PoLPer: Process-Aware Restriction of Over-Privileged Setuid Calls in Legacy Applications Yuseok Jeon Junghwan Rhee Chung Hwan Kim Zhichun Li Mathias Payer Byoungyoung Lee Zhenyu Wu
Outline ● Motivation ● Background ● PoLPer ● Evaluation ● Conclusion 2
Motivation ● Setuid calls – Manage privileges – Key function for the principle of least privilege (PoLP) – Active target of attack Privilege App Kernel setuid setuid r = setuid(0) Shell code, ROP attack, Non-control data attack 3
Motivation ● Previous solutions still have limitation Approaches Limitations CFI Data modification attack detection DFI High overhead System call Over approximated rule context check (only handle call and data contexts) Setuid semantic Control flow hijacking and data Inconsistency modification attack detection check CFI: control flow integrity DFI: data flow integrity 4
Outline ● Motivation ● Background ● PoLPer ● Evaluation ● Conclusion 5
Principle of Least Privilege (PoLP) ● Require minimal privileges – Minimized attack surface – Limited malware propagation – Better stability ● Login programs and daemon launchers – Switch their IDs from root to the user ID – Setuid calls are used for this change of IDs 6
Setuid Family System Calls Use three user IDs as parameters – Real user ID (real uid, or ruid) – Effective user ID (effective uid, or euid) – Saved user ID (saved uid, or suid) User ID setuid() seteuid() setreuid() setresuid() (4 types) Group ID setgid() setegid() setregid() setresgid() (4 types) 7
Outline ● Motivation ● Background ● PoLPer ● Evaluation ● Conclusion 8
PoLPer ● Focus on process contexts of a setuid call – Extracts accurate context information – Enforces precise least privileges ● We propose PoLPer – Identifies important process contexts – Implements automated context extractor – Implements run-time enforcer 9
PoLPer Overview Context Analyzer Static Static Process hierarchy Analysis Analysis Process Process Contexts Contexts Call Setuid(0) Dynamic Dynamic Stack App Analysis Analysis Binary App Context Enforcer Context Success Process hierarchy Allowed Enforcer Process Process Denied setuid setuid Call Setuid(0) Contexts Contexts Stack Failure Logged Binary App Kernel 10
Process Hierarchy Context ● Leverage different units of execution to decompose functionalities. P1 P1 Depth 0 (Root) P1 P1 P1 Depth 1 Program P1 P1 P1 P1 P1 Depth 2 11
Process Hierarchy Context SUDO SSHD s t a t i c c h a r * s u d o _ a s k p a s s ( ) { p i d _ t s u b p r o c e s s ( ) { s t a t i c c h a r b u f [ S U D O _ M A X ] ; F I L E * f ; . . . . . . s w i t c h ( ( p i d = f o r k ( ) ) ) { i f ( ( p i d = f o r k ( ) ) = = - 1 ) … i f ( p i d = = 0 ) { c a s e 0 : . . . . . . I f ( ) i f ( s e t r e s g i d ( p w - > p w _ g i d , … ) ) s e t g i d ( u _ d e t a i l s . g i d ) { . . . } { . . . } i f ( s e t r e s u i d ( p w - > p w _ u i d , … ) ) i fj ( s e t u i d ( u _ d e t a i l s . u i d ) ) { . . . } { . . . } . . . . . . e x e c v e ( a v [ 0 ] , . . . ) ; e x e c l ( a s k p a s s , . . . ) ; _ e x i t ( 1 2 7 ) ; . . . . . . } d e f a u l t : . . . b r e a k ; ( v o i d ) s i g a c t i o n ( S I G P I P E , & s a , . . . ) ; } ● Only child process can access setuid calls 12
Process Data Context ● Need to handle various parameter setting patterns Functjon Main i n t K = 1 0 0 0 ; i n t K = 1 0 0 0 ; i n t K = 1 0 0 0 ; A ( K ) ; i f ( c o n d ) Function A(K) K = 1 0 0 ; s e t u i d ( 1 0 0 ) ; K = 2 0 0 ; e l s e s e t u i d ( K ) ; B ( K ) ; K = 2 0 0 ; Function B(K) s e t u i d ( K ) ; s e t u i d ( K ) ; Case (1) (2) (3) (4) Type Constant Variable Variable Variable Value 100 1000 100, 200 200 ● Use backward data-flow analysis ● Record together with the process hierarchy context 13
Process Call Context ● Identify code location to identify setuid call ● Dynamic analysis for high accuracy call context ● Record together with the process hierarchy context 14
Run-time Enforcement ● Use Kprobes, a kernel-based probing mechanism – Hooks on the entry points of setuid calls – Extracts process hierarchy, data, and call contexts – Compares with the profile that was previously extracted Run-time Enforcer Extract Compare Call 010100010100 Call Hook Context Allowed 100101011110 Context Extraction Extraction Data Data Checker Checker 101011011010 setuid of Process setuid of Process Context Context Process Process 0101011 Context Denied Context Checker Checker Hierarchy Hierarchy Context Context Binary App Kernel 15
Outline ● Motivation ● Background ● PoLPer ● Evaluation ● Conclusion 16
More Accurate Rule Generation Process Process hierarchy hierarchy Programs Rule cut (%) context context disabled enabled Ping 1 1 0 Sudo 352 196 44 Xterm 576 296 49 Cron 2 2 0 Telnet 4 4 0 Telnet-Login 6 3 50 Login 4 2 50 SSH & SCP 182 88 52 WireShark 2 2 0 Apache 2 2 0 Nginx 2 2 0 17
Micro-benchmark 90 Data context count 1 80 Data context count 2 Verification time (µs) 70 Data context count 5 60 Data context count 10 50 40 30 20 10 0 1 4 16 64 128 192 256 512 1024 Call context number 18
End-to-end Benchmarks ● Show near zero overhead Setuid Overhead Programs Base (s) PoLPer (s) call (%) (#) Ping 9.0019 9.0039 1 0.02 Nginx 11.522 11.539 0 0.14 Apache 18.250 18.286 0 0.1 Telnet 1.001 1.004 6 0.29 SCP 0.1656 0.1665 28 0.54 19
Real-world Exploits Detected Setuid Exploit Exploit Vul. Program Syscall Pattern Name (EDB) PoLPer CFI NCI Exploited Sudo (N/A) setuid √ X √ Modify Setuid Parameters Wu_ftpd (N/A) seteuid √ X √ setresuid, 37292-2015 √ √ X setresgid Overlayfs 39230-2016 setresuid √ √ X Glibc 209-2000 setuid, setgid √ √ X Mkdir 20554-2001 setuid, setgid √ √ X Run setuid call to creat a root KApplication 19981-2000 setuid, setregid √ √ X shell Suid_dumpable 2006-2006 setuid, setgid √ √ X Execve/ptrace 20720-2001 setuid √ √ X Splitvt 20013-2000 setuid √ √ X OpernMovieeditor 2338-2006 setuid,setgid √ √ X CFI: control flow integrity NCI: non-control data integrity 20
Case Study: Sudo Depth 1 s t r u c t u s e r { Priv. Op. setuid u i d _ t u i d ; (Profile) uid = getuid() Parameter . . . (exploit) 0 } ; # Offset File Function 0x32 + s t r u c t u s e r u d ; 21 0xb75f7b4 ../libc.so.6 - 4 u d . u i d = g e t u i d ( ) ; Call Stack 20 0x8053080 ../bin/sudo sudo_askpass / / i n s u d o _ d e b u g ( ) ... v f p r i n t f ( . . . ) ; 1 0x8049dd1 ../bin/sudo - / / i n s u d o _ a s k p a s s ( ) s e t u i d ( u d . u i d ) ; Sudo code example 21
Outline ● Motivation ● Background ● PoLPer ● Evaluation ● Conclusion 22
Conclusion ● Extracts only the required contexts of setuid calls ● Prevents setuid exploits with negligible overhead ● Enforces PoLP using a combination of different process contexts 23
THANK YOU! Q&A 24
Recommend
More recommend
