a control point for reducing root abuse of file system
play

A Control Point for Reducing Root Abuse of File-System Privileges - PowerPoint PPT Presentation

Jan 12, 2023 •264 likes •527 views

Introduction Solution for the Desktop A Control Point for Reducing Root Abuse of File-System Privileges Glenn Wurster , Paul C. van Oorschot School of Computer Science Carleton University, Canada 6 Oct 2010 Glenn Wurster, Paul C. van Oorschot

  1. Introduction Solution for the Desktop A Control Point for Reducing Root Abuse of File-System Privileges Glenn Wurster , Paul C. van Oorschot School of Computer Science Carleton University, Canada 6 Oct 2010 Glenn Wurster, Paul C. van Oorschot Reducing Root Abuse 1/ 24

  2. Introduction Solution for the Desktop Separation of Duties Installer Frameworks Problem Root privileged processes can arbitrarily modify the system Solution Don’t run as root Glenn Wurster, Paul C. van Oorschot Reducing Root Abuse 2/ 24

  3. Introduction Solution for the Desktop Separation of Duties Installer Frameworks Re-phrasing the requirements On the desktop, we should treat two applications as mutually untrustworthy. During install, upgrade, uninstall, and 1 run-time. The paper concentrates only on the 2 file-system. Allow file-system reads, but don’t allow modifications. Glenn Wurster, Paul C. van Oorschot Reducing Root Abuse 3/ 24

  4. Introduction Solution for the Desktop Separation of Duties Installer Frameworks Other Approaches to Divide Root e.g., SELinux dpkg given almost total control over the file-system Glenn Wurster, Paul C. van Oorschot Reducing Root Abuse 4/ 24

  5. Introduction Solution for the Desktop Separation of Duties Installer Frameworks T wo States Glenn Wurster, Paul C. van Oorschot Reducing Root Abuse 5/ 24

  6. Introduction Solution for the Desktop Separation of Duties Installer Frameworks T wo States, Many Users Glenn Wurster, Paul C. van Oorschot Reducing Root Abuse 6/ 24

  7. Introduction Solution for the Desktop Separation of Duties Installer Frameworks T wo States, Many Applications Glenn Wurster, Paul C. van Oorschot Reducing Root Abuse 7/ 24

  8. Introduction Solution for the Desktop Separation of Duties Installer Frameworks Our focus Configuration related files: Modified during configuration, not during day-to-day use 1 We focus on system-wide configuration files 2 Files most commonly modified through install, upgrade, and uninstall Glenn Wurster, Paul C. van Oorschot Reducing Root Abuse 8/ 24

  9. Introduction Solution for the Desktop Separation of Duties Installer Frameworks Application Installers Run a Script or Binary Provided by application author 1 Usually run as Administrator 2 e.g., make install , self-extracting 3 ZIP Glenn Wurster, Paul C. van Oorschot Reducing Root Abuse 9/ 24

  10. Introduction Solution for the Desktop Separation of Duties Installer Frameworks Application Packages sudo apt-get install <package> Typically, become root and run 1 package manager Package manager runs scripts in 2 package Glenn Wurster, Paul C. van Oorschot Reducing Root Abuse 10/ 24

  11. Introduction Solution for the Desktop Separation of Duties Installer Frameworks Application Bundles Drag and Drop Drag to the destination folder 1 No scripts run during install 2 Glenn Wurster, Paul C. van Oorschot Reducing Root Abuse 11/ 24

  12. Introduction Solution for the Desktop Separation of Duties Installer Frameworks Google Android Self Signing Isolate update to just the package 1 No scripts run during install 2 Glenn Wurster, Paul C. van Oorschot Reducing Root Abuse 12/ 24

  13. Introduction Solution for the Desktop Separation of Duties Installer Frameworks GoboLinux Don’t modify files during 1 upgrade Redesign the file-system 2 hierarchy Glenn Wurster, Paul C. van Oorschot Reducing Root Abuse 13/ 24

  14. Introduction Solution for the Desktop Separation of Duties Installer Frameworks GoboLinux - Restricting Scripts Restricting Scripts Script has write access to 1 build source and install destination Glenn Wurster, Paul C. van Oorschot Reducing Root Abuse 14/ 24

  15. Introduction Solution for the Desktop Separation of Duties Installer Frameworks Application Installer Goal Encapsulates User Friendly FS Hierarchy Separation Agnostic Upgrade Scripts Config Method � � � � Installer Package � � � � � Bundle � � � Android � � � � GoboLinux � � � � Goal � � � � � � Glenn Wurster, Paul C. van Oorschot Reducing Root Abuse 15/ 24

  16. Introduction Solution for the Desktop Breakdown of Separation Configuration related files: 1 Identified as c-locked , protected by kernel Encapsulating configuration of applications: 2 Delegated to a user-space app called configd Glenn Wurster, Paul C. van Oorschot Reducing Root Abuse 16/ 24

  17. Introduction Solution for the Desktop The Control Point Glenn Wurster, Paul C. van Oorschot Reducing Root Abuse 17/ 24

  18. Introduction Solution for the Desktop What can be c-locked? Store the c-locking flag in the inode, protecting: Files 1 Symbolic Links 2 Hard Links 3 Directories 4 Glenn Wurster, Paul C. van Oorschot Reducing Root Abuse 18/ 24

  19. Introduction Solution for the Desktop The Prototype: GoboLinux + Debian Linux Files in the package are segregated by 1 Debian’s dpkg Scripts are restrained using an approach 2 similar to GoboLinux File-system hierarchy is same as standard 3 Debian Glenn Wurster, Paul C. van Oorschot Reducing Root Abuse 19/ 24

  20. Introduction Solution for the Desktop The Prototype: Restricting Applications Restricting Installers We likely don’t have a custom security 1 policy for the program being installed We’re not working with security experts 2 Enforcement Continue enforcement past install 1 Any application gaining root should not be 2 able to modify the system Glenn Wurster, Paul C. van Oorschot Reducing Root Abuse 20/ 24

  21. Introduction Solution for the Desktop Philosophizing T wo options for restricting installers Don’t run installers as root; or 1 Don’t give root all the privileges it 2 currently gets Shifting to not run installers as root Users automatically become root to install 1 Applications still sometimes get root 2 privileges ’Root’ does not distinguish between 3 configuration and day-to-day use Glenn Wurster, Paul C. van Oorschot Reducing Root Abuse 21/ 24

  22. Introduction Solution for the Desktop Prototype Implementation Extended the Linux kernel to enforce 1 c-locked flag Used extended attribute functionality Any file in a package is marked as c-locked Extended dpkg to work with configd 2 Ran install scripts with a restricted UID 3 Glenn Wurster, Paul C. van Oorschot Reducing Root Abuse 22/ 24

  23. Introduction Solution for the Desktop Prototype Evaluation Performance overhead ≤ 4 . 8 % 1 Malware prevented from modifying core 2 c-locked system binaries Satisfied design goals 3 Glenn Wurster, Paul C. van Oorschot Reducing Root Abuse 23/ 24

  24. Introduction Solution for the Desktop A Control Point for Reducing Root Abuse of File-System Privileges Glenn Wurster, Paul C. van Oorschot http://ccsl.carleton.ca Glenn Wurster, Paul C. van Oorschot Reducing Root Abuse 24/ 24

  25. Introduction Solution for the Desktop Slide References Projects: - http://www.debian.org/ - http://www.gobolinux.org/ Images: - http://www.mypointless.com/2009/05/more-headlines-of-obvious.html http://en.wikivisual.com/index.php/Key_(lock) - - http://zarious.deviantart.com/art/Spy-vs-Spy-WallPaper-2560X1024-115603200 - http://websvn.kde.org/trunk/kdesupport/oxygen-icons/scalable/apps/ - http://arstechnica.com/open-source/reviews/2010/07/android-22-froyo.ars/ - http://www.android.com/media/ - http://www.directindustry.com/prod/norma-group/exhaust-pipe-clamp-15287-33925.html - http://www.codeproject.com/kb/WPF/TheWpfThoughtProcess.aspx - http://www.multiplaying.net/2009/07/29/slurms-pondering-of-the-day4/ - http://www.cs.gettysburg.edu/~tneller/mazes/oskar4bit/arduino.html Glenn Wurster, Paul C. van Oorschot Reducing Root Abuse 25/ 24

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

UNIX File System UNIX File System The UNIX file system has a hierarchical tree structure with

UNIX File System UNIX File System The UNIX file system has a hierarchical tree structure with

UNIX File System UNIX File System The UNIX file system has a hierarchical tree structure with Every directory always has two standard entries. the top in root . The name . in each directory refers to the directory itself. The name

339 views • 8 slides
Tutorial on Root Server System Root Server System Advisory Committee | October 2015 Outline 1.

Tutorial on Root Server System Root Server System Advisory Committee | October 2015 Outline 1.

Tutorial on Root Server System Root Server System Advisory Committee | October 2015 Outline 1. Overview of Domain Name System 2. History of Root Server System 3. Root Server System today &amp; Its Features 4. Recent RSSAC Activities | 2

667 views • 38 slides
Chapter 12: File System Implementation File System Structure File System Implementation

Chapter 12: File System Implementation File System Structure File System Implementation

Chapter 12: File System Implementation File System Structure File System Implementation Directory Implementation Allocation Methods Free-Space Management Efficiency and Performance Recovery Log-Structured File Systems

492 views • 47 slides
File System Architecture APP APP APP APP Metad adat ata S a Service metadata operations

File System Architecture APP APP APP APP Metad adat ata S a Service metadata operations

B ATCH FS Scaling the File System Control Plane with Client-Funded Metadata Servers [ vision-paper ] Qing Zheng, Kai Ren, Garth Gibson Carnegie Mellon University 9 th Parallel Data Storage Workshop/SC 2014 File System Architecture APP APP

563 views • 38 slides
Scaling the Root A study of the impact on the DNS root system of increasing the size and

Scaling the Root A study of the impact on the DNS root system of increasing the size and

Scaling the Root A study of the impact on the DNS root system of increasing the size and volatility of the root zone Jaap Akkerhuis Lyman Chapin Patrik Fltstrm Glenn Kowack Bill Manning Lars-Johan Liman Summary of Findings Root Scaling

558 views • 20 slides
~FILE SYSTEM~ SUNU WIBIRAMA OUTLINE FILE SYSTEM ACCESS METHODS DIRECTORY STRUCTURE FILE

~FILE SYSTEM~ SUNU WIBIRAMA OUTLINE FILE SYSTEM ACCESS METHODS DIRECTORY STRUCTURE FILE

~FILE SYSTEM~ SUNU WIBIRAMA OUTLINE FILE SYSTEM ACCESS METHODS DIRECTORY STRUCTURE FILE SYSTEM MOUNTING PROTECTION EXTERNAL VIEW OF THE FILE MANAGER FILE MANAGEMENT FILE, IS A NAMED AND ORDERED COLLECTION OF INFORMATION COMPUTER SHOULD

341 views • 33 slides
Overview Last Week: Efficiency read/write The File Unix System Programming File

Overview Last Week: Efficiency read/write The File Unix System Programming File

Overview Last Week: Efficiency read/write The File Unix System Programming File pointer File control/access Directories and File System This Week: How to program with directories Brief introduction to the UNIX file system

247 views • 8 slides
File Systems Chapter 11, 13 OSPP What is a File? What is a Directory? Goals of File System

File Systems Chapter 11, 13 OSPP What is a File? What is a Directory? Goals of File System

File Systems Chapter 11, 13 OSPP What is a File? What is a Directory? Goals of File System Performance Controlled Sharing Convenience: naming Reliability File System Workload File sizes Are most files small or large?

996 views • 62 slides
Verified Boot: From ROM to Userspace ROM-Code Bootloader Kernel Root File System ELC Europe

Verified Boot: From ROM to Userspace ROM-Code Bootloader Kernel Root File System ELC Europe

Verified Boot: From ROM to Userspace ROM-Code Bootloader Kernel Root File System ELC Europe 2016, 12.10.2016 Marc Kleine-Budde &lt;mkl@pengutronix.de&gt; Slide 1 - http://www.pengutronix.de - 13.10.2016 Why Verified Boot? Attractive hacking

774 views • 20 slides
CSE 120 File System Interface What the user/programmer sees File System Implementation

CSE 120 File System Interface What the user/programmer sees File System Implementation

Overview CSE 120 File System Interface What the user/programmer sees File System Implementation How it works Summer, 2006 Day 9 File Systems Instructor: Neil Rhodes 2 What is a File? Typical Filesystem Named collection of related

175 views • 5 slides
Substance Abuse Prevention and Control Prevention System of Services Prevention Program Efforts

Substance Abuse Prevention and Control Prevention System of Services Prevention Program Efforts

Substance Abuse Prevention and Control Prevention System of Services Prevention Program Efforts Yolanda Cordero, MPA Chief, Prevention Services, Substance Abuse Prevention &amp; Control 1 Prevention Program Efforts Rethinking Access to

418 views • 17 slides
File System Implementation Summer 2016 Cornell University Today File allocation Unix

File System Implementation Summer 2016 Cornell University Today File allocation Unix

CS 4410 Operating Systems File System Implementation Summer 2016 Cornell University Today File allocation Unix file system Log-structured file system 2 File system: two design problems User interface: File, directory,

362 views • 21 slides
OP-TEE Using TrustZone to Protect Our Own Secrets ROM-Code Bootloader OP-TEE Kernel Root File

OP-TEE Using TrustZone to Protect Our Own Secrets ROM-Code Bootloader OP-TEE Kernel Root File

OP-TEE Using TrustZone to Protect Our Own Secrets ROM-Code Bootloader OP-TEE Kernel Root File System ELC Europe 2017, 23.10.2017 Marc Kleine-Budde &lt;mkl@pengutronix.de&gt; Slide 1 - http://www.pengutronix.de - 2017-10-23 Overview ARM

1.06k views • 18 slides
Distributed File Systems Distributed File Systems A distributed file system (DFS) is a

Distributed File Systems Distributed File Systems A distributed file system (DFS) is a

Distributed File Systems Distributed File Systems A distributed file system (DFS) is a distributed Definitions implementation of a classical time-sharing model of a file Distributed system - A number of loosely coupled system. machines

997 views • 8 slides
Windows File System Efficiency and Stability of a file system are contradicting requirements. How

Windows File System Efficiency and Stability of a file system are contradicting requirements. How

Unit OS8: File System 8.6. Quiz Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze Windows File System Efficiency and Stability of a file system are contradicting requirements. How can the

279 views • 11 slides
Distributed Systems - III Open a file, check status on a file, close a file; Read data

Distributed Systems - III Open a file, check status on a file, close a file; Read data

CSE 421/521 - Operating Systems What does Distributed File System Provide? Fall 2011 Provide access to and manipulation of data stored at remote servers using file system interfaces Lecture - XXV What are the file system interfaces?

236 views • 5 slides
New Slide Attacks on Almost Self-Similar Ciphers Orr Dunkelman, Nathan Keller, Noam Lasry, Adi

New Slide Attacks on Almost Self-Similar Ciphers Orr Dunkelman, Nathan Keller, Noam Lasry, Adi

Intro SelfSimilar New Summary New Slide Attacks on Almost Self-Similar Ciphers Orr Dunkelman, Nathan Keller, Noam Lasry, Adi Shamir Eurocrypt 2020 Orr Dunkelman New Slide Attacks on Almost Self-Similar Ciphers 1/ 28 Intro SelfSimilar

819 views • 40 slides
Script for 10 Things PIs Need to Know video module View Script 1 You got a grant! 2

Script for 10 Things PIs Need to Know video module View Script 1 You got a grant! 2

Script for 10 Things PIs Need to Know video module View Script 1 You got a grant! 2 [animation money bag appears] [SFX: bag of coins hitting the ground] 3 Now what? 4 here are the top 10 things PIs need to know 5 Lets get

161 views • 3 slides
ProtoDUNE prototype TPC self-trigger Philip Rodrigues University of Oxford 24 September 2019 1

ProtoDUNE prototype TPC self-trigger Philip Rodrigues University of Oxford 24 September 2019 1

ProtoDUNE prototype TPC self-trigger Philip Rodrigues University of Oxford 24 September 2019 1 A self-triggered muon parallel to the APA face Run 9619, event 6 (timestamp 0x1168a5f24e41158, 2019-09-09 15:41:35 UTC) Z view U view V view

716 views • 30 slides
Don't repeat yourself CREATIN G ROBUS T P YTH ON W ORK F LOW S Martin Skarzynski Co-Chair,

Don't repeat yourself CREATIN G ROBUS T P YTH ON W ORK F LOW S Martin Skarzynski Co-Chair,

Don't repeat yourself CREATIN G ROBUS T P YTH ON W ORK F LOW S Martin Skarzynski Co-Chair, Foundation for Advanced Education in the Sciences (FAES) What will you learn? Learning Objectives: Develop your own personal workow Steps you take

792 views • 38 slides
Oklo: case study in extracting information on fundamental interactions from CN processes Edward

Oklo: case study in extracting information on fundamental interactions from CN processes Edward

Oklo: case study in extracting information on fundamental interactions from CN processes Edward Davis edward.davis@ku.edu.kw Kuwait University ACFI Workshop: Tests of Time-Reversal in Nuclear and Hadronic Processes (November 6 to 8,

691 views • 45 slides
Refining Network Intents for Self-Driving Networks Arthur Selle Jacobs Ricardo Jos

Refining Network Intents for Self-Driving Networks Arthur Selle Jacobs Ricardo Jos

Refining Network Intents for Self-Driving Networks Arthur Selle Jacobs Ricardo Jos Pfitscher, Ronaldo Alves Ferreira, Lisandro Zambenedetti Granville UFRGS UFMS Budapest, Hungary August 24, 2018 Self-Driving Networks High-level

874 views • 31 slides
Representing Huge Translation Models Statistical Machine Translation parallel text + alignment

Representing Huge Translation Models Statistical Machine Translation parallel text + alignment

Representing Huge Translation Models Statistical Machine Translation parallel text + alignment Statistical Machine Translation extract rules parallel text + alignment Statistical Machine Translation score extract rules rules parallel

1.27k views • 109 slides
Household data analytics Dagstuhl, February 2015 Christoph Doblander, Anwar Ul Haq, Christoph

Household data analytics Dagstuhl, February 2015 Christoph Doblander, Anwar Ul Haq, Christoph

Technische Universitt Mnchen Household data analytics Dagstuhl, February 2015 Christoph Doblander, Anwar Ul Haq, Christoph Goebel, H.-A. Jacobsen Technische Universitt Mnchen Institut fr Informatik, Lehrstuhl I13 Prof. Dr. H.-A.

462 views • 14 slides

More recommend