Title
[filesys.ts] [PDTS] Concerns with security and testability
Status
NAD Future
Section
[fs.scope]
Submitter
Google

Created on 2014-01-20.00:00:00 last changed 107 months ago

Messages

Date: 2016-01-28.01:00:35

[ 17 Jun 2014 Rapperswil LWG agrees NAD, Future with rationale as stated above. ]

Date: 2016-01-31.20:31:05

Addresses: filesys.ts

We have two primary concerns with the interface as specified:

(a) its interface repeats the mistake of V7 Unix in 1979 by exposing access checking (and similarly file creation) independently from opening and mutating the file, and

(b) it provides no realistic means of testing a software library which uses the standard interface for accessing the filesystem under fault scenarios.

Due to the extent of (a), TOCTTOU [1] security vulnerabilities are guaranteed, if not during access checking [2], during other common operations such as temporary file creation [3].

Due to (b) it is impossible to portably test libraries using the proposed interface against critical correctness and security edge cases.

[1]: TOCTTOU: Time-of-check-to-time-of-use. Operating system integrity in OS/VS2

[2]: Fixing Races for Fun and Profit: How to use access(2)

[3]: Checking for Race Conditions in File Accesses

[Beman Dawes: 10 Feb 2014: Suggested response: NAD, Future]

We share your concerns and look forward to receiving specific proposals to address them. Whether they will be addressed by a revision of TS 18822 or a new TS will be decided as proposals progress through the committee process. See How To Submit a Proposal.
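Concern (a) in concrete form, as an added example that is not code from this issue or from the Filesystem TS: the check-then-create pattern beside the atomic O_CREAT|O_EXCL form, with a deterministic reproduction of the window. The `between` hook, the `run_demo` driver and the `/tmp/tocttou_demo_XXXXXX` location are assumptions of this example, introduced so the race can be reproduced without a real concurrent process (which is also the kind of fault injection concern (b) says the interface does not allow).

```cpp
// Added example, not code from the LWG issue or the Filesystem TS.
#include <cerrno>
#include <cstdlib>
#include <fcntl.h>
#include <functional>
#include <string>
#include <unistd.h>

// Vulnerable: access(2) answers "does it exist?", a separate open() creates it.
// `between` is a hook assumed by this example; it runs inside the window so a
// concurrent writer can be simulated. "true" only means open() returned an fd.
bool create_private_file_racy(const std::string& path,
                              const std::function<void()>& between) {
    if (::access(path.c_str(), F_OK) == 0) return false;      // check ...
    between();                                                // the window
    int fd = ::open(path.c_str(), O_WRONLY | O_CREAT, 0600);  // ... then use
    if (fd < 0) return false;
    ::close(fd);
    return true;
}

// Hardened: O_CREAT|O_EXCL makes the existence test and the creation one atomic
// kernel operation; it fails with EEXIST even when the path is a symlink.
bool create_private_file_atomic(const std::string& path, int* err) {
    int fd = ::open(path.c_str(), O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) { *err = errno; return false; }
    ::close(fd);
    *err = 0;
    return true;
}

struct DemoResult { bool racy_claimed_success; bool atomic_succeeded; int atomic_errno; };

// Both variants against a fresh temp directory; a simulated concurrent writer
// plants the same path inside the racy variant's window.
DemoResult run_demo() {
    char tmpl[] = "/tmp/tocttou_demo_XXXXXX";               // constructed path
    char* dir = ::mkdtemp(tmpl);
    if (!dir) return {false, false, errno};
    std::string path = std::string(dir) + "/private.tmp";
    DemoResult r{};
    r.racy_claimed_success = create_private_file_racy(path, [&] {
        int fd = ::open(path.c_str(), O_WRONLY | O_CREAT, 0644);  // planted file
        if (fd >= 0) ::close(fd);
    });
    r.atomic_succeeded = create_private_file_atomic(path, &r.atomic_errno);
    ::unlink(path.c_str());
    ::rmdir(dir);
    return r;
}
```

The racy variant reports success although the file it opened was planted after its check; the atomic variant refuses with EEXIST, which is the signal a caller can act on.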

History
Date                 User   Action  Args
2016-01-28 01:00:35  admin  set     messages: + msg7888
2014-01-20 00:00:00  admin  create