On Thu, Aug 09, 2007 at 11:30:47AM -0400, Niels Provos wrote:

This is not a solution to the problem Robert describes in his paper. What you suggest can only help with one kind of race, but this is not a complete fix. There are many more race possibilities because of how syscall wrappers work, and I consider it a design flaw which isn't really fixable. I was thinking a lot about this a few years ago when I was working on CerbNG, but in the end I decided to drop the project, because some problems, as I mentioned, can't be solved and fixing others needs gross hacks, and having gross hacks, especially in security software, is not the way to go.

A look-aside buffer can help only when another thread/process modifies the buffer passed to the kernel after the syscall wrapper check and before the kernel uses it. I was playing in CerbNG with marking the page as read-only to protect against this. Other races that can't be avoided using this technique are, for example:

1. Policy elevates privileges when a process is trying to open some file. We can create a symbolic link that points at this file, call open on it, and after the syscall wrapper check we change the symbolic link to point at /etc/master.passwd.

2. A process is allowed to open a file in its home directory. The syscall wrapper verifies that the process really owns that file and allows it to open it, but we remove it and place a symbolic link to another file before the kernel gets to it.

3. A process opens some special file and when it tries to do something with its descriptor (e.g. fchmod(2)/fchown(2)) we elevate its privileges. Another thread in this process, after the syscall wrapper check, can close this file, open another file and use dup2(2) to reuse the old file's descriptor - the syscall wrapper allowed fchown(2) on descriptor X, but the kernel will have a different file under descriptor X.

There are probably more. In my opinion there are so many potential problems with syscall wrappers that I fully agree with Robert - they should not be used.

The solution, as Robert writes in his paper, is to use frameworks like Mandatory Access Control in FreeBSD, where the policy is given access to objects that are already locked and protected against races, e.g. the kernel first opens a file, locks it and passes a pointer to the locked vnode to the policy. Then we can be sure no change can be made to this file that will confuse our policy.

-- 
Pawel Jakub Dawidek                       http://www.wheel.pl
pjd@FreeBSD.org                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!
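The following is an added example, not part of the thread and not code from Pawel, CerbNG or FreeBSD. It is a user-space analogue in C of the point made above: a policy decision made on a name the caller supplied can be invalidated by anything that changes what the name resolves to between the check and the use (examples 1 and 2 above), whereas a decision made on the object the kernel already holds cannot. The function names open_if_owned_racy, open_if_owned_safe and demo_name_vs_object are hypothetical, the scratch files under /tmp are constructed by the demo, and the "owner must match the caller" rule stands in for whatever the wrapper's policy would be.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical policy: a process may open a file only if it owns it.
 *
 * Racy form: the decision is made on the NAME. stat() resolves the path
 * once for the check, open() resolves it again for the use; whatever the
 * name points at the second time is what gets opened. */
int open_if_owned_racy(const char *path, uid_t uid)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    if (st.st_uid != uid) {
        errno = EPERM;
        return -1;
    }
    return open(path, O_RDONLY);   /* second lookup: the race window is here */
}

/* Safer form: obtain the object first, then decide on that object.
 * O_NOFOLLOW refuses a symbolic link as the final path component, and
 * fstat() describes the inode the descriptor already refers to, so later
 * changes to the name cannot change what was checked. */
int open_if_owned_safe(const char *path, uid_t uid)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0) {
        close(fd);
        return -1;
    }
    if (st.st_uid != uid) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Constructed scratch setup under /tmp: a regular file we own plus a symlink
 * to it. Returns 0 when the behaviours are as described above:
 *   - both variants accept the regular file;
 *   - the racy variant accepts the symlink, because both of its lookups
 *     follow the name wherever it leads;
 *   - the safe variant refuses the symlink (ELOOP on Linux, EMLINK on
 *     older FreeBSD).
 * Non-zero return values identify which expectation failed. */
int demo_name_vs_object(void)
{
    char dir[64], file[96], link[96];
    snprintf(dir, sizeof dir, "/tmp/wrapper-race-%ld", (long)getpid());
    snprintf(file, sizeof file, "%s/mine.txt", dir);
    snprintf(link, sizeof link, "%s/alias", dir);
    if (mkdir(dir, 0700) != 0 && errno != EEXIST)
        return -1;
    unlink(link);                    /* clear leftovers from an earlier run */
    unlink(file);
    int fd = open(file, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -2;
    close(fd);
    if (symlink("mine.txt", link) != 0)
        return -3;

    uid_t me = getuid();
    int rc = 0;
    int a = open_if_owned_racy(file, me);
    int b = open_if_owned_safe(file, me);
    if (a < 0 || b < 0)
        rc = 1;
    if (a >= 0) close(a);
    if (b >= 0) close(b);

    if (rc == 0) {                   /* name-based check follows the alias */
        int c = open_if_owned_racy(link, me);
        if (c < 0) rc = 2; else close(c);
    }
    if (rc == 0) {                   /* object-based check refuses the alias */
        int d = open_if_owned_safe(link, me);
        if (d >= 0) { close(d); rc = 3; }
        else if (errno != ELOOP && errno != EMLINK) rc = 4;
    }

    unlink(link);
    unlink(file);
    rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = demo_name_vs_object();
    printf("name-based vs object-based check: %s (rc=%d)\n",
           rc == 0 ? "as expected" : "unexpected", rc);
    return rc == 0 ? 0 : 1;
}
```

The demo cannot reproduce the timing of the race itself; what it shows deterministically is the property the race exploits, namely that a name-based check happily accepts an alias it never inspected, while a check made on the opened descriptor is bound to the inode it actually holds. That is the same shift the message argues for in the kernel: hand the policy a locked vnode, not a path to resolve again.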
