UW-Madison
Computer Sciences Dept.

Safefile Library and Documentation

Careless handling of file opens, often caused by problems with path traversal or shared directories, can expose applications to attacks on the file names that they use. In this paper we present criteria to determine whether a path is safe from attack and show that previous algorithms are not sufficient to protect against such attacks. We then describe an algorithm to safely open a file in the presence of an attack (and how to detect the presence of such an attack), and provide a new library of file open routines that embodies our algorithm. These routines can be used as one-for-one substitutes for conventional POSIX open and fopen calls.

  • James A. Kupsch and Barton P. Miller, "How to Open a File and Not Get Hacked (extended version)", MIST Project Technical Report, March 2008. [pdf].

  • James A. Kupsch and Barton P. Miller, "How to Open a File and Not Get Hacked", 2008 Third International Conference on Availability, Reliability and Security (ARES), Barcelona, Spain, March 2008. [pdf].

  • ARES 2008 presentation [pdf].

  • Safefile library implements the ideas in the paper:

  • Safefile man pages.
