
The Right Files at the Right Time

Chapter in: Automated Security Management

Abstract

Programs fetch resources, such as files, from the operating system through the process of name resolution. However, name resolution can be subverted by adversaries to redirect victim processes to resources chosen by the adversaries, leading to a variety of attacks. These attacks are possible because traditional access control treats processes as black boxes, permitting all process permissions to all process system calls, enabling adversaries to trick victims into using resources that are not appropriate for particular system calls. Researchers have examined methods for enforcing distinct policies on individual system calls, but these methods are difficult to use because programmers must specify which permissions apply when manually. In this work, we examine the generation of system call-specific program policies to augment access control to defend against such name resolution attacks. Our insight in this paper is that system calls can be classified by the properties of the resources accessed to produce policies automatically. Given specific knowledge about name resolution attacks, such a classification may be refined further to prevent many name resolution attacks with little chance of false positives. In this paper, we produce a policy using runtime analysis for an Ubuntu 12.04 distribution, finding that 98.5 % of accesses can be restricted to prevent typical name resolution attacks and more than 65 % of accesses can be restricted to a single file without creating false positives. We also examine three programs in detail to evaluate the efficacy of using the provided package test suites to generate policies, finding that administrators can produce effective policies automatically.
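As an added illustration (not the chapter's own tool or code), the following Python sketches the two halves of the idea in the abstract: a training run records which resource each system-call site actually opened, and an enforcement wrapper later checks the object it opened against the learned per-call-site policy, pinning a site to a single inode where training saw only one. The call-site labels, the owner-based fallback rule and the sample file are assumptions constructed for this example.

```python
import os
import tempfile
# Phase 1 (training run): record which resource each call site actually used.
class PolicyRecorder:
    def __init__(self):
        self.seen = {}   # call site -> {(st_dev, st_ino), ...}

    def record(self, site, path):
        st = os.stat(path)
        self.seen.setdefault(site, set()).add((st.st_dev, st.st_ino))

    def policy(self):
        # One file ever seen: pin the site to that inode; else fall back to a
        # resource-property rule (file must be owned by our uid) - assumed rule.
        return {site: ("inode", next(iter(ids))) if len(ids) == 1
                else ("owner", os.getuid())
                for site, ids in self.seen.items()}

# Phase 2 (enforcement): open the name, then check the object that came back.
def policy_open(policy, site, path, flags=os.O_RDONLY):
    kind, want = policy[site]
    # O_NOFOLLOW refuses a symlink only as the last component; the fstat below
    # checks the object that was actually opened, whatever the name resolved to.
    fd = os.open(path, flags | os.O_NOFOLLOW)
    try:
        st = os.fstat(fd)   # properties of the opened object, not of the name
        if kind == "inode" and (st.st_dev, st.st_ino) != want:
            raise PermissionError(f"{site}: {path} is not the file seen in training")
        if kind == "owner" and st.st_uid != want:
            raise PermissionError(f"{site}: {path} is not owned by uid {want}")
    except BaseException:
        os.close(fd)
        raise
    return fd

def demo():
    # Constructed scenario: train on one file, then put a different file under
    # the same name; the pinned call site must reject the new inode.
    with tempfile.TemporaryDirectory() as d:
        cfg = os.path.join(d, "app.conf")
        open(cfg, "w").close()
        rec = PolicyRecorder()
        rec.record("read_config", cfg)                      # training run
        policy = rec.policy()
        os.close(policy_open(policy, "read_config", cfg))   # same inode: allowed
        os.rename(cfg, cfg + ".old")                        # keep old inode alive
        open(cfg, "w").close()                              # new inode, same name
        try:
            os.close(policy_open(policy, "read_config", cfg))
            return policy["read_config"][0], False
        except PermissionError:
            return policy["read_config"][0], True
```

A real enforcement point would sit in the kernel or an LSM rather than in a library wrapper; the wrapper here only shows which properties of the resolved object the policy compares.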


Notes

  1. Name resolution attacks may be launched with any operation privilege to files, so we ignore the file operations requested in this work.

  2. This is actually the same inode, as the inode is the unique identifier for file objects.


Author information

Corresponding author: Hayawardh Vijayakumar.

Copyright information

© 2013 Springer International Publishing Switzerland

About this chapter

Cite this chapter

Vijayakumar, H., Jaeger, T. (2013). The Right Files at the Right Time. In: Al-Shaer, E., Ou, X., Xie, G. (eds) Automated Security Management. Springer, Cham. https://doi.org/10.1007/978-3-319-01433-3_7

  • DOI: https://doi.org/10.1007/978-3-319-01433-3_7

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-01432-6

  • Online ISBN: 978-3-319-01433-3

  • eBook Packages: Computer Science (R0)
