In this assignment you will analyze the bugs in your security layer from [wiki:EducationalAssignments/ProtectFilePartOne ProtectFilePartOne] and fix them. You may want to use test cases from [wiki:EducationalAssignments/ProtectFilePartTwo ProtectFilePartTwo] to help identify these bugs.
In this assignment you are fixing your reference monitor. You have been sent a bunch of test programs that try to compromise your reference monitor. Your job will be to determine where your reference monitor failed, and fix it to ensure an attacker cannot circumvent the security layer.
-
The reference monitor needs to track the state of the information on disk, but cannot re-read it for every access (due to efficiency concerns). A common mistake is when the attacker can cause the reference monitor’s state to diverge from the underlying system’s state, especially in error conditions. The reference monitor and disk's states should be in sync.
-
Time-of-check-to-time-of-use (TOCTTOU) bugs and other types of race conditions are a fairly common oversight for students. Some students write test cases that attempt to trigger a race condition to exploit these problems. This can result in essentially any sort of attack, even infinite loops in the reference monitor in some cases.
-
Some reference monitors inappropriately share state for different files. An attacker may be able to exploit this and cause security and accuracy issues.
-
Many reference monitors had accuracy or security bugs as a result of not properly following the instructions.
def writeat(self, data, offset):
if offset == 0 and self.filename.startswith("private_"):
if data == "INV":
INVBUFFER.append(self.filename)
# remove the file from the PERBUFFER if it exists
try:
PERBUFFER.remove(self.filename)
except ValueError:
pass
elif data == "PER":
PERBUFFER.append(self.filename)
# remove the file from the INVBUFFER if it exists
try:
INVBUFFER.remove(self.filename)
except ValueError:
pass
return self.file.writeat(data, offset)
Let's analyze some of the bugs in this implementation.
According to the specifications in [wiki:EducationalAssignments/ProtectFilePartOne ProtectFilePartOne], a private_ file should not be visible with the listfiles() call if its contents start with "INV". The above code checks whether "INV" is being written at offset 0. What happens when there is a write at offset 1 or 2 which causes the first three characters in the file to become "INV"? This condition is not covered in the above code and will cause a file that may need to be invisible to be listed when listfiles() is called.
Consider another situation where data
contains "INVISIBLE" which is to be written at offset 0 to a private_ file. In this case, at if data == "INV":
, the condition fails as a result of which the file will not be added to INVBUFFER and would be listed when listfiles() is called even though the first three characters in the file are "INV". The if statement should've compared only the first three characters of data
with "INV" instead of the entire string.
- Turn in the reference monitor that you have fixed. The name of the reference monitor should be in the form of reference_monitor_netid.r2py, e.g. reference_monitor_ab321.r2py. All letters must be lowercase.
- In addition to your reference monitor, fill in the form given on the in Assignment 2 Part 3 instruction page. You can submit the form only once so be sure to submit it properly in the first time.