A hash-based DOS attack on Btrfs
A hash-based DOS attack on Btrfs
Posted Dec 13, 2012 20:36 UTC (Thu) by masoncl (subscriber, #47138)Parent article: A hash-based DoS attack on Btrfs
But the looping is a real problem, and Pascal did a great job writing it up.
-chris
Posted Dec 13, 2012 21:46 UTC (Thu)
by rahulsundaram (subscriber, #21946)
[Link] (23 responses)
Posted Dec 13, 2012 22:14 UTC (Thu)
by masoncl (subscriber, #47138)
[Link] (22 responses)
I'm certainly happy to add a second hash function if there is a strong case for it, but so far I'm not convinced ;)
-chris
Posted Dec 13, 2012 22:52 UTC (Thu)
by therealmik (guest, #87720)
[Link] (20 responses)
While I guess server software, such as web servers, samba, etc could always store a random filename then create an index for it in a database, that's exactly what a directory is supposed to be doing anyway - and the database probably has the same vulnerability in whatever hash it uses.
So assuming that you come around to the fact that filename hash collisions are a bad thing, it leads us to:
- Directories probably need a random hash seed for their index (one for the whole FS probably won't cut it)
Posted Dec 13, 2012 23:06 UTC (Thu)
by masoncl (subscriber, #47138)
[Link] (19 responses)
1) Users share writable directories (either with each other or with admins)
Right?
Posted Dec 13, 2012 23:20 UTC (Thu)
by man_ls (guest, #15091)
[Link]
I would discard the original name and use a random filename, unless for some reason the original name was valuable for anything (e.g. for later user selection). Such use cases do exist, and besides there are many software packages that work this way. That using a new shiny filesystem would automatically convert them from ugly software to DoS targets is not admissible IMO.
Posted Dec 14, 2012 0:20 UTC (Fri)
by cyanit (guest, #86671)
[Link] (17 responses)
In addition to SipHash, taking the latest 64 bits of AES-CBC ciphertext of the zero-terminated filename should work and might be faster if the CPU can accelerate AES.
Posted Dec 14, 2012 0:48 UTC (Fri)
by wahern (subscriber, #37304)
[Link] (16 responses)
Siphash was designed for this exact scenario. Dan Bernstein isn't known for his lack of performance insights. The paper has gobs of analysis of performance characteristics.
Using a CRC as a hash is just stupid. And I say that as someone who learned that the hard way. People only used it because of the lack of a decent alternative--newer hashes like murmur, etc, didn't have enough proven guarantees to inspire confidence. Siphash was designed to be _the_ go to hash for data structures, with both decent performance and a rigorous security analysis.
Posted Dec 14, 2012 2:06 UTC (Fri)
by masoncl (subscriber, #47138)
[Link] (7 responses)
This isn't a new issue, reiserfs had a similar hashing scheme. Other hashes are different, but crc32c is implemented in hardware on newer CPUs, so there is a real performance benefit here.
-chris
Posted Dec 14, 2012 2:21 UTC (Fri)
by therealmik (guest, #87720)
[Link] (6 responses)
Another example would be somebody just wanting to hog a lot of in-kernel CPU time, and causing conflicts with their own filename, even though they're rate-limited by higher-level schemes (eg. server-level rate-limits).
Creating a conflict with a lock file created in the same directory is probably another example.
As a previous poster alluded, crc32c is good for detecting random corruption, not for hash tables or malicious corruption.
The CPU implementation of crc32c argument is also deeply flawed - extra tree walks are not worth the few cycles saved, as tree walks are vastly more expensive.
Remember that hash tables are only O(1) in a "perfect hash" scenario, so the hash table performance approaches what you'd expect from O(n) as the hash gets worse.
Posted Dec 14, 2012 3:30 UTC (Fri)
by davidescott (guest, #58580)
[Link] (5 responses)
Chris (if you are still monitoring the thread),
Given the current on disk layout where would the introduction of protections against this kind of attack introduce btrfs2?
Posted Dec 14, 2012 12:35 UTC (Fri)
by masoncl (subscriber, #47138)
[Link] (4 responses)
Salting etc are also more than possible. I personally don't think the hash makes the shared directories in any way secure, but I've been wrong many times before ;)
Posted Dec 14, 2012 16:09 UTC (Fri)
by cesarb (subscriber, #6266)
[Link]
But if the hash output is visible via telldir, the attacker can still find out the salt unless you are using strong crypto, which would not be very good for performance. I think the hash output is not visible via telldir on the ext* family.
You could play games like having a per-directory randomly chosen salt, but if you are getting to that point IMHO it is better to work on making the algorithms robust against degenerate edge cases.
Posted Dec 14, 2012 17:01 UTC (Fri)
by davidescott (guest, #58580)
[Link] (2 responses)
Hopefully nobody exports a "tell/read/seekdir" interface over php.
Posted Dec 14, 2012 17:35 UTC (Fri)
by dakas (guest, #88146)
[Link] (1 responses)
A CRC is not a cryptographic hash. Salting is useless, and identical prefixes have identical impact on the result.
Posted Dec 14, 2012 21:56 UTC (Fri)
by masoncl (subscriber, #47138)
[Link]
Posted Dec 14, 2012 2:13 UTC (Fri)
by cyanit (guest, #86671)
[Link] (7 responses)
Posted Dec 14, 2012 2:54 UTC (Fri)
by cyanit (guest, #86671)
[Link] (6 responses)
However, if other instructions can be scheduled by the out-of-order CPU in the meantime, then AES should be much faster, since the reciprocal throughput is actually 10 cycles on Sandy Bridge and should only take up one execution unit.
Without AES instructions things are most likely reversed.
Posted Dec 14, 2012 11:23 UTC (Fri)
by daniel (guest, #3181)
[Link] (4 responses)
Posted Dec 14, 2012 15:27 UTC (Fri)
by drag (guest, #31333)
[Link] (3 responses)
Posted Dec 15, 2012 2:11 UTC (Sat)
by daniel (guest, #3181)
[Link] (2 responses)
The most important result here is not the inappropriateness of CRC as a hash, but that Btrfs is a complex beast, still in development, a critical bug was just exposed, and likely a few more remain. Given wide enough testing and continued developer commitment it will become stable, but today it is not. From where I sit, it looks like Ext4 will be wearing its standard Linux filesystem crown for some time yet.
Posted Dec 15, 2012 6:17 UTC (Sat)
by SEJeff (guest, #51588)
[Link]
Posted Dec 15, 2012 13:18 UTC (Sat)
by vonbrand (subscriber, #4458)
[Link]
From a cursory look over, I'd say 220 *minutes* isn't just a bad hash degenerating to a linear search...
Posted Dec 15, 2012 2:46 UTC (Sat)
by wahern (subscriber, #37304)
[Link]
Posted Dec 14, 2012 10:30 UTC (Fri)
by robert_s (subscriber, #42402)
[Link]
Posted Dec 15, 2012 8:19 UTC (Sat)
by eupator (guest, #44581)
[Link] (1 responses)
The problem is far from being limited to such case. Besides the already mentioned unpacking of archives, mirroring remote directories is very common - consider rsync, recursive wget, or version control systems.
Posted Dec 15, 2012 17:49 UTC (Sat)
by Karellen (subscriber, #67644)
[Link]
Create a Linux patch series, preferably btrfs-related patches for maximum lulz, whose git SHA-1 ids (any blob, tree, or commit ids should be fine) end up generating filenames in the same object-subdirectory with CRC32 collisions, and send a pull request to lkml.
Hilarity ensues!
The object-subdirectory requirement means there's a 40-bit keyspace to search, rather than 32-bit, but one could probably find enough whitespace/punctuation entropy in comments to generate enough collisions to produce at least some effect, even if you can't find enough to lock up a system.
Also, AIUI, pull requests are unconventional and might be ignored, but if you send the patch series directly to the list, the implicit rebasing will destroy the object ids (and therefore the collisions) - unless all the collisions are in file blobs and none of the files have been touched before your patches are applied.
Anyone any idea how plausible/expensive that attack would be?
A hash-based DOS attack on Btrfs
A hash-based DOS attack on Btrfs
A hash-based DOS attack on Btrfs
- crc is not an appropriate hash, as even with a random seed an attacker can still cause collisions
A hash-based DOS attack on Btrfs
2) Blocking the creation of specific filenames causes problems
3) Blocking the creation of those filenames by creating a file with that name is not an issue
You are describing basically a server with file upload enabled, for example to upload user avatars. If the file already exists, just append .1 at the end and use that modified name as the key instead.
File uploads
A hash-based DOS attack on Btrfs
A hash-based DOS attack on Btrfs
A hash-based DOS attack on Btrfs
A hash-based DOS attack on Btrfs
A hash-based DOS attack on Btrfs
How would one go about strengthening the FS and making it more resistant to these kinds of attacks? I gather that BTRFS is capable of supporting other hashes -- what are the various options down the road? It it an option at filesystem creation time to use a more collision resistant hash? How big a hash can one use? If one had a hardware SHA-512 and wanted to waste the disk space could they? Are there ways to salt hashes using something secret in the directory structure? Could the Hash be replaced with red-black trees etc?
A hash-based DOS attack on Btrfs
A hash-based DOS attack on Btrfs
A hash-based DOS attack on Btrfs
A hash-based DOS attack on Btrfs
A hash-based DOS attack on Btrfs
A hash-based DOS attack on Btrfs
A hash-based DOS attack on Btrfs
A hash-based DOS attack on Btrfs
A hash-based DOS attack on Btrfs
A hash-based DOS attack on Btrfs
A hash-based DOS attack on Btrfs
A hash-based DOS attack on Btrfs
A hash-based DOS attack on Btrfs
A hash-based DOS attack on Btrfs
A hash-based DOS attack on Btrfs
> the hash. At the end of the day, I think that if someone has write
> permissions to your directory they can prevent creation of arbitrary files.
A hash-based DOS attack on Btrfs