Person:
Pu, Calton


Publication Search Results


A Secure Middleware Architecture for Web Services

2007, Singaravelu, Lenin; Wei, Jinpeng; Pu, Calton

Current web service platforms (WSPs) often perform all web-service-related processing, including the handling of security-sensitive information, in the same protection domain. Consequently, the entire WSP may have access to security-sensitive information such as credit card numbers, forcing us to trust a large and complex piece of software. To address this problem, we propose ISO-WSP, a new middleware architecture that decomposes current WSPs into two parts executing in separate protection domains: (1) a small trusted T-WSP that handles security-sensitive data, and (2) a large, legacy, untrusted U-WSP that provides the normal WSP functionality but delegates security-sensitive data handling to the T-WSP. By restricting security-sensitive data access to the T-WSP, ISO-WSP reduces the software complexity of the trusted code, thereby improving the testability of ISO-WSP. To achieve end-to-end security, the application code is also decomposed into two parts, isolating a small trusted part from the remaining untrusted code. The trusted part encapsulates all accesses to security-sensitive data through a Secure Functional Interface (SFI). To ease the migration of legacy applications to ISO-WSP, we developed tools that translate direct manipulations of security-sensitive data by the untrusted part into SFI invocations. Using a prototype implementation based on the Apache Axis2 WSP, we show that ISO-WSP reduces the software complexity of trusted components by a factor of five, while incurring a modest performance overhead of a few milliseconds per request. We also show that existing applications can be migrated to run on ISO-WSP with minimal effort: a few tens of lines of new and modified code.


File-based Race Condition Attacks on Multiprocessors Are Practical Threat

2006, Wei, Jinpeng; Pu, Calton

TOCTTOU (Time-of-Check-to-Time-of-Use) attacks exploit race conditions in file systems. Although TOCTTOU attacks have been known for 30 years, they have been considered "low risk" because of their typically low probability of success, which depends on a fortuitous interleaving of the attacker and victim processes. For example, the recent discovery of a TOCTTOU vulnerability in vi showed a success rate in the low single-digit percentages for files smaller than 1MB. In this paper, we show that on a multiprocessor the uncertainties due to scheduling are reduced, and the success probability of the vi attack increases to almost 100% for files of 1 byte. Similarly, another recently discovered vulnerability in gedit, which had almost zero probability of success, reaches an 83% success rate on a multiprocessor. The main reason the success rate rises to near certainty is the speed-up of the attacker process when it runs on a dedicated processor. These case studies show the sharply increased risks that file-based race condition attacks such as TOCTTOU represent on the next generation of multiprocessors, e.g., those with multi-core processors.