Making Linux Protection Mechanisms Egalitarian with UserFS (Taesoo Kim and Nickolai Zeldovich, MIT CSAIL; slide deck)

  1. Making Linux Protection Mechanisms Egalitarian with UserFS Taesoo Kim and Nickolai Zeldovich MIT CSAIL

  2. Overview: How to build secure applications?
     ● Simple in principle:
       - reduce the privileges of application components
       - enforce policy at a lower level (e.g. the OS kernel)
     ● Difficult in practice (unless you are the root user):
       - cannot create new principals
       - cannot reduce privileges

  3. This Talk: How can we help programmers reduce privileges and enforce security policy in Linux? By allocating and managing UIDs.

  4. Today's Unix-like OS
     ● A UID is no longer just a real user's identity; it is also used as a protection principal, e.g. nobody, www-data, wheelfs
     ● Existing protection mechanisms already use the UID as a security principal, e.g. filesystem permissions

  5. Running example: DokuWiki

  6. Example: Security model of DokuWiki
     ● PHP-based Wiki
     ● Runs as a single UID
     ● Main features:
       1) Wiki users
       2) Saving each page as a file
       3) ACL on each page

  7. Example: Run DokuWiki
     [diagram] a php process running as <UID: www-data>

  8. Example: Alice writes to page1
     [diagram] alice asks php <UID: www-data> to write to page1; php open()s /doku/conf/acl.php <UID: www-data> to check the ACL
     ACL of DokuWiki pages:
       /doku/pages/page1   Alice: r/w   Bob: r/-
       /doku/pages/page2   Alice: r/-   Bob: r/w

  9. Example: Alice writes to page1
     [diagram] after the ACL check in php, php write()s /doku/pages/page1 <UID: www-data>

  10. Example: Bob writes to page1
      [diagram] bob asks php <UID: www-data> to write to page1; php open()s /doku/conf/acl.php <UID: www-data> to check the ACL
      ACL of DokuWiki pages:
        /doku/pages/page1   Alice: r/w   Bob: r/-
        /doku/pages/page2   Alice: r/-   Bob: r/w

  11. Example: Bob writes to page1
      [diagram] bob asks php <UID: www-data> to write to page1; php open()s /doku/conf/acl.php <UID: www-data> and the ACL check rejects the request ("failed to write")

  12. Example: Vulnerability when checking ACL
      [diagram] the same request as slide 11, but if the ACL check in php is buggy, write() still reaches /doku/pages/page1 <UID: www-data>: the kernel sees UID www-data on both the process and the file

  13. Example: Vulnerability when checking ACL
      [diagram] as slide 12
      The ACL check happens 40 times in DokuWiki's code: new, potentially buggy code in every app.
      CVE-2010-0288: Insufficient Permission Check

  14. Strawman: Running php with a different UID
      [diagram] php <UID: wiki-alice> write()s /doku/pages/page1 <wiki-alice=r/w, others=r/-> on alice's behalf;
                php <UID: wiki-bob> attempts the same write() to /doku/pages/page1 <wiki-alice=r/w, others=r/-> on bob's behalf

  15. Problem: Privilege separation is difficult in Unix
      ● Without root privilege, applications cannot:
        - allocate new UIDs (e.g. adduser)
        - switch the current UID (e.g. setuid)
      ● Ironically, reducing privilege requires root privilege
      ● Running DokuWiki as root is a security disaster

  16. Problem: Privilege separation is difficult in Unix
      [diagram] two principal trees side by side. Unix-like OS: root above the users alice, bob, doku-wiki and taesoo, with their PHP and firefox processes below them. DokuWiki: root above DokuWiki, which is above doku-alice and doku-bob, each running PHP

  17. Goal of this work
      Allow any application to use these protection mechanisms without root privilege:
      ● create a new principal
      ● reuse existing protection mechanisms
      ● use chroot and firewall mechanisms

  18. Outline ● Overview ● Design ● Example ● Implementation ● Evaluation ● Limitation ● Related work ● Conclusion

  19. Design: UID allocation
      ● Strawman: pick a previously unused UID
      ● Challenges:
        - Who can call setuid()?
        - How to reuse UIDs?
        - How to make UIDs persistent?

  20. Challenge: Who can call setuid()?
      ● Current Linux:
        - root can switch to any UID with setuid()
        - non-root cannot switch to a new UID with setuid()
      ● Ideal system requirements:
        - need to represent the privilege of each UID
        - need to specify who can access each UID
        - need to pass privilege between processes

  21. Key Idea: UserFS
      ● Maintain UIDs as files in a /proc-like filesystem
      ● Representing privileges: each UID is represented by a file
      ● Delegating privileges: change permissions on the file, or send the file descriptor via FD passing
      ● Accountability: track the UIDs allocated by each user in a directory

  22. Representing UIDs

  23. Representing UIDs mount UserFS at /userfs

  24. Representing UIDs: represent each UID number as a directory

  25. Representing UIDs: a “ctl” file represents the privilege of each UID

  26. Representing Privileges
      ● Each UID has exactly one ctl file
      ● Any process holding a file descriptor for the ctl file:
        - can change its current UID, e.g. setuid()
        - can pass it through a Unix domain socket, e.g. send()
        - can deallocate the UID by deleting the ctl file, e.g. unlink()

  27. Challenge: How to reuse UIDs?
      ● Ideally, a unique ID for every principal
      ● Problem:
        - Linux uses 32-bit UIDs
        - a previously allocated UID is eventually reused
      ● Solution:
        - introduce a 64-bit generation number (#gen)
        - use #gen to detect unwanted UID reuse

  28. Challenge: How to make UIDs persistent?
      ● For each UID, keep track of the following in a persistent database:
        - #gen
        - permissions of the ctl file
        - creator's UID
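
As an added example (not from the UserFS paper or its implementation) of the #gen mechanism on slides 27 and 28: a toy in-memory version of the per-UID record, where the table layout, MAX_UID, the 0600 ctl mode and the function names are assumptions. It walks through the reuse case the slide warns about: UID 2000 is freed and handed to a second principal, and a reference left over from the first allocation is rejected.

```c
#include <stdbool.h>
#include <stdint.h>
#define MAX_UID 4096      /* toy UID space; UserFS uses the full 32-bit range */

/* Per-UID record: the persistent state slide 28 lists (layout is assumed). */
struct uid_entry {
    bool     allocated;
    uint64_t gen;         /* bumped on every allocation of this UID number */
    uint32_t creator;     /* creator's UID, kept for accountability */
    uint32_t ctl_mode;    /* permissions of the ctl file */
};
static struct uid_entry table[MAX_UID];

/* A reference to a principal: the UID plus the generation it was issued under. */
struct principal { uint32_t uid; uint64_t gen; };

/* Allocate UID `uid` on behalf of `creator`; fails if it is still in use. */
int uid_alloc(uint32_t uid, uint32_t creator, struct principal *out) {
    if (uid >= MAX_UID || table[uid].allocated) return -1;
    table[uid].allocated = true;
    table[uid].gen++;                 /* a (uid, gen) pair is never handed out twice */
    table[uid].creator = creator;
    table[uid].ctl_mode = 0600;       /* only the creator may open the ctl file */
    out->uid = uid; out->gen = table[uid].gen;
    return 0;
}

int uid_dealloc(uint32_t uid) {
    if (uid >= MAX_UID || !table[uid].allocated) return -1;
    table[uid].allocated = false;     /* the number may be reused, the gen may not */
    return 0;
}

/* Does `p` still name the current holder of its UID? A reference left over
 * from an earlier allocation carries an older gen and is rejected. */
bool principal_is_current(const struct principal *p) {
    return p->uid < MAX_UID && table[p->uid].allocated
        && table[p->uid].gen == p->gen;
}

/* Worked scenario: UID 2000 is allocated, freed and allocated again. */
int reuse_demo(void) {
    struct principal first, second;
    if (uid_alloc(2000, 1000, &first)) return -1;
    if (uid_dealloc(2000)) return -1;
    if (uid_alloc(2000, 1001, &second)) return -1;
    /* the stale reference is rejected, the fresh one accepted, generations differ */
    return (!principal_is_current(&first) && principal_is_current(&second)
            && second.gen == first.gen + 1) ? 0 : -1;
}
```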

  29. Managing UIDs
      File system         UserFS
      Add a file          Allocate a UID
      Delete a file       Deallocate a UID
      Open a file         Gain the privilege of the UID
      Change permission   Delegate a privilege

  30. Example: Using a Ufile
      fd = open("/userfs/1000/ctl")
      1) Setuid:                ioctl(fd, IOCTL_SETUID)
      2) UID allocation:        ioctl(fd, IOCTL_ALLOC, 2000)
      3) Privilege delegation:  sendmsg(receiver-socket, fd)

  31. Outline ● Overview ● Design ● Example ● Implementation ● Evaluation ● Limitation ● Related work ● Conclusion

  32. Example: Security model of UserFS-aware DokuWiki
      Key idea: allocate a UID for each Wiki user!
      - Authenticate users with a non-root daemon
      - Use UID sandboxing
      - Reuse the well-tested ACL of the filesystem

  33. Example: Authenticating users with a non-root daemon
      ● Allocate a new doku-admin UID (Wiki admin)
      ● When a new user signs up:
        - doku-admin allocates a UID for the user
        - doku-admin gains read permission on the user's ctl file
      ● When a user logs in:
        - login-mgr (setuid to doku-admin) checks the id/password
        - opens the ctl file of the Wiki user
        - sends it through a Unix domain socket

  34. Example: Servicing DokuWiki with an anonymous UID
      [diagram] httpd <UID: httpd> receives a URL and fork/execs php <UID: anony.> to run DokuWiki

  35. Example: Authenticating users with a non-root daemon
      [diagram] alice sends her (ID/PASS) to php <UID: anony.>

  36. Example: Authenticating users with a non-root daemon
      [diagram] php <UID: anony.> fork/execs login-mgr <UID: doku-admin> and hands it alice's (ID/PASS)

  37. Example: Authenticating users with a non-root daemon
      [diagram] login-mgr <UID: doku-admin> open()s /var/doku/passwd <doku-admin:r/-> to check the credentials, then fd=open()s /userfs/501/ctl <doku-admin:r/->

  38. Example: Authenticating users with a non-root daemon
      [diagram] as slide 37; login-mgr then send(fd)s the ctl file descriptor back to php <UID: anony.>

  39. Example: Authenticating users with a non-root daemon
      [diagram] as slide 38; php calls setuid(fd) on the received ctl file descriptor and now runs as <UID: doku-alice>

  40. Example: UID Sandboxing
      ● Initially, launch PHP with the anonymous UID
      ● After a Wiki user logs in, change PHP's UID to the Wiki user's UID:
        - login-mgr sends the file descriptor of the ctl file
        - PHP receives the file descriptor of the Wiki user
        - PHP calls setuid() with the received file descriptor
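
As an added example (not code from the UserFS authors or from DokuWiki) of the delegation step on slides 30 and 40: passing an open ctl file descriptor from login-mgr to php over a Unix domain socket with SCM_RIGHTS, in C. UserFS is not assumed to be mounted, so a pipe's write end stands in for /userfs/<uid>/ctl, and IOCTL_SETUID appears only in a comment; the function names are assumptions.

```c
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
/* Control-message buffer aligned for struct cmsghdr, sized for one int (the fd). */
union fd_cmsg { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; };

/* login-mgr side: hand `fd` (the opened ctl file) to the peer with SCM_RIGHTS;
 * the kernel installs a copy of the open file in the receiving process. */
int send_fd(int sock, int fd) {
    char byte = 'c';                            /* one data byte is required */
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union fd_cmsg u = {0};
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}
/* php side: receive the descriptor; it would then call ioctl(fd, IOCTL_SETUID). */
int recv_fd(int sock) {
    char byte;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union fd_cmsg u = {0};
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    if (recvmsg(sock, &msg, 0) != 1) return -1;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    if (!cm || cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS)
        return -1;                              /* no descriptor was attached */
    int fd;
    memcpy(&fd, CMSG_DATA(cm), sizeof(int));
    return fd;
}

/* Stand-in for the exchange: a pipe's write end plays the ctl file, since
 * UserFS is not assumed to be mounted. Returns 0 if the delegated fd works. */
int delegate_demo(void) {
    int sv[2], pfd[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) || pipe(pfd)) return -1;
    if (send_fd(sv[0], pfd[1])) return -1;      /* login-mgr sends its "ctl" fd */
    close(pfd[1]);                              /* the sender's copy is no longer needed */
    int got = recv_fd(sv[1]);                   /* php receives an independent copy */
    char buf[3] = {0};
    if (got < 0 || write(got, "ok", 2) != 2 || read(pfd[0], buf, 2) != 2) return -1;
    close(got); close(sv[0]); close(sv[1]); close(pfd[0]);
    return strcmp(buf, "ok") == 0 ? 0 : -1;
}
```

Closing the sender's copy before the receiver uses its own is the point: once delegated, the privilege lives in the receiving process independently of login-mgr.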

  41. Example: UID Sandboxing
      [diagram] the login-mgr/php exchange of slides 36 to 39: php <UID: anony.> fork/execs login-mgr <UID: doku-admin> with alice's (ID/PASS); login-mgr open()s /var/doku/passwd <doku-admin:r/->, fd=open()s /userfs/501/ctl <doku-admin:r/-> and send(fd)s the ctl file to php, which ends up as <UID: doku-alice>

  42. Example: UID Sandboxing
      [diagram] as slide 41

  43. Example: UID Sandboxing
      [diagram] as slide 41, annotated: the sandboxing code needed in php is ~100 LoC!

  44. Example: Reusing the well-tested ACL of the filesystem
      ● Save each Wiki page as a file owned by the page owner's UID
      ● Align the ACL of the Wiki page with the file permissions
      ● The OS will enforce the security policy

  45. Example: Reusing the well-tested ACL of the filesystem
      [diagram] php <UID: doku-alice>

  46. Example: Reusing the well-tested ACL of the filesystem
      [diagram] php <UID: doku-alice> writes page1 to /doku/pages/page1 <doku-alice:r/w>

  47. Example: Reusing the well-tested ACL of the filesystem
      [diagram] php <UID: doku-alice> writes page1 to /doku/pages/page1 <doku-alice:r/w>, but its write to page2 at /doku/pages/page2 <doku-alice:r/-> is denied by the OS
      Bug on checking ACL? CVE-2010-0288: Insufficient Permission Check. The kernel's permission check still denies the write.
