a. Race conditions are a common problem in operating system protection mechanism
ID: 3835296 • Letter: A
Question
a. Race conditions are a common problem in operating system protection mechanisms. An easy example involves a Time-of-check to Time of Use (TOCTOU) race based on Unix symbolic links, which contain a path that is resolved at access time. For example, the UNIX print utility “lpr” runs setuid root and has the ability to read any file on the system and send it to the printer – an operation that requires root privileges. To prevent a user from printing a file she doesn’t own, it checks the ownership of a file before printing it:

    if (access(argv[1], R_OK) != 0)
        exit(1);
    fd = open(argv[1], O_RDONLY);
    send_to_printer(fd);

b. Explain how a user can use two programs in combination with symbolic links to get lpr to print a file to which the user does not have permission to open.
b. To actually mount a practical attack, timing is critical. The attacker must make sure the second program is able to run exactly between the two system calls in the above code. How can the attacker guarantee this?
Explanation / Answer
Time-of-check, time-of-use race conditions occur when between the time in which a given resource is checked, and the time that resource is used, a change occurs in the resource to invalidate the results of the check.
Consequences
Exposure period
Platform
Required resources
Severity: Medium
Likelihood of exploit: Low to Medium
Time-of-check, time-of-use race conditions occur when a resource is checked for a particular value, that value is changed, then the resource is used, based on the assumption that the value is still the same as it was at check time.
This is a broad category of race condition encompassing binding flaws, locking race conditions, and others.
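The check-then-use pattern in the question can be closed by opening the file first and running the check on the resulting descriptor, so the check and the use refer to the same object. The following is an added example, not code from the question or from lpr; the helper name open_checked and the policy "regular file owned by the caller's real UID" are assumptions made for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* O_NOFOLLOW, mkstemp, symlink */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: returns a read-only fd for path only if the opened
 * object is a regular file owned by `owner`; returns -1 otherwise. */
int open_checked(const char *path, uid_t owner)
{
    /* Open first. O_NOFOLLOW refuses a symlink in the final path component;
     * O_NONBLOCK keeps open() from blocking on a FIFO. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0)
        return -1;

    /* Check second, on the descriptor. fstat() describes the inode that is
     * already open, so changing what the path names cannot alter the result. */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != owner) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s file\n", argv[0]);
        return 2;
    }
    int fd = open_checked(argv[1], getuid());   /* real UID, not effective */
    if (fd < 0) {
        fprintf(stderr, "refusing to print %s\n", argv[1]);
        return 1;
    }
    /* send_to_printer(fd) from the question would be called here. */
    close(fd);
    return 0;
}
```

A setuid program would normally also drop its effective UID to the real UID around the open() call, so that the kernel applies the user's own permissions at the moment of use.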