<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Issue 2654: [filesys.ts] [PDTS] Concerns with security and testability</title>
<meta property="og:title" content="Issue 2654: [filesys.ts] [PDTS] Concerns with security and testability">
<meta property="og:description" content="C++ library issue. Status: NAD Future">
<meta property="og:url" content="https://cplusplus.github.io/LWG/issue2654.html">
<meta property="og:type" content="website">
<meta property="og:image" content="http://cplusplus.github.io/LWG/images/cpp_logo.png">
<meta property="og:image:alt" content="C++ logo">
<style>
  p {text-align:justify}
  li {text-align:justify}
  pre code.backtick::before { content: "`" }
  pre code.backtick::after { content: "`" }
  blockquote.note
  {
    background-color:#E0E0E0;
    padding-left: 15px;
    padding-right: 15px;
    padding-top: 1px;
    padding-bottom: 1px;
  }
  ins {background-color:#A0FFA0}
  del {background-color:#FFA0A0}
  table.issues-index { border: 1px solid; border-collapse: collapse; }
  table.issues-index th { text-align: center; padding: 4px; border: 1px solid; }
  table.issues-index td { padding: 4px; border: 1px solid; }
  table.issues-index td:nth-child(1) { text-align: right; }
  table.issues-index td:nth-child(2) { text-align: left; }
  table.issues-index td:nth-child(3) { text-align: left; }
  table.issues-index td:nth-child(4) { text-align: left; }
  table.issues-index td:nth-child(5) { text-align: center; }
  table.issues-index td:nth-child(6) { text-align: center; }
  table.issues-index td:nth-child(7) { text-align: left; }
  table.issues-index td:nth-child(5) span.no-pr { color: red; }
  @media (prefers-color-scheme: dark) {
     html {
        color: #ddd;
        background-color: black;
     }
     ins {
        background-color: #225522
     }
     del {
        background-color: #662222
     }
     a {
        color: #6af
     }
     a:visited {
        color: #6af
     }
     blockquote.note
     {
        background-color: rgba(255, 255, 255, .10)
     }
  }
</style>
</head>
<body>
<hr>
<p><em>This page is a snapshot from the LWG issues list, see the <a href="lwg-active.html">Library Active Issues List</a> for more information and the meaning of <a href="lwg-active.html#NAD_Future">NAD Future</a> status.</em></p>
<h3 id="2654"><a href="lwg-closed.html#2654">2654</a>. [filesys.ts] [PDTS] Concerns with security and testability</h3>
<p><b>Section:</b> 1 [filesys.ts::fs.scope] <b>Status:</b> <a href="lwg-active.html#NAD_Future">NAD Future</a>
 <b>Submitter:</b> Google <b>Opened:</b> 2014-01-20 <b>Last modified:</b> 2016-08-11</p>
<p><b>Priority: </b>Not Prioritized
</p>
<p><b>View all other</b> <a href="lwg-index.html#filesys.ts::fs.scope">issues</a> in [filesys.ts::fs.scope].</p>
<p><b>View all issues with</b> <a href="lwg-status.html#NAD Future">NAD Future</a> status.</p>
<p><b>Discussion:</b></p>
<p><b>Addresses: filesys.ts</b></p>
  <p>We have two primary concerns with the interface as specified: </p>
  <p>
    (a) its interface repeats the mistake of V7 Unix in 1979 by exposing access
    checking (and similarly file creation) independently from opening and mutating
    the file, and
  </p>
  <p>
    (b) it provides no realistic means of testing a software library which uses
    the standard interface for accessing the filesystem under fault scenarios.
  </p>
  <p>
    Due to the extent of (a), TOCTTOU [1] security vulnerabilities are
    guaranteed, if not during access checking [2], during other common operations
    such as temporary file creation [3].
  </p>
  <p>
    Due to (b) it is impossible to portably test libraries using the proposed
    interface against critical correctness and security edge cases.
  </p>
  <p>
    [1]: TOCTTOU: Time-of-check-to-time-of-use.&nbsp;
    <a href="http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&amp;arnumber=5388162">Operating system integrity in OS/VS2</a>
  </p>
      <p>[2]: <a href="http://www.csl.sri.com/users/ddean/papers/usenix04.pdf">Fixing Races for Fun and Profit: How to use access(2)</a></p>
      <p>[3]: <a href="http://www.cs.ucdavis.edu/research/tech-reports/1995/CSE-95-10.pdf">Checking for Race Conditions in File Accesses</a></p>
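  <p>The following is an added example and is not code from the issue text, from Google, or from the Filesystem TS. It shows the two properties the submission asks for: for (a), file creation in which the existence check and the creation are a single <code>open(O_CREAT|O_EXCL)</code> call, shown beside the check-then-create sequence the issue warns against; for (b), a small interface (a "seam") between a library and the filesystem so that a test can inject failures such as <code>ENOSPC</code> without a real disk. It assumes a POSIX platform, and every name in it (<code>FileSystem</code>, <code>PosixFileSystem</code>, <code>FaultInjectingFileSystem</code>, <code>write_token</code>, <code>run_demo</code>) is a hypothetical name chosen for the example.</p>

```cpp
// Added example (not from LWG issue 2654 or the Filesystem TS). POSIX only.
// All type and function names here are hypothetical, chosen for this example.
#include <cerrno>
#include <cstdlib>
#include <string>
#include <system_error>
#include <vector>
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

// (b) The seam: the library depends on this interface, never on raw paths
// plus syscalls, so a test can substitute a failing implementation.
struct FileSystem {
    virtual ~FileSystem() = default;
    // Create `path` exclusively and write `data` into it. Returns an empty
    // error_code on success, EEXIST if `path` already exists.
    virtual std::error_code create_exclusive(const std::string& path,
                                             const std::string& data) = 0;
};

// (a) The pattern the issue warns against, kept only for contrast: the check
// (access) and the use (open) are separate calls, so between them another
// process can create or replace `path`. Nothing in this function can detect it.
std::error_code create_check_then_create(const std::string& path,
                                         const std::string& data) {
    if (::access(path.c_str(), F_OK) == 0)
        return {EEXIST, std::generic_category()};
    int fd = ::open(path.c_str(), O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return {errno, std::generic_category()};
    (void)::write(fd, data.data(), data.size());
    ::close(fd);
    return {};
}

// Real implementation: O_EXCL makes "does it exist?" and "create it" one
// atomic kernel operation, and fstat() validates the descriptor we hold
// instead of a path that may since have been re-pointed.
struct PosixFileSystem : FileSystem {
    std::error_code create_exclusive(const std::string& path,
                                     const std::string& data) override {
        int fd = ::open(path.c_str(), O_WRONLY | O_CREAT | O_EXCL | O_CLOEXEC, 0600);
        if (fd < 0) return {errno, std::generic_category()};
        struct stat st {};
        if (::fstat(fd, &st) != 0) { int e = errno; ::close(fd); return {e, std::generic_category()}; }
        if (!S_ISREG(st.st_mode)) { ::close(fd); return {EINVAL, std::generic_category()}; }
        const char* p = data.data();
        size_t left = data.size();
        while (left > 0) {                       // full-write loop, EINTR-safe
            ssize_t n = ::write(fd, p, left);
            if (n < 0) {
                if (errno == EINTR) continue;
                int e = errno; ::close(fd); return {e, std::generic_category()};
            }
            p += n; left -= static_cast<size_t>(n);
        }
        ::close(fd);
        return {};
    }
};

// Test double: fails every operation with a chosen errno, so a test can drive
// the library through ENOSPC, EACCES, EEXIST and so on without touching a disk.
struct FaultInjectingFileSystem : FileSystem {
    explicit FaultInjectingFileSystem(int err) : err_(err) {}
    std::error_code create_exclusive(const std::string&, const std::string&) override {
        return {err_, std::generic_category()};
    }
    int err_;
};

// A library routine written against the seam: stores a token in a fresh file
// and must refuse to overwrite an existing one (no separate exists() check).
std::error_code write_token(FileSystem& fs, const std::string& dir,
                            const std::string& token) {
    return fs.create_exclusive(dir + "/token", token + "\n");
}

// Fresh scratch directory under $TMPDIR or /tmp, created at run time.
std::string make_temp_dir() {
    const char* base = std::getenv("TMPDIR");
    std::string tmpl = std::string(base && *base ? base : "/tmp") + "/lwg2654-XXXXXX";
    std::vector<char> buf(tmpl.begin(), tmpl.end());
    buf.push_back('\0');
    if (::mkdtemp(buf.data()) == nullptr) return {};
    return std::string(buf.data());
}

struct Outcome { int first_create; int second_create; int injected; };

// Drives write_token through the real and the fault-injecting filesystem and
// reports the resulting errno values (0 = success).
Outcome run_demo() {
    Outcome out{};
    std::string dir = make_temp_dir();
    PosixFileSystem real;
    out.first_create  = write_token(real, dir, "token-value").value();   // 0
    out.second_create = write_token(real, dir, "other-value").value();   // EEXIST
    FaultInjectingFileSystem full_disk(ENOSPC);                          // constructed fault
    out.injected = write_token(full_disk, dir, "token-value").value();   // ENOSPC
    ::unlink((dir + "/token").c_str());
    ::rmdir(dir.c_str());
    return out;
}

int main() {
    Outcome o = run_demo();
    return (o.first_create == 0 && o.second_create == EEXIST && o.injected == ENOSPC) ? 0 : 1;
}
```

  <p>In a single-threaded run <code>create_check_then_create</code> and <code>PosixFileSystem::create_exclusive</code> return the same values, which is exactly the testability problem in (b): the race in the former cannot be reproduced on demand, so an interface that only exposes the check-then-create shape cannot be tested for it. With the seam, the <code>ENOSPC</code> path of <code>write_token</code> is exercised deterministically by a test double rather than by filling a disk.</p>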

  
  <p><i>[Beman Dawes: 10 Feb 2014: Suggested response: NAD, Future]</i></p>

  <blockquote>
    <p>We share your concerns and look forward to receiving specific proposals to address them.
    Whether they will be addressed by a revision of TS 18822 or a new TS will be decided as proposals progress
    through the committee process. See <a href="http://isocpp.org/std/submit-a-proposal">How To Submit a Proposal</a>.</p>
  </blockquote>
  <p><i>[17 Jun 2014 Rapperswil LWG agrees NAD, Future with rationale as stated above.]</i></p>




<p id="res-2654"><b>Proposed resolution:</b></p>
<p></p>





</body>
</html>
