Name Resolution Vulnerabilities

Name resolution converts names (e.g., /etc/passwd) into resources, such as files. However, adversaries share portions of the namespace with programs (e.g., /tmp), and use that shared namespace to attack victim programs running at higher privileges. Two broad classes of exploits are improper binding attacks and improper resource attacks.

In an improper binding attack, the adversary tricks a victim program into accessing a high-integrity (or high-secrecy) resource when it meant to access a low-integrity resource. Examples are symbolic link and hard link attacks.
Example: The adversary links /tmp/low_file to /etc/passwd. The victim opens /tmp/low_file but ends up operating on /etc/passwd.

In an improper resource attack, the adversary tricks a victim program into accessing a low-integrity resource when it meant to access a high-integrity resource. Examples are IPC/file squatting and untrusted search paths.
Example: The adversary places a malicious library in their home directory and waits for a victim program with an untrusted library search path to load it (perhaps when an administrator launches the program while in the adversary's home directory).
Both classes can also be exploited through time-of-check-to-time-of-use (TOCTTOU) race conditions: a program that checks a name (e.g., with lstat) and then uses it (e.g., with open) leaves a window in which the adversary can change what the name resolves to. Writing proper checks in programs to protect against these attacks is challenging for a variety of reasons.
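As an added example (not sting's code and not from the original page), the following C program plays out both attack classes described above in a scratch directory that stands in for /tmp, with an ordinary file standing in for /etc/passwd, and compares a naive open() with one hardened against a planted link and a squatted name. The names naive_open, safe_create, run_scenario and the stand-in file names are this example's own, and the scratch directory layout is constructed for the demonstration.

```c
#define _DEFAULT_SOURCE
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Victim-style open: follows a symlink at `path` (improper binding) and
 * reuses a file the adversary created first (improper resource / squatting). */
static int naive_open(const char *path)
{
    return open(path, O_WRONLY | O_CREAT, 0600);
}

/* Hardened open for a file the program intends to create itself in a shared
 * directory. O_EXCL refuses any pre-existing name; POSIX requires EEXIST even
 * when the name is a dangling symlink. O_NOFOLLOW is defence in depth. The
 * fstat() is done on the descriptor, not the path, so the check applies to
 * the object actually opened and leaves no check-then-use window. */
static int safe_create(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

struct outcome {
    int naive_wrote_target; /* 1 if naive_open() was redirected into the target */
    int safe_link_errno;    /* errno from safe_create() against the planted link */
    int naive_used_squat;   /* 1 if naive_open() reused the adversary's file */
    int safe_squat_errno;   /* errno from safe_create() against the squatted file */
};

/* Simulate the adversary the way sting does: plant a link to a look-alike of
 * /etc/passwd rather than to the real file, then watch what the victim does.
 * Returns 0 on success, -1 if setup failed (scratch directory not writable). */
static int run_scenario(struct outcome *out)
{
    char dir[PATH_MAX] = "/tmp/nameres-demo-XXXXXX";
    if (mkdtemp(dir) == NULL) {
        strcpy(dir, "./nameres-demo-XXXXXX"); /* fall back to the cwd */
        if (mkdtemp(dir) == NULL)
            return -1;
    }
    char target[PATH_MAX], low[PATH_MAX];
    snprintf(target, sizeof target, "%s/stand-in-for-passwd", dir);
    snprintf(low, sizeof low, "%s/low_file", dir);
    memset(out, 0, sizeof *out);

    int tfd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600); /* "high-integrity" file */
    if (tfd < 0) return -1;
    close(tfd);

    /* Improper binding: adversary links /tmp/low_file -> target. */
    if (symlink(target, low) != 0) return -1;
    int fd = naive_open(low);
    if (fd >= 0) {
        if (write(fd, "pwned\n", 6) != 6) { close(fd); return -1; }
        close(fd);
    }
    struct stat st;
    out->naive_wrote_target = (stat(target, &st) == 0 && st.st_size == 6);
    fd = safe_create(low);
    out->safe_link_errno = (fd < 0) ? errno : 0;
    if (fd >= 0) close(fd);
    unlink(low);

    /* Improper resource: adversary squats the name with their own regular file. */
    int sfd = open(low, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (sfd < 0) return -1;
    struct stat squat;
    if (fstat(sfd, &squat) != 0) { close(sfd); return -1; }
    close(sfd);
    fd = naive_open(low);
    out->naive_used_squat = (fd >= 0 && fstat(fd, &st) == 0 && st.st_ino == squat.st_ino);
    if (fd >= 0) close(fd);
    fd = safe_create(low);
    out->safe_squat_errno = (fd < 0) ? errno : 0;
    if (fd >= 0) close(fd);

    unlink(low); unlink(target); rmdir(dir);
    return 0;
}

int main(void)
{
    struct outcome o;
    if (run_scenario(&o) != 0) { perror("setup"); return 1; }
    printf("naive open followed planted link: %s\n", o.naive_wrote_target ? "yes (vulnerable)" : "no");
    printf("safe_create on planted link:      %s\n", strerror(o.safe_link_errno));
    printf("naive open reused squatted file:  %s\n", o.naive_used_squat ? "yes (vulnerable)" : "no");
    printf("safe_create on squatted file:     %s\n", strerror(o.safe_squat_errno));
    return 0;
}
```

Build with `cc -o nameres nameres.c` and run it as an ordinary user. Two caveats apply to safe_create: it only covers the case where the program creates the file itself (opening an existing file in a shared directory needs O_NOFOLLOW plus an ownership and type check on the returned descriptor instead of O_EXCL), and it only protects the final path component. Directory components under /tmp can still be swapped underneath the program between calls, which is why a robust implementation opens a trusted directory once and then uses openat() relative to that descriptor.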

Finding Name Resolution Vulnerabilities

sting is a grey-box, system-wide, online tester for finding such name resolution vulnerabilities in programs. It does this by dynamically simulating adversarial actions on the system namespace and evaluating the program's response. For example, if a program accesses /tmp/low_file, sting replaces it with a symbolic link to a stand-in for /etc/passwd (not /etc/passwd itself, but another file with the same properties). If the program later ends up writing to that file, it is vulnerable.

For more detail, see the publications page.


Please contact Hayawardh Vijayakumar for access to source code or questions about sting.


We gratefully acknowledge support from NSF grant CNS-0905343 and AFOSR grant FA9550-12-1-0166