Research Identifies Vulnerabilities in Operating Systems' File Systems
Quick take - A research paper from the University of California, Riverside, reveals significant vulnerabilities in modern operating systems’ file systems, particularly through the syncfs system call, which can be exploited to compromise application isolation and leak sensitive information, raising security and privacy concerns in multi-user environments.
Fast Facts
- Researchers from UC Riverside identified vulnerabilities in modern operating systems’ file systems that threaten application isolation, particularly through the syncfs system call.
- The study reveals that shared file system implementations are susceptible to timing leakage, allowing covert channel attacks that can infer I/O behavior of other applications.
- Experiments demonstrated that attacks could achieve bandwidths of 5 Kbps on Linux and 7.6 Kbps on Windows, with high accuracy in identifying application behaviors.
- The research highlights cross-container attacks that breach isolation in multi-user environments, raising significant security and privacy concerns.
- To mitigate these vulnerabilities, the authors propose redesigning syncfs, restricting access to high-resolution timers, and improving I/O buffer isolation.
Significant Vulnerabilities in Modern Operating Systems’ File Systems
A recent research paper from the University of California, Riverside, authored by Cheng Gu, Yicheng Zhang, and Nael Abu-Ghazaleh, has identified significant vulnerabilities in modern operating systems’ file systems. These vulnerabilities pose a threat to the logical isolation among applications.
Emerging Side Channels
The study highlights how operating systems use abstractions like processes and containers to protect against malicious or faulty code. However, the research identifies emerging side channels that can compromise this isolation. The file system’s role in managing input/output (I/O) activities between applications and physical storage devices is central to the research. The shared implementation of file systems is susceptible to timing leakage, especially when common I/O system calls are used.
The paper points out that modern operating systems perform flush operations to clear all I/O buffers, including those from other isolation domains. This creates potential vulnerabilities. A significant focus of the study is the syncfs system call, which is designed to flush all dirty pages associated with a file’s superblock.
Covert Channel Attacks
The researchers demonstrate a covert channel attack using syncfs. Because the call returns only after every dirty buffer on the shared file system has been written back, an attacker can time it to infer the I/O behavior of victim programs that share that file system. Experiments reveal that such a channel can achieve a bandwidth of 5 Kbps with a 0.15% error rate on Linux systems. On Windows systems, the bandwidth reaches 7.6 Kbps with a 1.9% error rate.
The paper also constructs three additional side-channel attacks targeting Linux and Android devices. These attacks achieve over 90% F1 score, precision, and recall. They exploit the write patterns of temporary buffering files for website fingerprinting, video fingerprinting, and application fingerprinting.
Security and Privacy Concerns
The research discusses cross-container attacks, providing a technique for container detection. It illustrates a covert channel attack that breaches isolation between containers sharing the same file system. This raises significant security and privacy concerns in multi-user operating systems and application software.
As background for their findings, the authors outline the design of Linux file systems. They detail the structure and function of the various I/O buffers involved, including the inode cache, page cache, and journal cache. The study highlights how different I/O operations, particularly write operations, can significantly increase syncfs latency, creating opportunities for information leakage.
The threat model presented in the paper assumes that a malicious application can invoke syncfs without special privileges, allowing it to infer sensitive information about other applications. The authors identify two primary leakage vectors through syncfs: profiling I/O system call footprints and inferring file write sizes based on latency patterns.
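The threat model above rests on an unprivileged process being able to call syncfs repeatedly and time it. A covert channel at the bandwidths reported here needs hundreds of syncfs calls per second, which is a pattern a defender can look for in kernel audit logs. The following is an added detection example written for this summary; it is not code from the paper or its authors. It assumes auditd is recording the call (for example with a rule such as `auditctl -a always,exit -F arch=b64 -S syncfs`), that the host is x86_64 where syncfs is syscall number 306 (other architectures use different numbers), and that the sample log lines, the per-second threshold, and the process names are all constructed for the example.

```python
import re
from collections import defaultdict

# Extracts the fields needed from an auditd SYSCALL record. Note the leading
# space before "pid=" so that the "ppid=" field is not matched by mistake.
AUDIT_RE = re.compile(
    r'type=SYSCALL msg=audit\((?P<ts>\d+\.\d+):\d+\): .*?syscall=(?P<nr>\d+) '
    r'.*? pid=(?P<pid>\d+) .*?comm="(?P<comm>[^"]*)"'
)

# Assumption: x86_64 syscall table. Adjust for other architectures.
SYNCFS_NR_X86_64 = 306


def parse_audit_line(line):
    """Return the timestamp, syscall number, pid and comm of a SYSCALL record,
    or None if the line is not a SYSCALL record we can parse."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    return {
        "ts": float(m.group("ts")),
        "nr": int(m.group("nr")),
        "pid": int(m.group("pid")),
        "comm": m.group("comm"),
    }


def detect_syncfs_bursts(lines, window=1.0, threshold=50, syscall_nr=SYNCFS_NR_X86_64):
    """Flag processes whose syncfs call count within any sliding window of
    `window` seconds exceeds `threshold`. Returns {pid: (comm, peak_count)}.
    The threshold is a constructed starting point, not a tuned value."""
    stamps_by_pid = defaultdict(list)
    comm_of = {}
    for line in lines:
        rec = parse_audit_line(line)
        if rec is None or rec["nr"] != syscall_nr:
            continue
        stamps_by_pid[rec["pid"]].append(rec["ts"])
        comm_of[rec["pid"]] = rec["comm"]

    flagged = {}
    for pid, stamps in stamps_by_pid.items():
        stamps.sort()
        peak, start = 0, 0
        # Two-pointer sweep: count calls inside the trailing window at each event.
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[pid] = (comm_of[pid], peak)
    return flagged


def _record(ts, nr, pid, comm):
    # Constructed auditd-style line; real records carry many more fields.
    return (
        f'type=SYSCALL msg=audit({ts:.3f}:{int(ts * 1000) % 100000}): arch=c000003e '
        f'syscall={nr} success=yes exit=0 a0=3 a1=0 a2=0 a3=0 items=0 '
        f'ppid=1 pid={pid} auid=1000 uid=1000 gid=1000 comm="{comm}" exe="/usr/bin/{comm}"'
    )


# Constructed sample log: a backup tool calling syncfs every 5 s (benign),
# a process calling syncfs 250 times in one second (covert-channel pattern),
# and an unrelated write() record that must be ignored.
SAMPLE_LOG = (
    [_record(1700000000.0 + i * 5.0, 306, 4242, "backup") for i in range(3)]
    + [_record(1700000000.0 + i * 0.004, 306, 5151, "probe") for i in range(250)]
    + [_record(1700000000.5, 1, 6161, "editor")]
)

if __name__ == "__main__":
    for pid, (comm, peak) in detect_syncfs_bursts(SAMPLE_LOG).items():
        print(f"pid={pid} comm={comm} peak syncfs calls per window={peak}")
```

The sliding-window count is deliberately simple: the signal the paper describes is a sustained high call rate from one process, and a per-window peak separates that from legitimate periodic flushes such as a backup job. In production the threshold would be set from a baseline of the host's normal syncfs rate, and the pid would be joined back to its container or session to tell whether the caller shares a file system with a sensitive workload.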
To mitigate the identified vulnerabilities, the paper proposes several strategies, including redesigning the syncfs system call, restricting access to high-resolution timers, and improving isolation within I/O buffers. The authors conclude by stressing the necessity for enhanced defenses against the vulnerabilities related to syncfs, underscoring the broader implications for system security in light of their findings.