
Consider the following Java code


randy

Presentation Transcript


  1. Race Conditions

     Consider the following Java code:

     ```java
     int localData = theShared.getData();
     localData++;
     theShared.setData(localData);
     ```

     ```java
     public class Shared {
         private int data;

         public Shared() {
             data = 0;
         }

         public void setData(int r) {
             data = r;
         }

         public int getData() {
             return data;
         }
     }
     ```

     After executing this code, what value is stored in Shared.data?

  2. What is a thread / process / task?

     Threaded variation of the last program.

     ```java
     public class Driver {
         private Shared theShared;
         private MyThread threadA, threadB;

         public Driver() {
             theShared = new Shared();
             // Both threads operate on the same Shared instance.
             threadA = new MyThread(theShared);
             threadB = new MyThread(theShared);
             threadA.start();
             threadB.start();
             try {
                 // Wait for both threads to finish before reading the result.
                 threadA.join();
                 threadB.join();
             } catch (InterruptedException e) {
                 e.printStackTrace();
             }
             System.out.println(theShared.getData());
         }

         public static void main(String[] args) {
             new Driver();
         }
     }
     ```

     ```java
     public class MyThread extends Thread {
         private Shared theShared;

         public MyThread(Shared s) {
             theShared = s;
         }

         public void run() {
             // Unsynchronized read-modify-write on the shared object.
             int localData = theShared.getData();
             localData++;
             theShared.setData(localData);
         }
     }
     ```

  3. Code shared by threadA and threadB

     ```java
     int localData = theShared.getData();  //1
     localData++;                          //2
     theShared.setData(localData);         //3
     ```

     ```
     Execution Scenario 1:        Execution Scenario 2:
     threadA -- execute //1       threadB -- execute //1
     threadA -- execute //2       threadB -- execute //2
     threadA -- execute //3       threadB -- execute //3
     threadB -- execute //1       threadA -- execute //1
     threadB -- execute //2       threadA -- execute //2
     threadB -- execute //3       threadA -- execute //3

     Execution Scenario 3:
     threadA -- execute //1
     threadB -- execute //1
     threadB -- execute //2
     threadB -- execute //3
     threadA -- execute //2
     threadA -- execute //3
     ```

     Whenever the potential order of execution can alter the outcome, this is called a _________ or ___________.
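The three scenarios above can be replayed deterministically. This is an added example, not part of the original slides: it models Shared.data and each thread's localData as plain integers, replays a given schedule of steps //1 to //3, and then goes beyond the three scenarios by enumerating every possible interleaving of the two threads. The class and method names are chosen for this illustration.

```java
import java.util.Map;
import java.util.TreeMap;

public class Interleavings {
    // Replays one schedule: schedule[i] names the thread (0 = threadA, 1 = threadB)
    // that executes its next step at position i.
    static int replay(int[] schedule) {
        int shared = 0;               // models Shared.data
        int[] local = new int[2];     // models each thread's localData
        int[] pc = new int[2];        // next step (0..2) of each thread
        for (int t : schedule) {
            switch (pc[t]++) {
                case 0: local[t] = shared; break;   // step //1: getData()
                case 1: local[t]++; break;          // step //2: increment the local copy
                default: shared = local[t];         // step //3: setData()
            }
        }
        return shared;
    }

    // Enumerates every merge of the two three-step sequences that keeps each
    // thread's own steps in program order, and tallies the final values.
    static void enumerate(int[] schedule, int pos, int a, int b, Map<Integer, Integer> counts) {
        if (pos == schedule.length) {
            counts.merge(replay(schedule), 1, Integer::sum);
            return;
        }
        if (a < 3) { schedule[pos] = 0; enumerate(schedule, pos + 1, a + 1, b, counts); }
        if (b < 3) { schedule[pos] = 1; enumerate(schedule, pos + 1, a, b + 1, counts); }
    }

    public static void main(String[] args) {
        System.out.println("Scenario 1: " + replay(new int[] {0, 0, 0, 1, 1, 1}));
        System.out.println("Scenario 2: " + replay(new int[] {1, 1, 1, 0, 0, 0}));
        System.out.println("Scenario 3: " + replay(new int[] {0, 1, 1, 1, 0, 0}));
        Map<Integer, Integer> counts = new TreeMap<>();
        enumerate(new int[6], 0, 0, 0, counts);
        System.out.println("final value -> number of interleavings: " + counts);
    }
}
```

Of the 20 possible interleavings, only the two fully serial ones (Scenarios 1 and 2) leave 2 in Shared.data; every other order loses one of the updates.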

  4. Three essential properties for a race condition

     - _________ Property: Two or more flows of control must execute concurrently/in parallel.
     - _____________ Property: Some resource must be shared by the concurrent flows.
     - _____________ Property: At least one of the concurrent flows must alter the state of the shared resource.

  5. Solution to a race condition

     Eliminate the concurrent access.

     The “trick” is to use an atomic operation, such as a lock.

  6.

     ```java
     import java.util.concurrent.locks.ReentrantLock;

     public class Driver {
         private Shared theShared;
         private MyThread threadA, threadB;
         private ReentrantLock theLock;

         public Driver() {
             theShared = new Shared();
             // One lock, shared by both threads, guards theShared.
             theLock = new ReentrantLock();
             threadA = new MyThread(theShared, theLock);
             threadB = new MyThread(theShared, theLock);
             threadA.start();
             threadB.start();
             try {
                 threadA.join();
                 threadB.join();
             } catch (InterruptedException e) {
                 e.printStackTrace();
             }
             System.out.println(theShared.getData());
         }

         public static void main(String[] args) {
             new Driver();
         }
     }
     ```

     ```java
     import java.util.concurrent.locks.ReentrantLock;

     public class MyThread extends Thread {
         private Shared theShared;
         private ReentrantLock theLock;

         public MyThread(Shared s, ReentrantLock l) {
             theShared = s;
             theLock = l;
         }

         public void run() {
             theLock.lock();
             // Critical section: only one thread at a time runs these three steps.
             int localData = theShared.getData();
             localData++;
             theShared.setData(localData);
             theLock.unlock();
         }
     }
     ```

  7. Locks lead to another problem… _________

     A thread is deadlocked when it is impossible for it to resume execution even though the expected execution for the thread is incomplete.

     What if one thread terminates inside a critical section?

     ```java
     lockSharedResource();
     // the critical section
     unlockSharedResource();
     ```

     Potential deadlock on two resources (A and B):

     Process 1

     ```java
     lockSharedResourceA();
     lockSharedResourceB();
     // the critical section
     unlockSharedResourceB();
     unlockSharedResourceA();
     ```

     Process 2

     ```java
     lockSharedResourceB();
     lockSharedResourceA();
     // the critical section
     unlockSharedResourceA();
     unlockSharedResourceB();
     ```
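Both problems on this slide have a standard defensive pattern, sketched here as an added example that is not part of the original slides: release every lock in a `finally` block so a thread that dies inside the critical section cannot leave it held, and make every thread acquire A before B so the Process 1 / Process 2 cycle cannot form. The class, field and method names are chosen for this illustration.

```java
import java.util.concurrent.locks.ReentrantLock;

public class OrderedLocks {
    static final ReentrantLock lockA = new ReentrantLock();
    static final ReentrantLock lockB = new ReentrantLock();
    static int shared = 0;   // only touched while both locks are held

    // Every caller takes A before B, so no two threads can each hold one lock
    // while waiting for the other.
    static void update(boolean failInside) {
        lockA.lock();
        try {
            lockB.lock();
            try {
                shared++;   // the critical section
                if (failInside) {
                    throw new IllegalStateException("terminated inside the critical section");
                }
            } finally {
                lockB.unlock();   // runs even when the critical section throws
            }
        } finally {
            lockA.unlock();
        }
    }

    public static void main(String[] args) throws InterruptedException {
        // One thread fails inside the critical section; two others follow normally.
        Thread crasher = new Thread(() -> {
            try {
                update(true);
            } catch (IllegalStateException e) {
                // The thread ends here; both locks were already released by finally.
            }
        });
        Thread p1 = new Thread(() -> update(false));
        Thread p2 = new Thread(() -> update(false));
        crasher.start();
        p1.start();
        p2.start();
        crasher.join();
        p1.join();
        p2.join();
        System.out.println("shared = " + shared
                + ", A still locked: " + lockA.isLocked()
                + ", B still locked: " + lockB.isLocked());
    }
}
```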

  8. How can an attacker exploit race conditions?

     Deadlock leads to _____.

     Example: 2004 Apache HTTP Server http://www.kb.cert.org/vuls/id/132110

     Concurrency, and therefore race conditions, are sensitive to …

     - processor speeds
     - process/thread scheduling algorithms
     - memory constraints
     - asynchronous events
     - state of unrelated processes

  9. What about loosely coupled (untrusted) processes?

     ```java
     File targetFile = new File("/tmp/test");
     // Time of check: the path is tested here ...
     if (targetFile.exists() && targetFile.canRead()) {
         try {
             // Time of use: ... and resolved again, by name, when it is opened.
             FileInputStream inFile = new FileInputStream(targetFile);
             inFile.read(someBuffer);
             ...
             inFile.close();
         } catch (IOException e) {
             e.printStackTrace();
         }
     }
     ```

     _________ (Time of Check, Time of Use): the window from TOC through TOU can lead to a race vulnerability.

  10. TOCTOU Mitigation

      ________ the file from other access.

      ```java
      File targetFile = new File("/tmp/test");
      if (targetFile.exists()) {
          try {
              FileChannel channel = null;
              FileLock lock = null;
              try {
                  channel = new RandomAccessFile(targetFile, "rw").getChannel();
                  // tryLock() returns null when another program holds the lock.
                  lock = channel.tryLock();
                  if (lock != null) {
                      ByteBuffer bytes = ByteBuffer.allocate(100);
                      channel.read(bytes);
                      ...
                      lock.release();
                  } else {
                      // file is already locked
                  }
              } catch (OverlappingFileLockException e) {
                  // file is already locked
              } finally {
                  // channel is still null if opening the file failed.
                  if (channel != null) {
                      channel.close();
                  }
              }
          } catch (IOException e) {
              e.printStackTrace();
          }
      }
      ```

  11. A non-TOCTOU race condition: walking trees

      Example (GNU utilities) file tree

      ```c
      ...
      chdir("/tmp/a");
      chdir("b");
      chdir("c");
      // race window
      chdir("..");
      unlink("*");   // delete all files
      ...
      ```

  12. A non-TOCTOU race condition: walking trees

      Example (GNU utilities) file tree

      ```c
      ...
      chdir("/tmp/a");
      chdir("b");
      chdir("c");
      // race window
      chdir("..");
      unlink("*");   // delete all files
      ...
      ```

      The exploit:

      ```
      mv /tmp/a/b/c /tmp/c
      ```

  13. Mitigation avoid the use of relative path names avoid using shared access containers “..” and “.” in file names and URLs must be disallowed. use and verify ___________________

  14. symlinkvul

      This is a classic problem in Unix systems involving the use of symbolic links. The problem is that an attacker's symbolic link can be substituted for a file. (Symbolic links can even reference directories.)

      A classic example - passwd()

      1) open some_dir/.rhosts to authenticate user; close .rhosts
      2) create and open some_dir/ptmp
      3) reopen some_dir/.rhosts and copy into opened ptmp
      4) close files and rename some_dir/ptmp as some_dir/.rhosts

  15. Suppose the user's directory is called victim_dir. Further suppose that the attacker uses a similar directory called attack_dir.

      A classic example - passwd()

      ```
         Attacker causes some_dir to be a link to attack_dir
      1) open some_dir/.rhosts to authenticate user; close .rhosts
         Attacker causes some_dir to revert to victim_dir
      2) create and open some_dir/ptmp
         Attacker causes some_dir to be a link to attack_dir
      3) reopen some_dir/.rhosts and copy into opened ptmp
         Attacker causes some_dir to revert to victim_dir
      4) close files and rename some_dir/ptmp as some_dir/.rhosts
      ```
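The sequence above is exposed because every step resolves some_dir by name again. The following added example (not from the original slides) shows one way to close that window in Java: open the directory once and perform the open, create and rename steps relative to that handle with `SecureDirectoryStream`. It also drops the exists()/canRead() pre-check of the earlier TOCTOU slides in favour of an open that fails by exception and refuses symbolic links. Assumptions: a platform whose JDK returns a `SecureDirectoryStream` (Linux does), and the file name `settings` and the scratch directory are constructed sample input.

```java
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.channels.SeekableByteChannel;
import java.nio.file.*;
import java.util.Set;

public class PinnedDirUpdate {
    // Copies dir/name to dir/tmpName and renames it back over dir/name, resolving
    // every step against one open directory handle instead of re-walking the path.
    static void rewrite(Path dir, String name, String tmpName) throws IOException {
        try (DirectoryStream<Path> ds = Files.newDirectoryStream(dir)) {
            if (!(ds instanceof SecureDirectoryStream)) {
                throw new UnsupportedOperationException("no directory-relative file operations here");
            }
            SecureDirectoryStream<Path> pinned = (SecureDirectoryStream<Path>) ds;
            Path src = Paths.get(name), tmp = Paths.get(tmpName);
            // No exists()/canRead() pre-check: the open is the check, and it refuses symlinks.
            Set<OpenOption> read = Set.of(StandardOpenOption.READ, LinkOption.NOFOLLOW_LINKS);
            // CREATE_NEW fails if tmpName already exists, so a planted file is never reused.
            Set<OpenOption> create = Set.of(StandardOpenOption.WRITE,
                    StandardOpenOption.CREATE_NEW, LinkOption.NOFOLLOW_LINKS);
            try (SeekableByteChannel in = pinned.newByteChannel(src, read);
                 SeekableByteChannel out = pinned.newByteChannel(tmp, create)) {
                ByteBuffer buf = ByteBuffer.allocate(8192);
                while (in.read(buf) != -1) {
                    buf.flip();
                    while (buf.hasRemaining()) {
                        out.write(buf);
                    }
                    buf.clear();
                }
            }
            // Rename inside the same pinned directory, whatever the name points to now.
            pinned.move(tmp, pinned, src);
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample input: a scratch directory holding one small file.
        Path dir = Files.createTempDirectory("pinned-demo");
        Files.write(dir.resolve("settings"), "constructed sample\n".getBytes());
        rewrite(dir, "settings", "ptmp");
        System.out.println(new String(Files.readAllBytes(dir.resolve("settings"))));
    }
}
```

The directory passed to `rewrite` is still resolved by name once, so it has to be reached through a path the attacker cannot modify.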

  16. Mitigation – All Race Conditions

      Closing the race window

      - use mutual exclusion via locks, semaphores, monitors, etc.
      - use “thread safe” threads
      - check file properties securely

      Eliminating the race (shared) resource

      - identify all shared resources
      - use canonical full path names

      Controlling access to the race (shared) resource

      - be permission, authorization and privilege aware
      - use trustworthy containers

      Static and dynamic detection tools can find some race conditions.
