...
Conformance of File Functions to Criteria for Temporary Files

| | tmpnam (C) | tmpnam_s (C11 Annex K) | tmpfile (C) | tmpfile_s (C11 Annex K) | mktemp (POSIX) | mkstemp (POSIX) |
|---|---|---|---|---|---|---|
| Unpredictable Name | Not portably | Yes | Not portably | Yes | Not portably | Not portably |
| Unique Name | Yes | Yes | Yes | Yes | Yes | Yes |
| Atomic open | No | No | Yes | Yes | No | Yes |
| Exclusive Access | Possible | Possible | No | If supported by OS | Possible | If supported by OS |
| Appropriate Permissions | Possible | Possible | If supported by OS* | If supported by OS | Possible | Not portably |
| File Removed | No | No | Yes* | Yes* | No | No |

* If the program terminates abnormally, this behavior is implementation-defined.
...
In many older implementations, the name is a function of the process ID and the time, so an attacker can predict the name and create a decoy file in advance. FreeBSD changed the mk*temp() family to eliminate the process ID component of the file name and fill the entire field with base-62 encoded randomness. For the typical template of six X's this raises the number of possible names to 62^6 (roughly 5.7 × 10^10), so even mktemp() with six X's is reasonably (probabilistically) secure against guessing except under frequent use [Kennaway 2000]. Note that an unguessable name does not make mktemp() safe against a race: as the table shows, it still lacks an atomic open, so the file must be opened with O_CREAT | O_EXCL by the caller.
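The table and the paragraph above leave three properties to the caller even when mkstemp() is used: appropriate permissions ("Not portably"), exclusive access ("If supported by OS") and removal ("No"). The following is an added example, not code from the CERT page, showing how a POSIX program supplies those properties itself. It assumes a POSIX system with mkstemp(), fchmod(), fstat() and unlink(); the function names open_private_tmpfile(), roundtrip_via_private_tmpfile() and template_name_space() are this example's own, and the "constructed sample payload" string is made-up test input.

```c
/* Added example: hardened POSIX temporary-file creation around mkstemp().
 * Not from the CERT page; function names are this example's own. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Number of distinct names a template with n_x trailing X's can produce when
 * each X is drawn from an alphabet of the given size (62 for the base-62
 * scheme described above, 10 for a purely numeric suffix). */
unsigned long long template_name_space(int n_x, unsigned alphabet)
{
    unsigned long long n = 1;
    for (int i = 0; i < n_x; i++)
        n *= alphabet;
    return n;
}

/* Create and open a temporary file in dir that only this process can reach.
 * mkstemp() supplies the unpredictable name and the atomic O_CREAT|O_EXCL
 * open; the properties the table leaves to the caller (permissions, removal)
 * are handled explicitly. Returns an open descriptor, or -1 with errno set. */
int open_private_tmpfile(const char *dir)
{
    char path[4096];
    if (snprintf(path, sizeof path, "%s/tmp.XXXXXX", dir) >= (int)sizeof path) {
        errno = ENAMETOOLONG;
        return -1;
    }

    /* Historical mkstemp() implementations created the file with mode 0666
     * (the table's "Not portably"); a restrictive umask around the call gives
     * an initial mode of 0600 on any implementation, with no window at 0666. */
    mode_t old_mask = umask(S_IRWXG | S_IRWXO);
    int fd = mkstemp(path);
    int saved = errno;
    umask(old_mask);
    if (fd < 0) {
        errno = saved;
        return -1;
    }

    /* Operate on the descriptor, never on the path: a chmod(path) here would
     * reintroduce the race that mkstemp() closed. */
    if (fchmod(fd, S_IRUSR | S_IWUSR) != 0)
        goto fail;

    /* Confirm what we hold is a fresh regular file of our own with one link. */
    struct stat st;
    if (fstat(fd, &st) != 0)
        goto fail;
    if (!S_ISREG(st.st_mode) || st.st_nlink != 1 || st.st_uid != geteuid()) {
        errno = EPERM;
        goto fail;
    }

    /* Unlink immediately: the descriptor keeps the file alive, nothing else
     * can open it by name, and the kernel reclaims it even on abnormal exit. */
    if (unlink(path) != 0)
        goto fail;
    return fd;

fail:
    saved = errno;
    close(fd);
    unlink(path);
    errno = saved;
    return -1;
}

/* Write msg to a private temp file and read it back; returns 1 on a match. */
int roundtrip_via_private_tmpfile(const char *dir, const char *msg)
{
    char buf[256];
    size_t n = strlen(msg);
    if (n > sizeof buf)
        return 0;
    int fd = open_private_tmpfile(dir);
    if (fd < 0)
        return 0;
    int ok = write(fd, msg, n) == (ssize_t)n
          && lseek(fd, 0, SEEK_SET) == 0
          && read(fd, buf, n) == (ssize_t)n
          && memcmp(buf, msg, n) == 0;
    close(fd);
    return ok;
}

int main(void)
{
    printf("six X's, base-62: %llu possible names\n", template_name_space(6, 62));
    const char *dir = getenv("TMPDIR") ? getenv("TMPDIR") : "/tmp";
    printf("round trip in %s: %s\n", dir,
           roundtrip_via_private_tmpfile(dir, "constructed sample payload") ? "ok" : "failed");
    return 0;
}
```

Two caveats a practitioner should keep in mind: umask() is process-wide, so in a multithreaded program the umask dance briefly affects other threads' file creation (fchmod() on the descriptor is the part that must not be skipped), and the unlink-immediately pattern only works when the file never needs to be reopened by name; if it does, keep it in a directory that is not shared with untrusted users, as FIO15-C requires.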
Exceptions
FIO21-C-EX1: The Annex K tmpfile_s()
function can be used if all the targeted implementations create temporary files in secure directories.
...
Insecure temporary file creation can lead to a program accessing unintended files and permission escalation on local systems.
| Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
| FIO21-C | Medium | Probable | Medium | P8 | L2 |
Automated Detection
| Tool | Version | Checker | Description |
|---|---|---|---|
| CodeSonar | | BADFUNC.TEMP.* | A collection of checks that report uses of library functions associated with temporary file vulnerabilities |
| CodeSonar | | BADFUNC.TMPFILE_S | Use of tmpfile_s |
| CodeSonar | | BADFUNC.TMPNAM_S | Use of tmpnam_s |
| Compass/ROSE | | | Can detect violations of this recommendation. Specifically, Rose reports use of |
| Coverity | 6.5 | SECURE_TEMP | Fully implemented |
| Helix QAC | | C5016 | |
| LDRA tool suite | | 44 S | Enhanced enforcement |
| Parasoft C/C++test | | CERT_C-FIO21-a | Usage of functions prone to race is not allowed |
| Polyspace Bug Finder | | CERT C: Rec. FIO21-C | Checks for non-secure temporary file (rec. partially covered) |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this recommendation on the CERT website.
Related Guidelines
CERT C Secure Coding Standard | FIO15-C. Ensure that file operations are performed in a secure directory |
SEI CERT C++ Coding Standard | VOID FIO19-CPP. Do not create temporary files in shared directories |
CERT Oracle Secure Coding Standard for Java | FIO03-J. Remove temporary files before termination |
ISO/IEC TR 24772:2013 | Path Traversal [EWR] |
MITRE CWE | CWE-379, Creation of temporary file in directory with insecure permissions |
Bibliography
[HP 2003] |
[IEEE Std 1003.1:2013] | XSH, System Interfaces: open; XSH, System Interfaces: mkdopen, mksopen |
[ISO/IEC 9899:2011] | Subclause K.3.5.1.2, "The tmpnam_s Function"; Subclause 7.21.4.4, "The tmpnam Function" |
[Kennaway 2000] |
[Open Group 2004] | open() |
[Seacord 2013] | Chapter 3, "Pointer Subterfuge"; Chapter 8, "File I/O" |
[Viega 2003] | Section 2.1, "Creating Files for Temporary Use" |
[Wheeler 2003] | Chapter 7, "Structure Program Internals and Approach" |
...
...