unnecessary
○ if privileges are set correctly.
○ Creating a hard or symbolic link does not alter the
target's permissions.
○ A setuid program should drop privileges to its real
UID.
● Strategies
○ Closing the Race Window
○ Eliminating the Race Object
○ Controlling Access to the Race Object
○ Race Detection Tools
10. Closing the Race Window
● General concepts for protecting a resource
○ Mutual Exclusion
○ Thread-Safe Functions
○ Use of Atomic Operations
● Reopening Files
○ May be necessary in a long-running application.
● Checking for Symbolic Links
○ If possible, use the O_NOFOLLOW flag when opening.
11. Eliminating the Race Object
● Know what is shared
○ Don't overlook system-supplied sharing.
○ Minimal access permissions.
○ Security patches installed regularly.
● The race object is usually the file's directory, not the file itself.
● Use file descriptors, not file names
○ use the f*() variants, not the name-based ones
■ fchown vs chown, fstat vs stat, ...
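Worked example (added here, not from the slides) that serves both the O_NOFOLLOW bullet in section 10 and the "file descriptors, not file names" bullet above: the file is opened with O_NOFOLLOW so a symlink in the last component is refused with ELOOP, and every check and change after that (fstat() for type, owner and link count; fchmod() to tighten the mode) goes through the descriptor, so whatever happens to the name afterwards cannot change the object being inspected. The temp directory, file and symlink are constructed for the demo and assume a writable /tmp; reporting a failed check as EPERM is my convention.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open an existing file for reading without following a symlink in the
 * last path component (O_NOFOLLOW -> ELOOP), then validate the object that
 * was actually opened through its descriptor, never through its name: it
 * must be a regular file, owned by the effective user, with exactly one
 * hard link.  Returns the fd, or -1 with errno set (EPERM when the file
 * opened but failed those checks). */
int open_regular_file_nofollow(const char *path)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd == -1)
        return -1;
    if (fstat(fd, &st) == -1) {           /* fstat, not stat: same object as fd */
        close(fd);
        return -1;
    }
    if (!S_ISREG(st.st_mode) || st.st_uid != geteuid() || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Constructed scenario: a regular file plus a symlink to it in a temp dir.
 * Returns a bitmask: bit 0 the regular file opens and validates,
 * bit 1 the symlink is refused with ELOOP, bit 2 fchmod() on the fd sets
 * mode 0600 as confirmed by fstat().  7 means all good; -1 setup failure. */
int nofollow_demo(void)
{
    char dir[] = "/tmp/nofollow.XXXXXX";
    char file[256], link[256];
    struct stat st;
    int result = 0, fd;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(file, sizeof file, "%s/data", dir);
    snprintf(link, sizeof link, "%s/alias", dir);

    fd = open(file, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd == -1) { rmdir(dir); return -1; }
    close(fd);

    fd = open_regular_file_nofollow(file);
    if (fd >= 0) {
        result |= 1;
        /* operate on the descriptor, not the name */
        if (fchmod(fd, S_IRUSR | S_IWUSR) == 0 && fstat(fd, &st) == 0 &&
            (st.st_mode & 0777) == 0600)
            result |= 4;
        close(fd);
    }
    if (symlink(file, link) == 0) {
        if (open_regular_file_nofollow(link) == -1 && errno == ELOOP)
            result |= 2;
        unlink(link);
    }
    unlink(file);
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("nofollow demo: %d (expect 7)\n", nofollow_demo());
    return 0;
}
```

O_NOFOLLOW only covers the final component; symlinks in the directory part of the path are still followed, which is why the deck also stresses securing the directory itself.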
12. … (cont’d)
● ptrace() on UNIX
○ One process (the "tracer") may observe and
control the execution of another process (the
"tracee").
○ Access all memory and register values.
● Threads (share, share, share, …)
○ System-supplied and process-supplied objects.
○ Global variables / dynamic memory.
○ Environment variables.
○ ...
13. Controlling Access
● At least one of the control flows must
alter the state of the race object.
● Principle of least privilege
○ Avoid running with elevated privileges.
○ Drop privileges when using a shared object.
○ Created files should be accessible only by the
owner.
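Worked example (added here, not from the slides) for the least-privilege bullets above and the "drop privileges with the real UID" point in section 9: the group is dropped before the user (setgid() needs privilege, so it must come first), the drop is then verified rather than assumed by checking that the effective ids match the real ids and that seteuid(0) is refused, and a umask of 077 guarantees new files are owner-only even when a caller asks for a permissive mode. Function names are my own; the temp directory is constructed and assumes a writable /tmp.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently drop to the real user and group.  Group first, because
 * setgid() itself needs privilege; setuid() last, which on a setuid-root
 * program also clears the saved uid so privilege cannot be regained.
 * Returns 0 on success, -1 on failure. */
int drop_privileges_permanently(void)
{
    if (setgid(getgid()) == -1)
        return -1;
    if (setuid(getuid()) == -1)
        return -1;
    return 0;
}

/* Verify that the drop took.  Effective ids must equal real ids, and,
 * unless the real user is root (nothing to drop), an attempt to regain the
 * superuser effective uid must fail.  Returns 1 if confirmed unprivileged. */
int privileges_are_dropped(void)
{
    if (geteuid() != getuid() || getegid() != getgid())
        return 0;
    if (getuid() == 0)
        return 1;                 /* genuinely root: nothing to verify */
    return seteuid(0) == -1;      /* must not be able to come back */
}

/* With umask 077 every new file loses its group/other bits, so even a
 * careless open(..., 0666) yields an owner-only file.  Returns 1 when
 * fstat() on the new file confirms mode 0600, 0 otherwise, -1 on setup failure. */
int creates_owner_only_file(void)
{
    char dir[] = "/tmp/priv.XXXXXX";
    char file[256];
    struct stat st;
    int ok = 0, fd;
    mode_t old = umask(S_IRWXG | S_IRWXO);      /* 077 */

    if (mkdtemp(dir) == NULL) { umask(old); return -1; }
    snprintf(file, sizeof file, "%s/secret", dir);
    fd = open(file, O_WRONLY | O_CREAT | O_EXCL, 0666);   /* permissive request */
    if (fd >= 0) {
        if (fstat(fd, &st) == 0 && (st.st_mode & 0777) == 0600)
            ok = 1;
        close(fd);
        unlink(file);
    }
    rmdir(dir);
    umask(old);
    return ok;
}

int main(void)
{
    printf("drop: %d, dropped: %d, owner-only file: %d\n",
           drop_privileges_permanently(), privileges_are_dropped(),
           creates_owner_only_file());
    return 0;
}
```

The verification step matters because the setuid family's semantics differ across systems; checking that seteuid(0) is refused catches a drop that only changed the effective id while leaving a saved root id behind.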
14. … (cont’d)
● Secure Directories
● Chroot jail
● Container Virtualization
○ A more advanced form of jail
○ lxc / OpenVZ on Linux
○ Virtuozzo on Windows
● Exposure
○ Avoid exposing your internal structure through the API.
● Using Race Detection Tools
15. Summary
● Protecting files is similar to protecting any shared
resource
○ Atomic / Spinlock / Mutex / Semaphore.
○ Using a virtual or limited environment provides better
protection.
● For file resources specifically
○ Using a file descriptor to check or control a file is better
than using its name.
○ If possible, use the exclusive flag when opening a file.