160 likes | 260 Views
Race Conditions. Consider the following Java code. int localData = theShared.getData (); localData ++; theShared.setData(localData );. public class Shared { private int data ; public Shared () { data = 0; } public void setData (int r ) { data = r ;
E N D
Race Conditions Consider the following Java code intlocalData= theShared.getData(); localData++; theShared.setData(localData); • public class Shared { • private intdata; • public Shared() { • data = 0; • } • public void setData(intr) { • data = r; • } • public intgetData() { • return data; • } • } After executing this code what value is stored in Shared.data?
What is a thread / process / task? Threaded variation of the last program. public class Driver { private Shared theShared; private MyThreadthreadA, threadB; public Driver() { theShared = new Shared(); threadA = new MyThread(theShared); threadB = new MyThread(theShared); threadA.start(); threadB.start(); try { threadA.join(); threadB.join(); } catch (InterruptedExceptione) { e.printStackTrace(); } System.out.println(theShared.getData()); } } public static void main(String[] args) { new Driver(); } } public class MyThreadextends Thread { private Shared theShared; public MyThread(Shareds) { theShared = s; } public void run() { intlocalData = theShared.getData(); localData++; theShared.setData(localData); } }
Code shared by threadA and threadB intlocalData= theShared.getData(); //1 localData++; //2 theShared.setData(localData); //3 ExecutionScenario 1: ExecutionScenario 2: threadA -- execute //1 threadA -- execute //2 threadA -- execute //3 threadB -- execute //1 threadB -- execute //2 threadB -- execute //3 threadB -- execute //1 threadB -- execute //2 threadB -- execute //3 threadA -- execute //1 threadA -- execute //2 threadA -- execute //3 ExecutionScenario 3: threadA -- execute //1 threadB -- execute //1 threadB -- execute //2 threadB -- execute //3 threadA -- execute //2 threadA -- execute //3 Whenever the potential order of execution can alter the outcome, this is called a _________ or ___________.
Three essential properties for a race condition _________ Property Two or more flows of control must execute concurrently/in parallel. _____________ Property Some resource must be shared by the concurrent flows. _____________ Property At least one of the concurrent flows must alter the state of the shared resource.
Solution to a race condition eliminate the concurrent access The “trick” is to use an atomic operation, such as a lock.
import java.util.concurrent.locks.ReentrantLock; public class Driver { private Shared theShared; private MyThreadthreadA, threadB; private ReentrantLocktheLock; public Driver() { theShared = new Shared(); theLock = new ReetrantLock(); threadA = new MyThread(theShared, theLock); threadB = new MyThread(theShared, theLock); threadA.start(); threadB.start(); try { threadA.join(); threadB.join(); } catch (InterruptedExceptione) { e.printStackTrace(); } System.out.println(theShared.getData()); } } public static void main(String[] args) { new Driver(); } } import java.util.concurrent.locks.ReentrantLock; public class MyThreadextends Thread { private Shared theShared; private ReentrantLocktheLock; public MyThread(Shared s, ReentrantLock l) { theShared = s; theLock = l; } public void run() { theLock.lock(); intlocalData = theShared.getData(); localData++; theShared.setData(localData); theLock.unlock(); } }
Locks lead to another problem… _________ A thread is deadlocked when it is impossible for it to resume execution even though the expected execution for the thread is incomplete. What if one thread terminates inside a critical section? lockSharedResource(); // the critical section unlockSharedResource(); Potential Deadlock on two resources (A and B) Process 1 Process 2 lockSharedResourceA(); lockSharedResourceB(); // the critical section unlockSharedResourceB(); unlockSharedResourceA(); lockSharedResourceB(); lockSharedResourceA(); // the critical section unlockSharedResourceA(); unlockSharedResourceB();
How can an attacker exploit race conditions? Deadlock leads to _____. Example: 2004 Apache HTTP Server http://www.kb.cert.org/vuls/id/132110 Concurrency, and therefore, race conditions are sensitive to … processor speeds process/thread scheduling algorithms memory constraints asynchronous events state of unrelated processes
What about loosely coupled (untrusted) processes? File targetFile = new File("/tmp/test"); if (targetFile.exists() && targetFile.canRead()) { try { FileInputStream = new FileInputStream(targetFile); inFile.read( someBuffer ); ... inFile.close(); } catch (IOException e) { e.printStackTrace(); } } _________ (Time of Check, Time of Use) the window from TOC through TOU can lead to a race vulnerability
TOCTOU Mitigation ________the file from other access. File targetFile= new File("/tmp/test"); if (targetFile.exists()) { try { FileChannelchannel = null; FileLocklock = null; try { channel = new RandomAccessFile(targetFile,"rw").getChannel(); lock = channel.tryLock(); if (lock != null) { ByteBufferbytes = ByteBuffer.allocate(100); channel.read(bytes); ... lock.release(); } else // file is already locked } catch (OverlappingFileLockExceptione) { // file is already locked } finally { channel.close(); } } catch (IOExceptione) { e.printStackTrace(); }
A non-TOCTOU race condition: walking trees Example (GNU utilities) file tree ... chdir( “/tmp/a” ); chdir( “b” ); chdir( “c” ); // race window chdir( “..” ); unlink( “*” ); //delete all files ...
A non-TOCTOU race condition: walking trees Example (GNU utilities) file tree ... chdir( “/tmp/a” ); chdir( “b” ); chdir( “c” ); // race window chdir( “..” ); unlink( “*” ); //delete all files ... the exploit mv /tmp/a/b/c /tmp/c
Mitigation avoid the use of relative path names avoid using shared access containers “..” and “.” in file names and URLs must be disallowed. use and verify ___________________
symlinkvul This is a classic problem in Unix systems involving the use of symbolic links. The problem is that an attacker's symbolic link can be substituted for a file. (Symbolic links can even reference directories.) A classic example - passwd() 1) open some_dir/.rhosts to authenticate user; close .rhosts 2) create and open some_dir/ptmp 3) reopen some_dir/.rhosts and copy into opened ptmp 4) close files and rename some_dir/ptmp as some_dir/.rhosts
Suppose the user's directory is called victim_dir. Further suppose that the attacker uses s similar directory called attack_dir. A classic example - passwd() Attacker causes some_dir to be a link to attack_dir 1) open some_dir/.rhosts to authenticate user; close .rhosts Attacker causes some_dir to revert to victim_dir 2) create and open some_dir/ptmp Attacker causes some_dir to be a link to attack_dir 3) reopen some_dir/.rhosts and copy into opened ptmp Attacker causes some_dir to revert to victim_dir 4) close files and rename some_dir/ptmp as some_dir/.rhosts
Mitigation – All Race Conditions Closing the race window use mutual exclusion via locks, semaphores, monitors, etc. use “thread safe” threads check file properties securely Eliminating the race (shared) resource identify all shared resources use canonical full path names Controlling access to the race (shared) resource be permission, authorization and privilege aware use trustworthy containers static and dynamic detection tools can find some race conditions