Experience with transactions in QuickSilver
SOSP '91 Proceedings of the thirteenth ACM symposium on Operating systems principles
Proceedings of the 11th USENIX Security Symposium
Secure Applications Need Flexible Operating Systems
HOTOS '97 Proceedings of the 6th Workshop on Hot Topics in Operating Systems (HotOS-VI)
Noninterference and Intrusion Detection
SP '02 Proceedings of the 2002 IEEE Symposium on Security and Privacy
The Confused Deputy: (or why capabilities might have been invented)
ACM SIGOPS Operating Systems Review
Dynamic detection and prevention of race conditions in file accesses
SSYM'03 Proceedings of the 12th conference on USENIX Security Symposium - Volume 12
Fixing races for fun and profit: how to use access(2)
SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
Secretly monopolizing the CPU without superuser privileges
SS'07 Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium
Portably solving file TOCTTOU races with hardness amplification
FAST'08 Proceedings of the 6th USENIX Conference on File and Storage Technologies
Portably solving file races with hardness amplification
ACM Transactions on Storage (TOS)
On Race Vulnerabilities in Web Applications
DIMVA '08 Proceedings of the 5th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Dynamic optimization for efficient strong atomicity
Proceedings of the 23rd ACM SIGPLAN conference on Object-oriented programming systems languages and applications
Proceedings of the ACM SIGOPS 22nd symposium on Operating systems principles
Protecting applications against TOCTTOU races by user-space caching of file metadata
VEE '12 Proceedings of the 8th ACM SIGPLAN/SIGOPS conference on Virtual Execution Environments
Proceedings of the 2012 workshop on New security paradigms
Process firewalls: protecting processes during resource access
Proceedings of the 8th ACM European Conference on Computer Systems
Dean and Hu proposed a probabilistic countermeasure to the classic access(2)/open(2) TOCTTOU race condition in privileged Unix programs [4]. In this paper, we describe an attack that succeeds with very high probability against their countermeasure. We then consider a stronger randomized variant of their defense and show that it, too, is broken. We conclude that access(2) must never be used in privileged Unix programs. The tools we develop can be used to attack other filesystem races, underscoring the importance of avoiding such races in secure software.