CSC 2045: File I/O and Race Conditions

Questions and Answers

What does the guideline SL.io.1 suggest regarding input methods in C++?

• Avoid character-level input unless necessary. (correct)
• Use character-level input for all cases.
• Prioritize low-level input for efficiency.
• Always use C-Strings for file handling.

What is a key reason for preferring iostreams for I/O as highlighted in SL.io.3?

• Iostreams are complex and less flexible.
• Iostreams are considered safe, flexible, and extensible. (correct)
• Iostreams are a deprecated feature of C++.
• Iostreams are slower compared to other methods.

What is the primary reason to avoid using std::endl?

• It flushes the output buffer unnecessarily. (correct)
• It introduces more memory usage.
• It causes a buffer overflow.
• It makes the program slower.

What happens to a file when a file object goes out of scope?

The destructor automatically closes it. (B)

What can occur if you alternate input and output on a file stream without an intervening positioning call?

This will cause undefined behavior. (D)

What should be done to avoid exhausting system resources with file operations?

Close all files explicitly when they are no longer needed. (A)

What do race conditions in programming refer to?

Order of execution affecting program behavior. (D)

What is the recommended practice when using file streams in C++?

Close files even if the destructor will handle it. (D)

Which scenario could lead to a race condition?

Updating a variable in two different threads without synchronization. (B)

Why is it best practice to close files explicitly in large applications?

To avoid holding onto system resources longer than necessary. (C)

What should be prohibited to avoid potential filename manipulation by untrusted users?

Including the '../' sequence in filenames (A)

Why should the '/' character be excluded from legal filename characters?

It acts as a delimiter for directory structures (D)

What is a key requirement for a program that takes directions from a file controlled by untrusted users?

The file and its directories should be protected from unauthorized modification. (B)

What must a program do with inputs from a file if the user is untrusted?

Perform checks to ensure values are among a set of legal values. (C)

What should be checked to prevent security issues when reading input from a file with untrusted users?

Values must match a predefined set of legal values and buffer safety. (A)

What happens if an output file stream connects to an existing file?

The file is wiped and replaced (D)

What is the consequence of not performing error checking while working with file streams?

It may lead to unnoticed failures during file operations (C)

What is the primary purpose of using the ifstream object when working with files?

To create a file that defaults to input operations. (A)

What is the purpose of the ofstream object in file handling?

To create a file that defaults to output operations. (A)

What is a key advantage of using the fstream object over ifstream and ofstream alone?

It combines input and output capabilities in a single file object. (C)

What is a fundamental issue with not considering race conditions in programming?

It can cause a process to access incorrect data. (B)

What is a primary characteristic of race condition errors?

They arise from concurrent access to shared resources. (C)

What does the Time of Check Time of Use (TOCTOU) error exploit?

The delay between checking a condition and acting on it. (A)

What is one impact of TOCTOU vulnerabilities?

Denial-of-service attacks or incorrect data modification. (A)

In which scenario is a TOCTOU vulnerability most likely to occur?

During file-system access where a file's state might change. (C)

Flashcards

What is a string?

A sequence of characters, often used to represent text or data.

What is a race condition?

A programming error that occurs when a program accesses data that is no longer valid or has been modified by another part of the program.

What is a TOCTOU error?

A program or system vulnerability that arises from the timing of actions and the potential for conflicting data access.

What is exception handling?

A programming technique where a program explicitly checks for potential errors and handles them gracefully, preventing program crashes and unexpected behavior.

What are C++ Core Guidelines?

A set of guidelines designed to promote code quality, performance, and security in C++ development.

Why avoid std::endl for std::cin/std::cout?

std::endl is a manipulator that adds a new line and flushes the output buffer. Flush means to write the buffered data to the destination. However, using std::endl for standard input/output (std::cin/std::cout) is unnecessary and slows down the performance because flushing is already handled automatically. std::endl is also overkill for writing to files, where explicit flushing is rarely needed.

Why is std::endl unnecessary for std::cin/std::cout?

When you use std::endl for standard output, it adds a new line and flushes the output buffer. Flushing means that the buffered data gets written to the destination (usually screen or file). For standard input/output (std::cin/std::cout), flushing is unnecessary because it is already handled automatically. Therefore, using std::endl in this context only adds extra overhead, slowing down your program.

Why do we close files implicitly in C++ with iostreams?

When you open a file using iostreams, you don't need to explicitly close it like in C's stdio library. C++'s destructor handles closing the file when the object goes out of scope. However, it's generally a good practice to close files explicitly to release the resource and prevent resource leaks.

Why is alternating input and output on a file stream without positioning call undefined behavior?

In C++, when you open a file for input or output using iostreams, you should avoid alternating reading and writing operations without explicit positioning or flushing. Doing so can result in undefined behaviour. For instance, don't read from a file and then write to the same file without moving the file pointer using a function such as seekg or seekp.

Why should you close files explicitly?

To avoid resource exhaustion and ensure that data stored in the file buffer is flushed to the file, close files explicitly when you are finished with them. This is especially important for programs that might run for a long time, as remaining open files can prevent other processes from using those files after the program has finished.

Why should you avoid alternating input and output on a file stream?

When dealing with a file opened for both input and output, it's important to avoid interleaving input and output operations without using positioning functions (seekg or seekp) or flushing the stream. Doing so leads to undefined behaviour, as the file pointer's position gets affected, and the program's actions become unpredictable.

Are std::cin and std::cout synchronised with printf?

Using std::cout and std::cin for standard input and output in C++ is generally synchronised with printf. This means their actions automatically work together. For example, if you use printf after standard output, the output buffer for std::cout will be flushed before printf executes.

How does synchronization between std::cin/std::cout and printf work?

Standard input and output (std::cin/std::cout) are typically synchronized with C's printf library. This implies that when you use std::cout, it is automatically in sync with printf's behaviour.

File Name Vulnerabilities

File names, especially those with special characters or sequences like ".." or "*", can be used to exploit vulnerabilities in programs, allowing attackers to access or modify sensitive information.

How File Name Vulnerabilities Impact Programs

A program that uses special characters or sequences in file names to exploit vulnerabilities can cause significant problems, including data loss, system compromise, or denial-of-service attacks.

Mitigating File Name Vulnerabilities

Restricting the allowed characters in file names can help mitigate vulnerabilities by preventing the use of special characters or sequences that could be exploited.

Globbing: A Potentially Dangerous Feature

It is generally unsafe to enable "globbing" (wildcard matching) for file names, as it can greatly increase the computational time and resources needed to process file names, potentially leading to a denial-of-service attack.

Using Separate Processes for File Operations

Using a separate process with resource limits for handling file name operations can help mitigate the risks associated with "globbing" by preventing resource exhaustion or denial-of-service attacks.

Untrusted File Content

A program should treat file contents as potentially untrusted, even if they are from a trusted user. This is especially true if an untrusted user can modify the file's contents or its directory.

Validating Untrusted Inputs

If a program receives instructions from an untrusted user through a file, it must carefully validate those instructions. This includes checking if values are within the expected range and preventing buffer overflows.

File Content Trust

A program should not assume that file contents are trustworthy, even if they come from a source believed to be reliable. File contents can be corrupted or altered by external factors or even by malicious users.

Directly Controlled File Content

A program should not trust file contents that are directly controlled by untrusted users. This means that the program should never blindly execute instructions or process data from a file sourced from an untrusted user.

File Security Considerations

When a program receives directions from a file, the security of the file's contents must be carefully considered. If the file is controlled by an untrusted user, the program must be extra cautious in handling its contents, validating inputs, and preventing potential security vulnerabilities.

ifstream (Input File Stream)

A file stream object used for reading data from a file. It connects your program to an existing file, allowing you to read information from it.

ofstream (Output File Stream)

A file stream object used for writing data to a file. It connects your program to a file, allowing you to write information to it.

fstream Library

C++ allows file operations to be performed using the 'fstream' library. This library provides several functions for handling file input and output, making it easy to work with data stored in files.

Member Function

A function associated with a specific type of object. For example, the 'open()' function is a member function of the 'ifstream' object, allowing you to open a file for reading

Open Function

The 'open()' function is used to connect a file stream object (like 'ifstream' or 'ofstream') to a specific file. It allows your program to start reading from or writing to the chosen file.

File iostream

A class that allows you to open and interact with files in C++.

How to Open & Close files in C++

Opening a file is as simple as creating an object. You don't need explicit closing; the destructor handles it when the object goes out of scope.

ifstream

A file stream that primarily focuses on reading data from files. (Input)

ofstream

A file stream primarily focused on writing data to files. (Output)

fstream

A file stream that can perform both input and output operations.

Time of Check - Time of Use (TOCTOU) Race Condition

A potential security issue that arises when the timing of actions and data access can lead to conflicting results. It occurs when a program checks the validity of data at one point in time, but uses that data at a later point when it might be outdated or modified by another process.

Sticky Bit in Unix Directories

A technique used to protect shared resources in multi-user environments. It involves setting the 'sticky bit' on a directory, which prevents users from deleting or renaming files within that directory unless they are the file owner or have special privileges.

Exception Handling

A programming technique where a program explicitly checks for potential errors and handles them gracefully, preventing program crashes and unexpected behavior.

C++ Core Guidelines

A set of guidelines designed to promote code quality, performance, and security in C++ development.

Race Condition

A programming error that occurs when multiple threads or processes access and modify shared resources concurrently, leading to unpredictable and potentially incorrect results.

TOCTOU (Time of Check - Time of Use)

A type of race condition where a program checks a condition and then performs an action based on that condition, but the condition might change between the check and the action.

TOCTOU Vulnerability

Vulnerabilities that exploit TOCTOU errors, leading to unpredictable program behavior, data loss, security breaches, or denial-of-service attacks.

Preventing TOCTOU Vulnerabilities

Techniques like atomic operations, locking mechanisms, and careful program design to avoid unnecessary steps. These techniques help prevent TOCTOU errors by ensuring that the system's state remains consistent during critical operations.

TOCTOU Mitigation Strategies

Strategies to minimize TOCTOU vulnerabilities, including using locks to control access to shared resources, using atomic operations where suitable, verifying resource states before performing operations, and implementing timeouts to limit the duration of critical operations.

Study Notes

Course Information

• Course name: CSC 2045
• Topic: File I/O and Race Conditions

Objectives

• Implement fixes for File I/O vulnerabilities
• Identify and analyze race conditions
• Establish rules for secure systems, preventing undefined behaviors and exploitable vulnerabilities

Agenda (Week 9)

• File names and contents
• C++ file handling
• C++ Core Guidelines for file I/O
• File input and output streams
• Alternating I/O on file streams
• Explicit file closing
• Race conditions defined
• Race condition examples
• TOCTOU errors

File Names and File Contents

• Review section 5.6: https://dwheeler.com/secure-programs/Secure-Programs-HOWTO/file-names.html
• Review section 5.7: https://dwheeler.com/secure-programs/Secure-Programs-HOWTO/file-contents.html
• Identify vulnerabilities in file names and contents.
• Students should respond to a vulnerability identification prompt.

C++ File Handling

• Complete the module, answering questions.
• Use std::ios_base for failure exception handling in C++11 and later.
• std::string is compatible with std::ifstream and std::ofstream file names; C-strings are not needed.

I/O Considerations

• Avoid character-level input unless necessary; it leads to error-prone and inefficient token composition.
• Consider ill-formed input during reading operations.
• Prioritize using iostreams for I/O; they are safe, flexible, and extensible.
• Usage of std::cin and std::cout is by default synchronized with printf.
• Avoid std::endl since it performs unnecessary flushes; use \n for newlines instead.

File Input and Output Streams

• File manipulation with iostreams is safer than stdio.
• File objects are managed automatically by constructors and destructors.
• Close files explicitly to prevent resource leaks; this is crucial for large programs.
• Holding resources in a long-running program can prevent other processes from accessing them.
• Failing to close files may also allow an attacker to exhaust system resources.
• Explicitly closing files ensures resources are released, improving program security and system stability. Not closing files can lead to processes being unable to access resources and system-wide issues.

Alternating I/O on File Streams

• Alternately inputting and outputting from a stream without intervening operations on the stream (such as flushes or positioning calls) results in undefined behavior.

Explicit File Closing

• Call std::basic_filebuf<T>::open() and std::basic_filebuf<T>::close() in the appropriate way.
• Close files before the last pointer that stores the return is out of scope.
• Close files before program termination.
• Failing to close files may lead to resource exhaustion and data corruption. This can also hinder other processes from accessing these files.
• Proper and timely file closure prevents resource conflicts and safeguards data integrity.

Race Conditions Defined

• Race conditions arise from changes in the order of events; the specific order may affect the program's outcome.
• Critical for proper functioning of a program is the correct execution order of events.
• Exploitable race conditions can lead to security vulnerabilities such as malicious code injection or alterations to file names.
• Race conditions can be exploited to disrupt program logic and compromise security.

Race Condition Code Vulnerability

• Race conditions occur due to unsynchronized scheduling dependencies between multiple threads.
• Unsynchronized threads can lead to unexpected and potentially harmful security outcomes, impacting sequence and correctness.
• Errors and security exploits can originate from unsynchronized thread operation within a multi-threaded program.

Race Condition Mitigated

• Developers manage thread synchronization to prevent race conditions.
• Use the atomic header file for safe access to shared data.
• Atomic types (in the atomic header) ensure thread safety by guaranteeing that access to a variable is not interrupted by another thread. This prevents data races. Using atomic data types can synchronize memory accesses among different threads, helping prevent conflicts and unpredictability.
• Efficient implementation of thread synchronization strategies like using atomic types mitigates race conditions.

Examples of Race Conditions

• Infinite loops prevent program completion.
• Deadlocks occur when resources aren't released; processes become blocked waiting for the release of resources, hindering progress.
• Resource collisions happen when multiple processes try to access the same resource simultaneously without proper synchronization, leading to resource corruption or privilege escalations; this can cause errors and uncontrolled changes to data.
• Resource conflicts and unexpected situations due to improper synchronization create vulnerabilities.
• Examples include infinite loops, deadlocks, and resource collisions. (Detailed examples provided in the notes, including infinite loops, deadlocks, and resource collisions impacting program functioning)

Time Check Versus Time of Use

• Applications often check conditions before acting, like verifying a file exists before writing to it.
• A gap between the check and action can lead to vulnerabilities; this gap can be exploited by a malicious actor.
• This is a time-of-check to time-of-use (TOCTOU) error.
• TOCTOU errors exploit the temporal difference between checking and using a resource.

TOCTOU

• TOCTOU errors are race conditions.
• Time-of-check is when a process checks a shared resource; this check might return true at the TOC. A condition might be true at this one point in time.
• Time-of-use is when a process uses a shared resource; this use might happen after the state of the resource changes, rendering the prior check invalid. The true state at time of use might not be the observed state at the time of check.
• State changes between TOC and TOU invalidate prior checks and can result in unexpected behavior and potentially security exploits.
• TOCTOU vulnerabilities might allow an attacker to exploit the gap between the checking and using of a resource, degrading the security of a program.
• The vulnerability stems from a race condition in which a resource changes state between a check and a use.

Avoid Race Conditions

• Review Section 7.11: https://dwheeler.com/secure-programs/Secure-Programs-HOWTO/avoid-race.html
• Implementing correct resource management and synchronisation is crucial for preventing race conditions. Understanding various types of race conditions allows for better preparedness and mitigation.