Academic Integrity: tutoring, explanations, and feedback — we don’t complete graded work or submit on a student’s behalf.

Race conditions are a common problem in operating system protection mechanisms.

ID: 3838286 • Letter: R

Question

Race conditions are a common problem in operating system protection mechanisms. An easy example involves a Time-of-check to Time of Use (TOCTOU) race based on Unix symbolic links, which contain a path that is resolved at access time. For example, the UNIX print utility “lpr” runs setuid root and has the ability to read any file on the system and send it to the printer – an operation that requires root privileges. To prevent a user from printing a file she doesn’t own, it checks the ownership of a file before printing it:

if (access(argv[1], R OK) != 0)

exit(1);

fd = open(argv[1], O RDONLY);

send_to_printer(fd)

a. Explain how a user can use two programs in combination with symbolic links to get lpr to print a file to which the user does not have permission to open.

b. To actually mount a practical attack, timing is critical. The attacker must make sure the second program is able to run exactly between the two system calls in the above code. How can the attacker guarantee this?

Explanation / Answer

a. The attacker can make full use of lpr with the help of symbolic link. The attacker can pass it to a file to print. The attacker initially points link to file that own by him. After the access system call is run then attacker switches symbolic link to point at a file that the attacker normally does not have privileges to access.

b. In the first scenario attacker wants that symbolic link must change after the access call starts and before the file open begins. If the access call causes the kernel to make I/O requests to the disk, it will cause the process to sleep until the disk requests complete. It means that the attacker must make sure that the file is not in the file cache in memory. During this time, the attacker can switch the directory links. The process can be made to sleep for longer by providing an initial file with a very deep directory structure that will require multiple disk accesses to traverse.

Related Questions

RUQUAGUGA-3 5-GAAUGAAAUGUUAACC-3 5-GGGCAUUCC-3 cue 18. Which of the following ar
Question #205031
RUTGERS Acquisitions and Expenditures . What are acquisitions and expenditures?
Question #2573337
RVQ1 1. Name 5 types of primary signaling receptors, and describe how they work
Question #178259
RVQ2 9. What is the role of Apc in Colon cancer? 10. 11. 2. How can p21, p53, cd
Question #178261
RVQ3 17. What are \"pocket proteins?\" how are they regulated? 18. What are the
Question #178262
RVQ4 25. In what ways does Myc oncoprotein deregulate cell proliferation and dif
Question #178263
RW Corp. needs to replace an old lathe with a new, more efficient model. The old
Question #2612596
RWE Enterprises, Inc. (RWE) is a small manufacturing firm located in the hills j
Question #2648409

Navigate

Previous
Race car teams will spend exorbitant money to gain even the slightest edge on th
Next
Race conditions are possible in many computer systems. Consider a banking system

Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.