Code one C User Manual, page 6
[Figure 4(a): state diagram; transitions are labelled stat(f), open(f), rename(f, *), ... and "other", and a path that passes the same name f to two of these calls reaches the error state]
(a) An FSA describing Property 3
    struct stat st;
    stat(logfile, &st);               /* check: is the file ours? */
    if (st.st_uid != getuid())
        return -1;
    open(logfile, O_RDWR);            /* use: same name, second system call */
(b) A program segment violating Property 3. Note that the program is susceptible to a race condition, since the binding of logfile to a file may change between the stat() and open() calls.
Figure 4. An FSA illustrating Property 3 ("A program should not pass the same file name to two system calls on any path") and a program violating it.
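The race in Figure 4(b) is a time-of-check-to-time-of-use bug, and the fix is to let the file name reach only one system call. The following is an added example, not code from the paper or from MOPS: open() is called exactly once, and the ownership test is made with fstat() on the descriptor that open() returned, so it applies to the inode the program actually holds. The helper names open_owned_file and demo_open_owned_file, and the files the self-check constructs under /tmp, are this example's own assumptions.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open `path` read/write only if the file actually opened is a regular
 * file owned by the calling user.  Returns a descriptor, or -1 with errno
 * set.  The name is passed to exactly one system call, open(); the check
 * is then made with fstat() on the descriptor, so it covers the inode we
 * hold rather than whatever the name might point to by the time a second
 * name-based call ran.  (Hypothetical helper, not part of the paper.) */
int open_owned_file(const char *path)
{
    struct stat st;
    int fd, saved;

    /* O_NOFOLLOW: refuse a symbolic link at the final component, the usual
     * way to redirect a privileged open.  O_CLOEXEC: do not leak the
     * descriptor to child processes. */
    fd = open(path, O_RDWR | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) < 0) {
        saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    /* A FIFO or device node owned by the user would pass a bare uid test,
     * so insist on a regular file as well. */
    if (st.st_uid != getuid() || !S_ISREG(st.st_mode)) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Self-check on constructed files: a regular file we own must open and the
 * descriptor must refer to that inode; a symlink planted at another name
 * must be refused (ELOOP from O_NOFOLLOW).  Returns 1 on success. */
int demo_open_owned_file(void)
{
    char dir[] = "/tmp/owned-demo-XXXXXX";   /* assumed writable location */
    char path[64], lnk[64];
    struct stat a, b;
    int fd, ok = 0;

    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(path, sizeof path, "%s/logfile", dir);
    snprintf(lnk, sizeof lnk, "%s/link", dir);

    fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        goto out;
    close(fd);

    fd = open_owned_file(path);
    if (fd >= 0 && fstat(fd, &a) == 0 && stat(path, &b) == 0 &&
        a.st_dev == b.st_dev && a.st_ino == b.st_ino)
        ok = 1;
    if (fd >= 0)
        close(fd);

    if (ok && (symlink(path, lnk) != 0 || open_owned_file(lnk) != -1))
        ok = 0;
out:
    unlink(lnk);
    unlink(path);
    rmdir(dir);
    return ok;
}
```

The remaining exposure is the directory walk itself (a component above the final one being swapped); where that matters, open the directory first and use openat() on the directory descriptor, so that every step of the path is resolved against something the program already holds.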
3.1.5. Create Temporary Files Securely
Many programs create temporary files in a shared directory such as /tmp. The C library provides several functions for creating unique temporary files. Unfortunately, most of them are insecure because they make the program vulnerable to race condition attacks. For example, mktemp returns a unique file name, but if an adversary creates a file with the same name before the program does, the program will either open the adversary's file, if the open call does not specify the O_EXCL flag, or fail otherwise. Other insecure functions for making unique temporary files are tmpnam, tempnam, and tmpfile. The only secure function is mkstemp, which accepts a string parameter as the template for the temporary file, opens a unique file, and then returns the file descriptor. Additionally:
  • To avoid race conditions, the program should not reuse the string parameter to mkstemp for any other system calls or library functions. This is because mkstemp writes the name of the unique temporary file to the string, but the binding from name to inode might change after mkstemp returns and before the next function executes.
  • The program should call umask(077)⁸ before calling mkstemp, because old versions of mkstemp create temporary files with the mode 0666, which is a security risk because all users can read the files.

⁸ Here we are using the C convention that a leading 0 denotes an octal number.

    /* This is a setuid-root program */
    int fd = open("/etc/passwd", O_RDWR);    /* returns 2 if the caller closed descriptor 2 */
    char *str = read_from_user();             /* read_from_user() stands for any input routine */
    fprintf(stderr, "The user entered:\n%s\n", str);   /* then writes into /etc/passwd */
(a) victim.c: a program vulnerable to the stderr attack

    #include <unistd.h>

    int main(void)
    {
        close(2);                          /* leave descriptor 2 free ... */
        execl("victim", "victim", NULL);   /* ... so the victim's first open() gets it */
        return 1;
    }
(b) A program run by the adversary to attack the program in Figure 5(a)
Figure 5. A program vulnerable to the attack on standard file descriptors and an exploiting program.
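A setuid program closes the door that Figure 5(b) walks through by making sure descriptors 0, 1 and 2 are open before it opens anything sensitive, so that no later open() can land on a standard descriptor. The code below is an added example and not from the paper: sanitize_std_fds, std_fds_open and demo_sanitize are hypothetical names, and the demo opens /dev/null in place of /etc/passwd so that it can be run unprivileged.

```c
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>

/* Ensure descriptors 0, 1 and 2 are all open.  A descriptor the parent
 * closed is replaced by /dev/null, so the program's first real open()
 * cannot return 2 and later be written through stderr.  Returns 0 on
 * success and -1 on failure; a setuid program should exit on failure
 * rather than continue with privileges.  (Hypothetical helper.) */
int sanitize_std_fds(void)
{
    int fd, nfd;

    for (fd = 0; fd <= 2; fd++) {
        if (fcntl(fd, F_GETFD) != -1)
            continue;                       /* already open */
        if (errno != EBADF)
            return -1;                      /* something other than "closed" */
        nfd = open("/dev/null", fd == 0 ? O_RDONLY : O_WRONLY);
        if (nfd < 0)
            return -1;
        /* open() returns the lowest free descriptor, and every lower one
         * is open by now, so nfd == fd; check anyway rather than assume. */
        if (nfd != fd) {
            close(nfd);
            return -1;
        }
    }
    return 0;
}

/* Returns 1 if all three standard descriptors are currently open. */
int std_fds_open(void)
{
    int fd;

    for (fd = 0; fd <= 2; fd++)
        if (fcntl(fd, F_GETFD) == -1)
            return 0;
    return 1;
}

/* Self-check: replay the adversary's close(2), show that a plain open()
 * now lands on a standard descriptor (the attack), then show that after
 * sanitize_std_fds() it does not.  The real stderr is saved with dup()
 * and restored before returning.  Returns 1 on success. */
int demo_sanitize(void)
{
    int saved = dup(2), fd, ok = 0;

    if (saved < 0)
        return 0;
    close(2);
    fd = open("/dev/null", O_RDWR);        /* stands in for open("/etc/passwd") */
    if (fd > 2) {                          /* did not land on 0..2: unexpected */
        close(fd);
        goto restore;
    }
    if (fd >= 0)
        close(fd);

    if (sanitize_std_fds() != 0)
        goto restore;
    fd = open("/dev/null", O_RDWR);        /* the same open, after the fix */
    if (fd > 2 && std_fds_open())
        ok = 1;
    if (fd >= 0)
        close(fd);
restore:
    dup2(saved, 2);
    close(saved);
    return ok;
}
```

Call sanitize_std_fds() as the first thing in main(), before any open(), socket() or pipe(): once a privileged program has opened a file, the order of its descriptors is already decided.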
We summarize the security property as the following:
Property 5 A program should (1) never call mktemp, tmpnam, tempnam, or tmpfile; (2) never reuse the parameter x in mkstemp(x); and (3) call umask(077) before mkstemp.
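Property 5 carried out in code, as an added example that is not part of the paper: make_private_tmpfile uses only mkstemp, sets umask(077) first, and never hands the filled-in name to another open or fopen; its one remaining use of the name is an immediate unlink(), which is the customary way to leave nothing in the directory for an attacker to race on (clause (2) as stated is stricter and forbids even that). tmpfd_is_private checks the result through the descriptor only, and unsafe_reuse_of_name shows the pattern clause (2) forbids. All function names are hypothetical and the /tmp template is an assumption.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 1 if the open file `fd` is a regular file, owned by us, with no
 * group or other permission bits, and no longer reachable by any name.
 * Everything is learned through the descriptor, never through a path. */
int tmpfd_is_private(int fd)
{
    struct stat st;

    if (fd < 0 || fstat(fd, &st) != 0)
        return 0;
    return S_ISREG(st.st_mode) && st.st_uid == getuid() &&
           (st.st_mode & 077) == 0 && st.st_nlink == 0;
}

/* Create a private temporary file and return its descriptor, or -1. */
int make_private_tmpfile(void)
{
    char tmpl[] = "/tmp/app-XXXXXX";       /* assumed location; six X's required */
    mode_t old = umask(077);               /* clause (3): before mkstemp */
    int fd = mkstemp(tmpl);                /* clause (1): mkstemp, nothing else */

    umask(old);
    if (fd < 0)
        return -1;
    /* Drop the directory entry at once.  From here on `tmpl` is dead and
     * only `fd` is used, so a rename of the name by an attacker has nothing
     * to redirect. */
    if (unlink(tmpl) != 0) {
        close(fd);
        return -1;
    }
    if (!tmpfd_is_private(fd)) {           /* e.g. an old mkstemp that used 0666 */
        close(fd);
        return -1;
    }
    return fd;
}

/* The pattern clause (2) forbids, for contrast only: the name mkstemp
 * filled in is handed to a second call.  Between mkstemp() and fopen()
 * the binding from that name to an inode may change (the same race as
 * Figure 4(b)), so the FILE* may refer to an attacker's file. */
FILE *unsafe_reuse_of_name(void)
{
    char tmpl[] = "/tmp/app-XXXXXX";
    int fd = mkstemp(tmpl);

    if (fd < 0)
        return NULL;
    close(fd);
    return fopen(tmpl, "w");               /* name reused: do not do this */
}

/* Round-trip constructed data through the descriptor alone.  Returns 1 on
 * success. */
int demo_tmpfile_roundtrip(void)
{
    static const char msg[] = "constructed sample data";
    char buf[sizeof msg];
    int fd = make_private_tmpfile();
    int ok;

    if (fd < 0)
        return 0;
    ok = write(fd, msg, sizeof msg) == (ssize_t)sizeof msg &&
         lseek(fd, 0, SEEK_SET) == 0 &&
         read(fd, buf, sizeof buf) == (ssize_t)sizeof buf &&
         memcmp(buf, msg, sizeof msg) == 0;
    close(fd);
    return ok;
}
```

If the temporary file must be visible by name to another process, keep the descriptor and pass it across fork()/exec() or a UNIX socket instead of passing the path; a name in a shared directory is exactly what the property says not to rely on twice.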
3.2. Software Programs
We selected six large, network-related, security-sensitive packages and two small setuid-root programs from Redhat Linux 9. See Figure 6 for a list of the software packages we analyzed, their descriptions, and the number of lines of code analyzed (counted using "wc -l *.c").
3.3. Performance
We ran all the experiments on a 1.5 GHz Pentium 4 single-CPU PC with 1 GB of memory running Redhat Linux 9. Figure 7 shows the time that MOPS spent on model checking each package and the number of real error traces and total error traces that MOPS found. Each table shows the results for one property, where each row shows the results for one package, including the number of programs checked, the running time, and the number of real error traces vs. total error traces. The following explains how we measured these results.
The number of programs checked. Each package builds multiple executable programs, but some prop-