Title: Paper notes: Midas: Systematic Kernel TOCTTOU Protection
Date: 2022-09-10 16:30

- Complete title: Midas: Systematic Kernel TOCTTOU Protection
- PDF: [310cd6ee26f6804946ef4c22b95c422a075d062f_sec22-bhattacharyya.pdf]({static}/files/papers/310cd6ee26f6804946ef4c22b95c422a075d062f_sec22-bhattacharyya.pdf)

Yet another cool paper from the [HexHive](https://hexhive.epfl.ch) people ([Mathias Payer](https://en.wikipedia.org/wiki/Mathias_Payer) ♥)
with [Uroš Tešić from Nvidia](https://github.com/UrosTesic).
The main idea is to mitigate [TOCTTOU](https://en.wikipedia.org/wiki/Time-of-check_to_time-of-use)
races (double fetches) that happen in kernel-land when the Linux kernel accesses
userland memory, by making the userspace objects a syscall touches immutable for
the lifetime of that syscall. This is done by instrumenting functions like
`copy_from_user`/`copy_to_user`/`mm_populate`/… and by using page-table faults to
detect concurrent userspace writes.

1. Snapshot the page on the first kernel read.
2. Serve later kernel reads from the snapshot.
3. Duplicate the page on a concurrent userspace write, so the write lands in the duplicate.
4. Discard the snapshot when the syscall finishes.
5. Commit the last-written-to page, so the write becomes visible once the syscall has returned.
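
The five steps above, as a user-space model added here for illustration (it is
neither Midas's code nor the kernel's): one struct stands in for the user page
holding a syscall argument, a hypothetical `struct midas_ctx` stands in for the
per-page protection metadata, and a callback models the attacker's thread being
scheduled between the kernel's check and its use. The classic double-fetch
handler is shown beside the same handler with every user access routed through
the snapshot.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One struct stands in for the user page that holds a syscall argument;
 * the request layout is a constructed example, not a real kernel ABI. */
struct user_req {
    uint32_t len;
    char data[64];
};

#define KBUF 64

/* Per-page protection state: a hypothetical stand-in for Midas's metadata. */
struct midas_ctx {
    struct user_req *live;     /* the mapping the user process sees */
    struct user_req snapshot;  /* frozen copy the kernel reads during the syscall */
    struct user_req dup;       /* where a concurrent user write is diverted */
    bool snapshotted;
    bool written;
};

/* Steps 1 and 2: snapshot on the first kernel read, serve later reads from it. */
static void midas_copy_from_user(struct midas_ctx *c, void *dst, size_t off, size_t n)
{
    if (!c->snapshotted) {
        c->snapshot = *c->live;
        c->snapshotted = true;
    }
    memcpy(dst, (const char *)&c->snapshot + off, n);
}

/* Step 3: a user write that lands while the page is snapshotted goes to a
 * duplicate. In the real kernel the snapshotted page is write-protected and
 * this would be the write-fault path; in the model the writer simply calls in. */
static void user_write(struct midas_ctx *c, size_t off, const void *src, size_t n)
{
    if (c->snapshotted) {
        if (!c->written) {
            c->dup = *c->live;
            c->written = true;
        }
        memcpy((char *)&c->dup + off, src, n);
    } else {
        memcpy((char *)c->live + off, src, n);   /* no syscall in flight: plain write */
    }
}

/* Steps 4 and 5: drop the snapshot and make the written duplicate the live page. */
static void midas_syscall_exit(struct midas_ctx *c)
{
    if (c->written)
        *c->live = c->dup;
    c->snapshotted = false;
    c->written = false;
}

/* The attacker's thread: bump len after the kernel has validated it. */
static void attacker_bumps_len(struct midas_ctx *c)
{
    uint32_t big = 1000;
    user_write(c, offsetof(struct user_req, len), &big, sizeof big);
}

/* Classic double fetch: len is read once for the check and again for the copy.
 * Returns the length the copy step used; anything above KBUF means the check
 * was bypassed (a real kernel would overflow kbuf here; the model only clamps). */
static int sys_double_fetch(struct midas_ctx *c, void (*race)(struct midas_ctx *))
{
    char kbuf[KBUF];
    uint32_t len = c->live->len;                 /* fetch 1: bounds check */
    if (len > KBUF) return -1;
    race(c);                                     /* attacker gets scheduled */
    len = c->live->len;                          /* fetch 2: used for the copy */
    memcpy(kbuf, c->live->data, len > KBUF ? KBUF : len);
    return (int)len;
}

/* Same handler with every user access routed through the snapshot. */
static int sys_double_fetch_midas(struct midas_ctx *c, void (*race)(struct midas_ctx *))
{
    char kbuf[KBUF];
    uint32_t len;
    midas_copy_from_user(c, &len, offsetof(struct user_req, len), sizeof len);
    if (len > KBUF) { midas_syscall_exit(c); return -1; }
    race(c);                                     /* write is diverted to the duplicate */
    midas_copy_from_user(c, &len, offsetof(struct user_req, len), sizeof len);
    midas_copy_from_user(c, kbuf, offsetof(struct user_req, data), len);
    midas_syscall_exit(c);                       /* now the write becomes visible */
    return (int)len;
}

/* Run one scenario on a fresh page: returns the len the copy used and, via
 * *final_len, what user space sees once the syscall has returned. */
static int run_demo(bool protect, uint32_t *final_len)
{
    struct user_req page = { .len = 16, .data = "sixteen bytes!!" };
    struct midas_ctx c = { .live = &page };
    int used = protect ? sys_double_fetch_midas(&c, attacker_bumps_len)
                       : sys_double_fetch(&c, attacker_bumps_len);
    *final_len = page.len;
    return used;
}

static int demo_used_len(bool protect) { uint32_t f; return run_demo(protect, &f); }
static uint32_t demo_final_len(bool protect) { uint32_t f; run_demo(protect, &f); return f; }

int main(void)
{
    printf("unprotected: check saw 16, copy used %d\n", demo_used_len(false));
    printf("midas:       copy used %d, user sees len %u after exit\n",
           demo_used_len(true), demo_final_len(true));
    return 0;
}
```

In the unprotected run the copy uses the attacker's 1000 while the check saw 16;
in the protected run both fetches see the snapshot's 16, and only after
`midas_syscall_exit` does the page show len 1000, which is the "commit the
last-written-to page" step.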

The paper details some special edge-cases that have to be taken care of,
like confused-deputy problems, weird drivers, double-mappings,
`execve`, `futex`, `rt_sigaction`, …

The measured performance impact is around 3.4% on the [Phoronix Test Suite](https://www.phoronix-test-suite.com)
and 3.7% on the [NAS Parallel Benchmarks](https://en.wikipedia.org/wiki/NAS_Parallel_Benchmarks),
although more worrying numbers, a 13-14% slowdown on nginx, were observed in
some particular configurations.

It's overall a simple'n'cool idea, although it'll wreak havoc in production by
breaking vulnerable-but-working code, so it might be wise to run it under
syzkaller for a while before considering deploying it.

The code has of course [been published](https://hexhive.epfl.ch/midas), and the
paper was [part
of](https://www.usenix.org/conference/usenixsecurity22/presentation/bhattacharyya)
the [31<sup>st</sup> USENIX Security
Symposium](https://www.usenix.org/conference/usenixsecurity22).
