race condition - yajin · a vulnerable set-uid program • access -> check real user id •...

Race Condition Yajin Zhou (http://yajin.org ) Zhejiang University Credits: SEEDLab http://www.cis.syr.edu/~wedu/seed/

Upload: others

Post on 11-Oct-2020

0 views

Category:

Documents

0 download

Report

Download

Embed Size (px):

TRANSCRIPT

Race Condition

Yajin Zhou (http://yajin.org)

Zhejiang University

Credits: SEEDLab

http://www.cis.syr.edu/~wedu/seed/

http://yajin.org

http://www.cis.syr.edu/~wedu/seed/

A vulnerable Set-UID program

• Access -> check real user id

• Open-> check effective user id

• That’s the reason why we need access before open

How to attack

Page 5: Race Condition - Yajin · A vulnerable Set-UID program • Access -> check real user id • Open-> check effective user id • That’sthe reason why we need access before open

Experiment

Page 6: Race Condition - Yajin · A vulnerable Set-UID program • Access -> check real user id • Open-> check effective user id • That’sthe reason why we need access before open

Experiment

Page 7: Race Condition - Yajin · A vulnerable Set-UID program • Access -> check real user id • Open-> check effective user id • That’sthe reason why we need access before open

Experiment

• X->password is stored /etc/shadow

• No x -> password is in /etc/passwd

Page 8: Race Condition - Yajin · A vulnerable Set-UID program • Access -> check real user id • Open-> check effective user id • That’sthe reason why we need access before open

Experiment

Attack_process.c

Page 9: Race Condition - Yajin · A vulnerable Set-UID program • Access -> check real user id • Open-> check effective user id • That’sthe reason why we need access before open

Experiment

Target_process.sh

Page 10: Race Condition - Yajin · A vulnerable Set-UID program • Access -> check real user id • Open-> check effective user id • That’sthe reason why we need access before open

Experiment

Target_process.sh

Page 11: Race Condition - Yajin · A vulnerable Set-UID program • Access -> check real user id • Open-> check effective user id • That’sthe reason why we need access before open

Experiment

Page 12: Race Condition - Yajin · A vulnerable Set-UID program • Access -> check real user id • Open-> check effective user id • That’sthe reason why we need access before open

Experiment

Page 13: Race Condition - Yajin · A vulnerable Set-UID program • Access -> check real user id • Open-> check effective user id • That’sthe reason why we need access before open

Defense

• Atomic operation

• If we can have an option to tell open to use real UID (instead of

effective UID)

• Sticky protection

Page 14: Race Condition - Yajin · A vulnerable Set-UID program • Access -> check real user id • Open-> check effective user id • That’sthe reason why we need access before open

Defense

• Least privilege

Check Nbr Payee Check Amount Check Date Stmnt Date 34243 A

Operating System Services & Structures - Yajin · Operating System Services (User/Programmer-Visible) • User interface • most operating systems have a user interface (UI). •

AirBag: Boosting Smartphone Resistance to Malware Infection Chiachih Wu†, Yajin Zhou†, Kunal Patel†, Zhenkai Liang ∗, Xuxian Jiang† † Department of Computer

Experiences on MRO · C-Check, D-Check Modification Retrofit/Reconfiguration ... A320 C1-Check 2 years C2-Check 4 years C3-Check + 6Y 6 years C4-Check 8 years C5-Check 10 years C6-Check

Check In / Check Out

Check Nbr Payee Check Amount Check Date Stmnt Date 29634 ... · Check Nbr Payee Check Amount Check Date Stmnt Date 29634 ACT 38.00 09/10/2010 29635 MARICRUZ ... 29737 APPLE, INC

Format String Vulnerability - Yajin Zhou@Zhejiang …Initialize va_list • Va_start: compute the start address of va_list based on its second argument. • void va_start(va_list ap,

AirBag: Boosting Smartphone Resistance to Malware Infection · 2014-02-20 · AirBag: Boosting Smartphone Resistance to Malware Infection Chiachih Wu †, Yajin Zhou , Kunal Patel

CBRE RESEARCH | CEE & SEE WORKING FROM HOME SURVEY 2020 · 5/15/2020 · like this and that’sthe main reason why CBRE Research conducted a survey to better understand the perception

Answers - Springer978-1-349-09462... · 2017-08-25 · Check 7 Check 8 Check 9 Check 10 Check 11 Check 12 Check 13 Check 14 268 1 1i 7-!-13 t 19 8~ 1 0.6 7 0.27 2 fs 8 1t 14 24 20

GNU coreutils - Developer Conference 2011 Brnoovasik.fedorapeople.org/coreutils.pdf · md5sum md5sum--check sha1sum--check sha224sum--check sha256sum--check sha384sum--check sha512sum--check

VALVES - flowtec.at · Check Valves / Nozzle Check Valves .....44 Swing Check Valves

A Simple C Runtime by Example - Yajin

An Analysis of the AnserverBot Trojan · 2011-09-26 · An Analysis of the AnserverBot Trojan Yajin Zhou, Xuxian Jiang September 25, 2011 1 Introduction On September 19, 2011, NetQin

D D eheeé Sheet cm CHECK.I CHECK.2 CHECK.3 CHECK.4 … · CHECK.2 CHECK.3 CHECK.4 CHECK.5 CHECK.6 CHECK.7 CHECK .8 CHECK.9 cm CHECK.IO 'J —7 > MEMO cm cm cm . Author: admin Created

Logic Check Function Check Procedure

RESERVATIONS, CHECK-IN & CHECK-OUT

Yajin Zhou@Zhejiang University - 13 File System …yajin.org/os2019fall/ppt/13_File_System_Interface.pdfFile Concept • File is a contiguous logical address space for storing information

Check Reversals, Check Cancels & ACH Stops. 2 Check Reversals Agencies can do check reversals until November closes –For those agencies that have check

Check In, Check Out

CHECK 03-5273-3764 (ü) (FAX) 03-5273-4070 …CHECK 03-5273-3764 (ü) (FAX) 03-5273-4070 Check List CHECK CHECK 2 CHECK 3 STOP THE TROUBLE

Check Reversals, Check Cancels & ACH Stops

Buncombe County Check Register...DATE AMOUNT CHECK CHECK CHECK UNIT INVOICE INVOICE NUMBER DATE Check Dates: Buncombe County Check Register VENDOR_NAME 7/1/2010 - 6/30/2011 ACCOUNT

C2 Go! check it out check it out check it out check it out ...cloud.media.wenatcheeworld.com/uploads/epaper/2013/02/07/ww... · check it out check it out check it out check it out

Check Register October 1, 2019 - March 31, 2020 - …...Check No. Check Date Vendor Name Check Amount Check Status Description Check Register October 1, 2019 - March 31, 2020 - General

Auto-Reclosure; Synchro-Check & Voltage Check

Dissecting Android Malware : Characterization and Evolution Author : Yajin Zhou, Xuxuan Jiang TJ

Environment Variables and Attacks - Yajin · 2019-05-22 · Shell Variables and Environment Variables • Shell variables affect the environment variables of child process • When

Yajin Zhou () Zhejiang University

Auto-Reclosure, Synchro-Check & Voltage Check

INTRODUCTION CHECK IN/CHECK OUT

Check In/Check Out Overview. What is CICO? CICO= “Check In/Check Out” The CICO program is a school-wide, check-in, check-out prevention program for students

KIM TREE Developing an effective lesson plan Starting Point Check the Unit Specification –Check the date –Check the version –Check for changes –Check

Go! check it out check it out check it out check it out ...cloud.media.wenatcheeworld.com/uploads/epaper/2013/09/12/ww... · check it out check it out check it out check it out check

IT STARTS WITH A DREAM - Kitchen Art Design€¦ · there, looking in, itching for a chance to renovate and remodel the space that’sthe heart of your home; the only trick is understanding