1. Field of the Invention
The present invention generally relates to computer system security, and more specifically to a system and method for preserving data integrity in a computer system.
2. Description of the Related Art
TOCTTOU (Time-Of-Check-To-Time-Of-Use) is a well-known security problem. An illustrative example is the Unix command sendmail, which used to check for a specific attribute of a mailbox file (e.g., that it is not a symbolic link) before appending new messages. However, the check and the append do not form an atomic unit. Consequently, if an attacker (the mailbox owner) is able to replace his mailbox file with a symbolic link to /etc/passwd between sendmail's checking and appending steps, he can trick sendmail into appending e-mail to /etc/passwd. An attack message consisting of a syntactically correct /etc/passwd entry with root privileges would then give the attacker root access. TOCTTOU is a serious threat: in 11 of the TOCTTOU vulnerabilities reported between 2000 and 2004, the attacker was able to gain unauthorized root access. These cases cover a wide range of applications, from system management tools (e.g., /bin/sh, shar, tripwire) to user-level applications (e.g., gpm, the Netscape™ browser). TOCTTOU vulnerabilities affect many operating systems, including Conectiva™, Debian™, FreeBSD™, HP-UX™, Immunix™, MandrakeSoft™, RedHat™, Sun Solaris™, and SuSE™. TOCTTOU vulnerabilities are thus widespread and have serious consequences.
The sendmail example shows the structural complexity of a TOCTTOU attack, which requires (unintended) shared access to a file by the attacker and the victim (here, sendmail), plus two distinct steps (check and use) in the victim. This complexity, together with the non-deterministic nature of TOCTTOU attacks, makes detection difficult. For example, TOCTTOU attacks usually result in an escalation of privileges but no immediately recognizable damage. Furthermore, successful techniques for typical race-condition detection, such as static analysis, are not directly applicable, since the attacker's program is not available beforehand. Finally, TOCTTOU attacks are inherently non-deterministic and not easily reproducible, which also makes post-mortem analysis difficult. These difficulties are illustrated by the TOCTTOU vulnerabilities recently found in the vi and emacs commands, which appear to have been present since those venerable programs were created.
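The sendmail race described above, written out as an added example that is not part of the patent: the check-then-use pattern on a mailbox path beside a hardened form that opens the path once without following a final symlink and validates the descriptor with fstat(), so the check and the use refer to the same inode. The function names and the temporary-file fixture are constructions for this example.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
static int write_all(int fd, const char *msg)   /* append msg, then close fd */
{
    ssize_t n = write(fd, msg, strlen(msg));
    close(fd);
    return n == (ssize_t)strlen(msg) ? 0 : -1;
}
/* Vulnerable pattern from the text: lstat() checks the *name*; open() resolves
 * the *name* again, so a symlink swapped in between redirects the append. */
int unsafe_append(const char *mailbox, const char *msg)
{
    struct stat st;
    if (lstat(mailbox, &st) < 0 || S_ISLNK(st.st_mode)) return -1; /* check */
    /* ---- race window: the name may now refer to a different object ---- */
    int fd = open(mailbox, O_WRONLY | O_APPEND);                    /* use */
    return fd < 0 ? -1 : write_all(fd, msg);
}
/* Hardened pattern: resolve the name once without following a final symlink,
 * then validate the object actually opened via fstat() on the descriptor. */
int safe_append(const char *mailbox, const char *msg)
{
    int fd = open(mailbox, O_WRONLY | O_APPEND | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;            /* ELOOP when mailbox is a symlink */
    struct stat st;                   /* also reject hard-linked aliases */
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        return -1;
    }
    return write_all(fd, msg);
}
/* Constructed fixture: temp mailbox plus a symlink to it; 0 = expected result */
int run_demo(void)
{
    char dir[] = "/tmp/toctou_demoXXXXXX", box[64], lnk[64];
    if (!mkdtemp(dir)) return 1;
    strcpy(box, dir); strcat(box, "/mbox");
    strcpy(lnk, dir); strcat(lnk, "/mbox_link");
    int fd = open(box, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || symlink(box, lnk) < 0) return 2;
    close(fd);
    int rc = safe_append(box, "From alice\n") != 0 ? 3      /* regular file: ok */
           : safe_append(lnk, "From mallory\n") == 0 ? 4 : 0; /* symlink: refused */
    unlink(lnk); unlink(box); rmdir(dir);
    return rc;
}
```

The fstat() checks run on the descriptor rather than the path, which is what removes the window between check and use; an intrusion-detection approach, by contrast, would have to observe the two steps and the intervening file-system change.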
Therefore, it is desirable to have an apparatus and method that prevent race-condition vulnerabilities, and it is to such an apparatus and method that the present invention is primarily directed.