Checking for Race Conditions in File Accesses

Author(s): Matt Bishop, Michael Dilger
Venue: Computing Systems
Date: 1996


Quality: 3

Language: C
Defect Type: Race conditions for file accesses
Uses Annotations: No
Requires Annotations: No
Sound: No
Flow-sensitive: No
Context-sensitive: No

This paper describes a method for finding race conditions in file accesses on UNIX-based operating systems. The authors give examples of how these race conditions can be exploited to obtain escalated privileges by using the time interval between file operations that should be atomic. They present a grammar for representing vulnerabilities abstractly as a sequence of actions with associated environmental information and give examples of various vulnerabilities expressed in that grammar. They also discuss an implementation of their technique in a tool they wrote to analyze C programs. The implementation uses string-based pattern matching to search for sequences of system calls that use the same file as an argument, and flags all such sequences for manual review. It looks only for a subset of the system calls involved in file manipulation. The authors describe this study as a feasibility study to determine whether their method is worth pursuing further.
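To make the detection idea concrete, here is an added illustration (not the authors' tool or code) of the string-based pattern matching the paper describes: it scans C source for a constructed subset of file-manipulating calls and flags every argument that reaches two or more of them. The sample C function is constructed for the example, and, like the paper's tool, the scan is purely textual, so it reports candidates for manual review rather than confirmed races.

```python
import re

# Constructed subset of file-manipulating calls to watch; the paper's tool likewise
# covers only a subset of the file-related system calls.
FILE_CALLS = ("access", "stat", "lstat", "open", "creat", "chmod", "chown",
              "unlink", "rename", "link", "symlink", "mkdir", "rmdir")

# A watched call followed by its first argument: an identifier or a string literal.
CALL_RE = re.compile(r'\b(%s)\s*\(\s*([A-Za-z_]\w*|"[^"]*")' % "|".join(FILE_CALLS))

def find_file_call_sequences(c_source):
    """Return [(arg, [(line, call), ...])] for every file argument that is passed
    to two or more watched calls, in source order.  A repeated argument means a
    check and a later use that may not be atomic (a TOCTTOU candidate).  The match
    is textual only: aliasing or reuse of a variable name fools it, as the paper
    admits, so each hit is a candidate for manual review."""
    seen = {}
    for lineno, line in enumerate(c_source.splitlines(), 1):
        for m in CALL_RE.finditer(line):
            call, arg = m.group(1), m.group(2)
            seen.setdefault(arg, []).append((lineno, call))
    return [(arg, uses) for arg, uses in seen.items() if len(uses) >= 2]

# Constructed sample: a check on `path` followed by a use of the same name.
SAMPLE_C = '''\
int deliver(const char *path, const char *lock) {
    struct stat st;
    if (access(path, W_OK) != 0)        /* check */
        return -1;
    int fd = open(path, O_WRONLY);      /* use: the window is between these */
    if (stat("/var/mail/lock", &st) == 0)
        unlink("/var/mail/lock");
    chmod(lock, 0600);                  /* lock is used once: not flagged */
    return fd;
}
'''

if __name__ == "__main__":
    for arg, uses in find_file_call_sequences(SAMPLE_C):
        calls = ", ".join("%s() at line %d" % (c, ln) for ln, c in uses)
        print("review: %s reaches %s" % (arg, calls))
```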

They tested their technique on a single body of code: the sendmail email server. Their tool found 24 potential bugs, 19 of which were classified as false positives after investigation. The remaining 5 bugs were reported to sendmail's maintainers, where it was discovered that one of them had already been reported and fixed. This static analysis technique looks promising, but it doesn't seem ready just yet for production code. The authors admit that the string-based pattern matching is easily fooled. Also, there is no mechanism for eliminating likely false positives from the list of system call sequences reported to the user. These deficiencies are forgivable in light of the study's feasibility nature, and the authors propose a more thorough file identification scheme and a full C lexical analyzer as future work.
