As the goal of this approach is to demonstrate the immediate practicality of exploiting race conditions in real-world interposition systems, I now consider hands-on experiments in doing so. All experiments and measurements were performed on a 3.2 GHz Intel Xeon.
2.5.1 Generic Software Wrapper Toolkit (GSWTK)
GSWTK is a kernel access control system that allows task-specific system call wrappers to inspect and modify arguments and return values. Wrappers are written using a C language extension with integrated SQL database support. GSWTK is available as a third-party package on the Solaris, FreeBSD, BSD/OS, and Linux platforms; I employed GSWTK 1.6.3 on FreeBSD 4.11. A variety of wrappers are available, from access control policies to intrusion detection systems.
Figure 2.3: Processes employ paging to force copyin() in open() to sleep so that the process can use a TOATTOU attack on an intrusion detection wrapper. (Diagram labels: open() system call; GSWTK postcondition; Process 1 (kernel), Process 2 (user); attacker copies real path of file to open into shared memory and forces last byte of path into swap; kernel copies real path from memory, then faults on last byte and sleeps until page is in memory; attacker replaces real path /home/ko/.forward with path intended for IDS, /home/ko/Inbox, while kernel is paging last byte; ID wrappers copies replaced path for use in IDS; exploitable race window while process 1 waits for memory to be paged.)
I was able to successfully substitute values used in both precondition access control and postcondition auditing and intrusion detection on UP with paging, and on MP systems from a second processor. After experimentally validating the approach on a subset of wrappers, I inspected the remaining wrappers shipped with GSWTK. Of 23 wrappers available for UNIX or all platforms, 16 had one or more vulnerabilities (Table 2.1). Also of interest is Ko’s work on sequence-based intrusion detection, as it illustrates the potential impact of TOATTOU vulnerabilities [72]. Investigation revealed vulnerabilities in several intrusion detection wrappers. Figure 2.3 illustrates one such race, in which an intrusion detection wrapper intended to detect an exploited imapd vulnerability is bypassed by racing between the kernel open, which sees the forbidden pathname /home/ko/.forward, and the post-condition wrapper that monitors it, which sees the permissible pathname /home/ko/Inbox.
2.5.2 Systrace
Systrace is an access control system that allows user processes to control target processes by inspecting and modifying system call arguments and return values. The OpenBSD operating system includes Systrace; NetBSD has done so historically, and there are ports available to Mac OS X, FreeBSD, and Linux. For this work, I used Systrace on NetBSD 3.1, 4.0 (Jan. 2007), and OpenBSD 4.0. As Systrace is a programmable policy system, I used two policies: Sudo monitor mode [86] and Sysjail [61]. I bypassed protections in both, violating access control policy and audit trail integrity.
| Wrapper | Description | Vulnerabilities |
|---|---|---|
| callcount | Count system calls. | None: uses system call number. |
| conwatch | Track IP connections by processes. | Postcondition TOATTOU race on connect() and bind() masks actual address/port. |
| dbfencrypt | Encrypt files with ’$’ in their names; prevent rename so that policy cannot be changed. | Postcondition TOCTTOU race allows incorrect name in policy check; precondition TORTTOU races on I/O write unencrypted data and bypass rename checks. |
| dbexec | Authorise program execution based on a pathname database. | Precondition TOCTTOU race allows bypass by substituting the name during the wrapper check. |
| dbsynthetic | Synthetic file system sandbox substituting pathnames. | Precondition TORTTOU race bypasses path replacement; postcondition TORTTOU race leaks true paths. |
| life | Prints process life cycle. | Precondition TOATTOU race replaces exec() paths. |
| noadmin | Deny all privileged operations. | None: relies on the kernel’s process credential. |
| aks.wr | Audit file operations. | Pre/postcondition TOATTOU races avoid audit. |
| seq-kernel.wr | Sequence-based intrusion detection. | None: uses system call number. |
| imapd.wr | Detect anomalous access by imapd. | Postcondition TOATTOU path races prevent alerts. |
Table 2.1: Examples of concurrency vulnerabilities in GSWTK and ID Wrappers.
Sudo
Sudo is a widely used privilege management tool allowing users to run authorised commands with the rights of another user [86]. The prerelease version of Sudo includes a “monitor mode”, implemented using Systrace, that audits commands executed by Sudo-derived processes. Sudo’s systrace monitor intercepts invocations of execve() that occur after a successful user switch, indirectly auditing executions by the command. The execve() system call accepts a program path, command line arguments, and environment variables as indirect arguments, and thus is vulnerable to attack. Due to a user-space policy source, Systrace requires additional context switches to make access control decisions, leading to larger race windows. With Sudo on MP systems, the window for execve() arguments was over 430K cycles. I was able to successfully exploit this vulnerability, replacing command lines so that they were incorrectly logged, masking all further attacker activity in the audit trail.
Figure 2.4: Race to bypass protections from a second processor by replacing the IP address passed to bind() between check and use. (Diagram labels: bind() system call; Sysjail/Systrace precondition; Process 1 (kernel), Process 2 (user); attacker copies 0.0.0.0 into memory; Sysjail copies in 0.0.0.0, validates and accepts it, and replaces IP with jail address 192.168.100.20; attacker restores original system call arguments of 0.0.0.0 before bind() copyin runs, Process 2 having waited 500k cycles on CPU 2; bind() copies in and uses 0.0.0.0 to bind the socket; exploitable race window between memory copies.)
Sysjail
Sysjail is a port of the FreeBSD jail containment facility using the Systrace framework for NetBSD and OpenBSD [61, 65]. Sysjail attaches to all processes in the jail, validating and in some cases rewriting system call arguments to maintain confinement. Sysjail is of particular interest as it is intended to contain processes running with root privilege, increasing exposure in the event of vulnerability.
Sysjail handles several indirect arguments, including IP addresses passed to bind(). It enforces two constraints: the address must be configured for the jail or it must be INADDR_ANY, in which case it will be replaced with the jail’s address. By racing with Sysjail, I am able to replace the IP accepted by Sysjail with another IP address, bypassing network confinement (Figure 2.4).
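As an added illustration (my own model, not code from the thesis, GSWTK, Systrace or Sysjail), the following deterministic replay walks through the copyin() interleavings of Figures 2.3 and 2.4 using the race terminology of Table 2.1, and contrasts a wrapper that performs its own copy of an indirect argument with a design in which wrapper and kernel consume a single shared copy. The stage names, the schedule format and the shared-copy design are modelling assumptions, not any framework's API.

```python
def run_syscall(user_arg, schedule, share_copy):
    """Replay `schedule` over one system call whose indirect argument is `user_arg`.

    Events (a constructed model, not any framework's API):
      ("precheck",)   precondition wrapper copies the argument in to validate it
      ("replace", v)  precondition wrapper rewrites the argument to v (Sysjail style)
      ("kernel",)     the kernel's own copyin(): the value actually used
      ("postaudit",)  postcondition wrapper copies the argument in to log it
      ("write", v)    the untrusted process changes its memory in between
    share_copy=False: each stage copies from user memory at its own time.
    share_copy=True: the first trusted stage takes one snapshot and every later
    stage, kernel included, consumes that same copy.
    """
    mem, snap, seen = user_arg, None, {}
    for ev in schedule:
        kind = ev[0]
        if kind == "write":           # the untrusted process wins the race
            mem = ev[1]
            continue
        if share_copy:
            if snap is None:
                snap = mem            # the only copyin() for this call
            if kind == "replace":
                snap = ev[1]          # rewrite applies to the shared copy
            seen[kind] = snap
        else:
            if kind == "replace":
                mem = ev[1]           # rewrite lands in user memory, where it can be undone
            seen[kind] = mem          # an independent copyin() reads current memory
    return seen

def race_classes(seen):
    """Name each race class (Table 2.1 terminology) visible in a replay."""
    used, found = seen["kernel"], []
    if "replace" in seen:
        if seen["replace"] != used:
            found.append("TORTTOU")   # wrapper's replacement undone before use
    elif "precheck" in seen and seen["precheck"] != used:
        found.append("TOCTTOU")       # checked one value, kernel used another
    if "postaudit" in seen and seen["postaudit"] != used:
        found.append("TOATTOU")       # audit trail records a value never used
    return found

# The interleavings of Figure 2.3 (paging) and Figure 2.4 (second CPU) as schedules.
FIG_2_3 = [("kernel",), ("write", "/home/ko/Inbox"), ("postaudit",)]
FIG_2_4 = [("precheck",), ("replace", "192.168.100.20"), ("write", "0.0.0.0"), ("kernel",)]

if __name__ == "__main__":
    for arg, sched in (("/home/ko/.forward", FIG_2_3), ("0.0.0.0", FIG_2_4)):
        print(race_classes(run_syscall(arg, sched, False)), race_classes(run_syscall(arg, sched, True)))
```

With independent copies the Figure 2.3 schedule yields a TOATTOU and the Figure 2.4 schedule a TORTTOU; with one shared copy the same schedules yield no divergence, which is the property any argument-sharing fix must preserve.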
2.5.3 CerbNG
CerbNG is a third-party security framework for FreeBSD 4.8 similar to GSWTK. It allows rule-based control of system calls, checking and modifying arguments and return values, changing process properties, and logging events. I successfully exploited TOATTOU and TOCTTOU races in rules shipped with the system, replacing command lines in log-exec.cb, which audits execve(), generating incorrect audit trails.
CerbNG unsuccessfully employs several virtual memory defences discussed in Section 2.6.1.