On Thu, Aug 09, 2007 at 11:30:47AM -0400, Niels Provos wrote:
> There is a straightforward solution for this problem. The initial
> prototype of Systrace had a look-aside buffer in the kernel for
> copyin. I told Robert about this, not sure if he mentioned that in
> his paper or not. There obviously would be some associated
> performance impacts.
This is not a solution to the problem Robert describes in his paper. What you suggest can only help with one kind of race, but this is not a complete fix. There are many more race possibilities because of how syscall wrappers work, and I consider it a design flaw which isn't really fixable. I was thinking a lot about this a few years ago when I was working on CerbNG, but in the end I decided to drop the project, because some problems, as I mentioned, can't be solved and fixing others needs gross hacks, and having gross hacks, especially in security software, is not the way to go.

A look-aside buffer can help only when another thread/process modifies the buffer passed to the kernel after the syscall wrapper check and before the kernel uses it. I was playing in CerbNG with marking the page as read-only to protect against this.

Other races that can't be avoided using this technique are, for example:

1. The policy elevates privileges when a process is trying to open some file. We can create a symbolic link that points at this file, call open on it, and after the syscall wrapper check we change the symbolic link to point at /etc/master.passwd.

2. A process is allowed to open a file in its home directory. The syscall wrapper verifies that the process really owns that file and allows it to open it, but we remove it and place a symbolic link to another file before the kernel gets to it.

3. A process opens some special file, and when it tries to do something with its descriptor (e.g. fchmod(2)/fchown(2)) we elevate its privileges. Another thread in this process, after the syscall wrapper check, can close this file, open another file and use dup2(2) to reuse the old file's descriptor - the syscall wrapper allowed fchown(2) on descriptor X, but the kernel will have a different file under descriptor X.

There are probably more. In my opinion there are just too many potential problems with syscall wrappers, so I fully agree with Robert - they should not be used.
The solution, as Robert writes in his paper, is to use frameworks like Mandatory Access Control in FreeBSD, where the policy gets access to objects that are already locked and protected against races, e.g. the kernel first opens a file, locks it and passes a pointer to the locked vnode to the policy. Then we can be sure no change can be made to this file that will confuse our policy.

-- 
Pawel Jakub Dawidek                       http://www.wheel.pl
[EMAIL PROTECTED]                         http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!
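An added illustration of the pathname race in item 2 and of the object-based check described above; this is example code written for this page, not code from CerbNG, Systrace or the FreeBSD MAC framework. It assumes a constructed fixture under /tmp in which the policy permits exactly one file ("allowed"), a second file ("secret") stands in for the file the policy must not expose, and a symlink ("link") is the name the policy is asked about; the "second thread" is simulated by a callback run inside the wrapper's check-to-use gap.

```c
#define _DEFAULT_SOURCE 1   /* for mkdtemp(3) on glibc */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>

/* Constructed fixture: "allowed" is the only file the policy permits, "secret" must never leak. */
static char g_dir[64], g_link[96];   /* "link" is the name the policy is asked about */
static ino_t g_allowed_ino;          /* identity of the object the policy permits */

static int make_fixture(void) {
    struct stat st; char p[96];
    snprintf(g_dir, sizeof g_dir, "/tmp/wrapper-race-XXXXXX");
    if (!mkdtemp(g_dir)) return -1;
    snprintf(g_link, sizeof g_link, "%s/link", g_dir);
    snprintf(p, sizeof p, "%s/secret", g_dir);  close(creat(p, 0600));
    snprintf(p, sizeof p, "%s/allowed", g_dir); close(creat(p, 0600));
    if (stat(p, &st) || symlink("allowed", g_link)) return -1;   /* link -> allowed */
    g_allowed_ino = st.st_ino;
    return 0;
}

/* The second thread of item 2 above: re-point the name inside the wrapper's gap. */
static void swap_link(void) { unlink(g_link); symlink("secret", g_link); }

/* Wrapper style: decide on the pathname, then let the kernel resolve it again. */
static int check_then_open(const char *path, void (*gap)(void)) {
    struct stat st;
    if (stat(path, &st) || st.st_ino != g_allowed_ino) return -1;
    gap();                        /* check passed; the name is changed here */
    return open(path, O_RDONLY);  /* the kernel's own lookup finds another object */
}

/* Object style (a hook handed a locked vnode): bind first, decide on the object obtained. */
static int open_then_check(const char *path) {
    struct stat st; int fd = open(path, O_RDONLY);
    if (fd >= 0 && (fstat(fd, &st) || st.st_ino != g_allowed_ino)) { close(fd); fd = -1; }
    return fd;
}

/* 0 = denied, 1 = got the permitted file, 2 = got the secret file. */
static int outcome(int fd) {
    struct stat st;
    if (fd < 0) return 0; fstat(fd, &st); close(fd);
    return st.st_ino == g_allowed_ino ? 1 : 2;
}

int run_check_then_open(void) { return make_fixture() ? -1 : outcome(check_then_open(g_link, swap_link)); }
int run_open_then_check(void) {
    if (make_fixture()) return -1;
    swap_link();   /* attacker even wins the lookup race and is still denied */
    return outcome(open_then_check(g_link));
}
```

The name-based check returns a descriptor for "secret" (outcome 2), while the object-based check denies the request (outcome 0) even though the swap happened before its open, because the decision is made on the inode actually obtained.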