File names on many operating systems, including Windows and UNIX, may be used to access special files, which are actually devices. Reserved Microsoft Windows device names include
LPT1 or paths using the
\\.\ device namespace. Device files on UNIX systems are used to apply access rights and to direct operations on the files to the appropriate device drivers.
Performing operations on device files that are intended for ordinary character or binary files can result in crashes and denial-of-service attacks. For example, when Windows attempts to interpret the device name as a file resource, it performs an invalid resource access that usually results in a crash [Howard 2002].
Device files in UNIX can be a security risk when an attacker can access them in an unauthorized way. For example, if attackers can read or write to the
/dev/kmem device, they may be able to alter the priority, UID, or other attributes of their process or simply crash the system. Similarly, access to disk devices, tape devices, network devices, and terminals being used by other processes can lead to problems [Garfinkel 1996].
On Linux, it is possible to lock certain applications by attempting to open devices rather than files. Consider the following example:
A Web browser that failed to check for these devices would allow an attacker to create a website with image tags such as
<IMG src="file:///dev/mouse"> that would lock the user's mouse [Howard 2002].
Noncompliant Code Example
In this noncompliant code example, the user can specify a locked device or a FIFO (first-in, first-out) file name, which can cause the program to hang on the call to
Compliant Solution (POSIX)
POSIX defines the
O_NONBLOCK flag to
open(), which ensures that delayed operations on a file do not hang the program [IEEE Std 1003.1:2013].
When opening a FIFO with
O_NONBLOCKis set, an
open()for reading-only returns without delay. An
open()for writing-only returns an error if no process currently has the file open for reading.
O_NONBLOCKis clear, an
open()for reading-only blocks the calling thread until a thread opens the file for writing. An
open()for writing-only blocks the calling thread until a thread opens the file for reading.
When opening a block special or character special file that supports nonblocking opens:
O_NONBLOCKis set, the
open()function returns without blocking for the device to be ready or available; subsequent behavior is device-specific.
O_NONBLOCKis clear, the
open()function blocks the calling thread until the device is ready or available before returning.
Otherwise, the behavior of
Once the file is open, programmers can use the POSIX
fstat() functions to obtain information about a file and the
S_ISREG() macro to determine if the file is a regular file.
Because the behavior of
O_NONBLOCK on subsequent calls to
write() is unspecified, it is advisable to disable the flag after it has been determined that the file in question is not a special device.
When available (Linux 2.1.126+, FreeBSD, Solaris 10, POSIX.1-2008), the
O_NOFOLLOW flag should also be used. (See POS01-C. Check for the existence of links when dealing with files.) When
O_NOFOLLOW is not available, symbolic link checks should use the method from POS35-C. Avoid race conditions while checking for the existence of a symbolic link.
This code contains an intractable TOCTOU (time-of-check, time-of-use) race condition under which an attacker can alter the file referenced by
file_name following the call to
lstat() but before the call to
open(). The switch will be discovered after the file is opened, but opening the file cannot be prevented in the case where this action itself causes undesired behavior. (See FIO45-C. Avoid TOCTOU race conditions while accessing files for more information about TOCTOU race conditions.)
Essentially, an attacker can switch out a file for one of the file types shown in the following table with the specified effect.
File Types and Effects
Note on Effect
Another regular file
To be compliant with this rule and to prevent this TOCTOU race condition,
file_name must refer to a file in a secure directory. (See FIO15-C. Ensure that file operations are performed in a secure directory.)
Noncompliant Code Example (Windows)
This noncompliant code example uses the
GetFileType() function to attempt to prevent opening a special file:
Although tempting, the Win32
GetFileType() function is dangerous in this case. If the file name given identifies a named pipe that is currently blocking on a read request, the call to
GetFileType() will block until the read request completes. This provides an effective attack vector for a denial-of-service attack on the application. Furthermore, the act of opening a file handle may cause side effects, such as line states being set to their default voltage when opening a serial device.
Compliant Solution (Windows)
Microsoft documents a list of reserved identifiers that represent devices and have a device namespace to be used specifically by devices [MSDN]. In this compliant solution, the
isReservedName() function can be used to determine if a specified path refers to a device. Care must be taken to avoid a TOCTOU race condition when first testing a path name using the
isReservedName() function and then later operating on that path name.
Could detect some violations of this rule. This rule applies only to untrusted file name strings, and ROSE cannot tell which strings are trusted and which are not. The best heuristic is to note if there is any verification of the file name before or after the
Protect against file name injection
|Polyspace Bug Finder|
|CERT C: Rule FIO32-C||Checks for inappropriate I/O operation on device files (rule partially covered)|
|4921, 4922, 4923||Enforced by QAC|
4921, 4922, 4923
Key here (explains table format and definitions)
|CERT C Secure Coding Standard||FIO05-C. Identify files using multiple file attributes||Prior to 2018-01-12: CERT: Unspecified Relationship|
|CERT C Secure Coding Standard||FIO15-C. Ensure that file operations are performed in a secure directory||Prior to 2018-01-12: CERT: Unspecified Relationship|
|CERT C Secure Coding Standard||POS01-C. Check for the existence of links when dealing with files||Prior to 2018-01-12: CERT: Unspecified Relationship|
|CERT C Secure Coding Standard||POS35-C. Avoid race conditions while checking for the existence of a symbolic link||Prior to 2018-01-12: CERT: Unspecified Relationship|
|CERT Oracle Secure Coding Standard for Java||FIO00-J. Do not operate on files in shared directories||Prior to 2018-01-12: CERT: Unspecified Relationship|
CERT-CWE Mapping Notes
Key here for mapping notes
CWE-67 and FIO32-C
FIO32-C = Union( CWE-67, list) where list =
- Treating trusted device names like regular files in Windows.
- Treating device names (both trusted and untrusted) like regular files in POSIX
|[Garfinkel 1996]||Section 5.6, "Device Files"|
|[Howard 2002]||Chapter 11, "Canonical Representation Issues"|
|[IEEE Std 1003.1:2013]||XSH, System Interfaces, |