Practical Techniques to Obviate Setuid-to-Root Binaries Bhushan Jain - - PowerPoint PPT Presentation



SLIDE 1

Operating Systems, Security, Concurrency and Architecture Research

Practical Techniques to Obviate Setuid-to-Root Binaries

Bhushan Jain, Chia-Che Tsai, Jitin John, Donald Porter

OSCAR Lab, Computer Science Department, Stony Brook University

SLIDE 2-12

Setuid-root and Privilege Escalation

(Diagram built up over slides 2-12: user space above, Kernel below.)

Root runs:

    /bin/mount /dev/sda2 /disk1

mount parses its arguments and enters the kernel:

    /* Parse arguments */
    sys_mount(args);

Kernel:

    sys_mount() {
        if (!capable(CAP_SYS_ADMIN))
            return -EPERM;
        do_mount();
    }

root has all capabilities

User runs:

    /bin/mount /dev/cdrom /cdrom

user has no capabilities

Setuid to Root: /bin/mount is setuid-root, so it runs with root's capabilities and the same capable() check in sys_mount() passes.

/etc/fstab:

    /dev/cdrom /cdrom iso9660 user,ro 0 0

mount enforces the fstab policy itself, in user space, before calling the kernel:

    /* Parse arguments */
    if (ruid == 0 || user_mount_ok(args))
        sys_mount(args);

A vulnerability in the setuid-root mount binary is exploited to load rootkit.ko:

    /* Exploit Vulnerability */
    fd = open("rootkit.ko");
    finit_module(fd);

Kernel:

    sys_finit_module() {
        if (!capable(CAP_SYS_MODULE))
            return -EPERM;
        do_init_module();
    }

Kernel: rootkit.ko loaded

root has all capabilities

SLIDE 13

How is Setuid-Root Used in Practice?

[Chart: Setuid-to-Root Binaries (x-axis) against Installation Percentage (y-axis); labels 89% and 26]

26 Binaries on 89% systems
83 Binaries on <0.89% systems

SLIDE 14

Can we get rid of setuid-to-root?

  • Surprisingly feasible to obviate setuid-root
  • 10 underlying privileged abstractions
  • Protego prototype changes 715 LoC in kernel
  • De-privileged 12,732 lines of trusted binary code
  • < 2% kernel compile time overhead over Linux 3.6.0
  • Ongoing investigation of long tail

SLIDE 15

Outline

  • Background
  • Insights and design principles
  • Protego overview and examples
  • Evaluation

SLIDE 16

Linux Capabilities

  • Linux file POSIX capabilities
    • Not the same as object capabilities (pointers with access control)
  • Divide root privilege into 36 different capabilities
    • Enforce least privilege for administrator
  • Too coarse for untrusted user
    • Many privileged actions with just CAP_NET_ADMIN

Need to think about least privilege for untrusted user

SLIDE 17

Efforts to Mitigate Setuid-Root Risks

  • Ubuntu/Fedora try to limit use of setuid-root
    • Privilege bracketing, consolidation, fs permissions
    • Not able to completely eliminate setuid-root
    • Some binaries have point alternatives
  • SELinux enforces relatively fine-grained security
    • Still too liberal for least privilege of user
    • SELinux introduces substantial complexity

SLIDE 18

What can we do about setuid-root risk?

SLIDE 19

How do we approach this problem?

[Chart: Setuid-to-Root Binaries (x-axis) against Installation Percentage (y-axis)]

  • Studied 28 in detail
    • Order by popularity
  • Study policies in binaries
    • Why is root needed?
    • Simpler alternative in kernel?
  • Goal: Non-admin never raises privilege

SLIDE 20

Setuid-Root: Unix Security Duct Tape

  • Kernel policy mismatch with system policy
    • Kernel: only root can mount anywhere
    • System: any user can mount at safe locations
  • Point solutions used as duct tape
    • Setuid binary mount bridges the gap

Generally, setuid patches over the gap between kernel and system policies

SLIDE 21

Interface Designs can Thwart Least Privilege

  • Interface design choice may need more privilege
  • dmcrypt-get-device uses a privileged ioctl
    • Reports physical device under encrypted device
    • Also discloses the private key
  • Can get same info from /sys without privilege
  • Maintainers agreed to use /sys interface

Sometimes setuid indicates programmer error

SLIDE 22

Protego Design

  • No need for trusted apps to enforce system policy
    • Inform kernel about system policy
    • Enforce system policy using Linux Security Module
    • Policies orthogonal to AppArmor, SELinux, etc.
  • Object-based policies for unprivileged users
  • Adjust the interfaces that need more privilege
  • Maintain backwards compatibility for user
SLIDE 23

System Abstractions for Setuid Binaries

Privileged Interface                 | Used by | What do we do?
mount, umount                        | 3       | Whitelist safe locations and options
socket (ping)                        | 5       | Apply firewall rules on raw sockets
Credential databases (passwd)        | 5       | Fragment to per-user or per-group files, matching DAC granularity
ioctl (pppd)                         | 2       | Add LSM hooks to verify new routes
bind (mail)                          | 3       | Map low port to (binary, userid) pair
setuid, setgid (sudo)                | 7       | Delegation Framework: LSM hooks to check delegation rules & recency
Video driver control state (X)       | 1       | Kernel Mode Switching: context switches video devices in the kernel
/dev/pts* terminal slaves (pt_chown) | 1       | Deprecated since kernel 2.1
Host private ssh key (ssh-keysign)   | 1       | Restrict file access to specific binaries

A few abstractions, many binaries

SLIDE 24-33

Example 1: Protego mount

(Diagram built up over slides 24-33.)

Root:

/etc/fstab:

    /dev/cdrom /cdrom iso9660 user,ro 0 0

Privileged Daemon:

    /* Parse /etc/fstab */

The daemon publishes the parsed policy to the Protego LSM through /proc/mnt_policy.

Unprivileged user:

    mount /dev/cdrom /cdrom

    sys_mount(args);

Kernel:

    sys_mount() {
        if (!security_mount_ok(args))
            return -EPERM;
        do_mount(args);
    }

Protego LSM: security_mount_ok() checks the sys_mount arguments against /proc/mnt_policy.

This technique works for 3/28 setuid-root binaries
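The policy split shown on these slides, modelled in C: the fstab-driven check that setuid mount performs in user space (user_mount_ok on slides 2-12) becomes a whitelist a privileged daemon loads, and the kernel-side security_mount_ok of this example answers per object (device, mount point, fs type, options). This is an added example, not Protego's code; the struct, the function bodies and the sample fstab are assumptions.

```c
/* Added example, not Protego's own code: a user-space model of the object-based
 * mount policy Protego moves into the kernel. The privileged daemon turns the
 * /etc/fstab lines carrying "user" into a whitelist (/proc/mnt_policy in Protego);
 * the LSM hook then decides per (device, mount point, type, options). Names assumed. */
#include <stdio.h>
#include <string.h>
struct mnt_rule { char dev[64], dir[64], type[16]; int ro; };
static struct mnt_rule rules[8];
static int nrules;
/* Constructed /etc/fstab: only lines with the "user" option become rules. */
static const char *sample_fstab =
    "/dev/sda2  /        ext4    defaults 0 1\n"
    "/dev/cdrom /cdrom   iso9660 user,ro  0 0\n"
    "/dev/sdb1  /media/u vfat    user     0 0\n";
/* Daemon side: parse fstab text; returns number of rules loaded, or -1. */
int load_mnt_policy(const char *text)
{
    char line[160], opts[64];
    nrules = 0;
    for (const char *p = text; *p && nrules < 8;) {
        const char *nl = strchr(p, '\n');
        size_t n = nl ? (size_t)(nl - p) : strlen(p);
        if (n >= sizeof line)
            return -1;                          /* refuse oversized lines */
        memcpy(line, p, n); line[n] = '\0';
        p += n + (nl ? 1 : 0);
        struct mnt_rule r = {{0}};
        if (sscanf(line, "%63s %63s %15s %63s", r.dev, r.dir, r.type, opts) != 4)
            continue;                           /* blank or malformed line */
        int user = 0;
        for (char *o = strtok(opts, ","); o; o = strtok(NULL, ",")) {
            user |= !strcmp(o, "user");
            r.ro |= !strcmp(o, "ro");
        }
        if (user)
            rules[nrules++] = r;
    }
    return nrules;
}
/* LSM side (security_mount_ok): 1 = allow, 0 = deny with -EPERM. Device, mount
 * point and fs type must match a rule; a "ro" rule never permits a rw mount. */
int security_mount_ok(const char *dev, const char *dir, const char *type, int want_rw)
{
    for (int i = 0; i < nrules; i++)
        if (!strcmp(rules[i].dev, dev) && !strcmp(rules[i].dir, dir) &&
            !strcmp(rules[i].type, type) && !(want_rw && rules[i].ro))
            return 1;
    return 0;
}
```

Call load_mnt_policy(sample_fstab) once (the daemon's job) and then security_mount_ok() per mount request; a request for a device, mount point or fs type that is not whitelisted, or for rw on a ro entry, is denied without any setuid binary being involved.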

SLIDE 34

Underlying Problem with Setuid-bit

  • Setuid bit is a user/subject-based mechanism
    • “Does the user have privilege to take this action?”
    • E.g., Who can mount a device?
  • Object-based security policies are a better fit
    • “Can any user take an action on this object?”
    • E.g., Which device can be safely mounted and where?

SLIDE 35

Example 2: Linux ping

  • Raw socket: for protocols not implemented in the kernel
  • TCP/UDP packets can be faked by raw sockets
    • Appear to come from a socket owned by another process
  • Kernel: CAP_NET_RAW needed to create a raw socket
  • System: allow sending safe packets on a raw socket
  • ping uses raw sockets for ICMP packets

SLIDE 36

Example 2: Protego ping

  • Allow raw socket creation for all users
  • Whitelist the set of all safe packets on raw sockets
    • Use packet filtering framework (netfilter/BPF)
    • Limit raw socket protocol and message types
    • For ping, allow ICMP echo request and reply

This technique works for 5/28 setuid-root binaries
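The raw-socket whitelist described on this slide, as an added example rather than Protego's code: a C filter that admits only ICMP echo request and reply on an unprivileged raw socket, run over constructed packets. Attaching it at the netfilter/BPF hook is assumed, not shown.

```c
/* Added example, not Protego's own code: the whitelist that Protego's raw-socket
 * filtering (netfilter/BPF) enforces so ping needs no setuid bit. It inspects the
 * IPv4 datagram leaving an unprivileged raw socket and passes only ICMP echo
 * request/reply; raw TCP/UDP and other ICMP types are dropped. Hook wiring is
 * assumed and not shown; the packets below are constructed samples. */
#include <stddef.h>
#include <stdint.h>

enum { PROTO_ICMP = 1, ICMP_ECHOREPLY = 0, ICMP_ECHO = 8 };

/* Returns 1 if the datagram may leave the raw socket, 0 if it must be dropped. */
int raw_packet_ok(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return 0;                                   /* IPv4 header required */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 8)
        return 0;                                   /* bad IHL or truncated */
    if (pkt[9] != PROTO_ICMP)
        return 0;                                   /* no forged TCP/UDP */
    uint8_t type = pkt[ihl];
    return type == ICMP_ECHO || type == ICMP_ECHOREPLY;  /* no redirects etc. */
}

/* Constructed samples: 20-byte IPv4 header (TTL 64, 10.0.0.1 <-> 10.0.0.2) then
 * an 8-byte transport header; checksums are left zero for brevity. */
static const uint8_t echo_request[28] = {
    0x45, 0, 0, 28, 0, 0, 0, 0, 64, PROTO_ICMP, 0, 0, 10, 0, 0, 1, 10, 0, 0, 2,
    ICMP_ECHO, 0, 0, 0, 0, 1, 0, 1 };
static const uint8_t echo_reply[28] = {
    0x45, 0, 0, 28, 0, 0, 0, 0, 64, PROTO_ICMP, 0, 0, 10, 0, 0, 2, 10, 0, 0, 1,
    ICMP_ECHOREPLY, 0, 0, 0, 0, 1, 0, 1 };
static const uint8_t icmp_redirect[28] = {        /* ICMP type 5: not on the list */
    0x45, 0, 0, 28, 0, 0, 0, 0, 64, PROTO_ICMP, 0, 0, 10, 0, 0, 1, 10, 0, 0, 2,
    5, 1, 0, 0, 10, 0, 0, 9 };
static const uint8_t forged_tcp_syn[40] = {       /* protocol 6: never allowed */
    0x45, 0, 0, 40, 0, 0, 0, 0, 64, 6, 0, 0, 10, 0, 0, 1, 10, 0, 0, 2,
    0x04, 0xd2, 0x00, 0x50, 0, 0, 0, 0, 0, 0, 0, 0, 0x50, 0x02, 0xff, 0xff, 0, 0, 0, 0 };

int main(void)
{
    return (raw_packet_ok(echo_request, sizeof echo_request) &&
            !raw_packet_ok(forged_tcp_syn, sizeof forged_tcp_syn)) ? 0 : 1;
}
```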

SLIDE 37

Example 3: Linux passwd

  • Central credential databases
    • /etc/passwd, /etc/group, /etc/shadow
    • All owned and modified by root
  • Current: only root can modify credentials
  • System: every user should be able to modify their own credential
  • Setuid-root passwd enforces this policy

SLIDE 38

Example 3: Protego passwd

  • Access control at record granularity
    • Not entire database
  • Split shared database into per-account files
    • /etc/passwd → per-user file under /etc/passwds
    • drwxr-xr-x root  root  /etc/passwds
    • -rw------- bjain group /etc/passwds/bjain
  • Backwards compatibility: update /etc/passwd
    • Trusted daemon monitors /etc/passwds/* files

This technique works for 5/28 setuid-root binaries
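A check the trusted daemon on this slide needs when it copies /etc/passwds/bjain back into /etc/passwd, as an added example (not Protego's code): per-user DAC stops bjain editing other accounts' files, but not writing uid 0 into his own record, so the daemon must accept only the fields a user may change. The record layout is /etc/passwd's; the rule set, function names and sample records are assumptions.

```c
/* Added example, not Protego's own code: the validation a trusted daemon needs
 * when it copies /etc/passwds/<user> back into /etc/passwd. Per-user DAC stops
 * bjain touching other accounts' files, not writing "bjain:x:0:0:..." into his
 * own, so the daemon accepts only fields a user may change in their own record
 * (GECOS and shell, as chfn/chsh allow). Rule set and sample records are assumed. */
#include <stddef.h>
#include <string.h>

struct pw_rec { char name[32], pw[64], uid[16], gid[16], gecos[128], home[128], shell[64]; };

/* Split "name:pw:uid:gid:gecos:home:shell"; 0 on success, -1 if malformed. */
int parse_pw(const char *line, struct pw_rec *r)
{
    char *f[7] = { r->name, r->pw, r->uid, r->gid, r->gecos, r->home, r->shell };
    size_t cap[7] = { 32, 64, 16, 16, 128, 128, 64 };
    for (int i = 0; i < 7; i++) {
        const char *e = strchr(line, ':');
        size_t n = e ? (size_t)(e - line) : strlen(line);
        if ((i < 6) != (e != NULL) || n >= cap[i])
            return -1;                  /* exactly 7 fields, none overlong */
        memcpy(f[i], line, n);
        f[i][n] = '\0';
        line += n + (e != NULL);
    }
    return 0;
}

/* 1 = merge the user-edited record into /etc/passwd, 0 = reject it.
 * file_owner is the DAC owner of /etc/passwds/<name>; old is the current
 * /etc/passwd record for that account; edited is the file's new content. */
int user_record_ok(const char *file_owner, const char *old, const char *edited)
{
    struct pw_rec a, b;
    if (parse_pw(old, &a) || parse_pw(edited, &b))
        return 0;
    if (strcmp(a.name, file_owner))
        return 0;                       /* record must belong to the file owner */
    /* Immutable for a non-root editor: name, password field, uid, gid, home. */
    return !strcmp(a.name, b.name) && !strcmp(a.pw, b.pw) && !strcmp(a.uid, b.uid) &&
           !strcmp(a.gid, b.gid) && !strcmp(a.home, b.home) &&
           strchr(b.gecos, '\n') == NULL && b.shell[0] == '/';
}
```

The password field stays "x" because the hash lives in /etc/shadow, which would get the same per-account treatment with its own immutable-field rules.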

SLIDE 39

Evaluation

  • How is overall system security affected?
  • Is Protego functionally identical to Linux?
  • What is the cost for unprivileged applications?
  • Test machine: Linux 3.6, 4-core 3.40 GHz Intel Core i7 CPU, 4GB memory and a 250GB, 7200 RPM SATA disk
  • How to deprivilege the remaining 91 binaries?

SLIDE 40-44

Protego’s Addition to TCB

(Built up over slides 40-44.)

Changed LoC in Protego = 2,598

  • Untrusted Utilities = 108
  • Trusted Services = 1,600
  • Kernel = 715
    • LSM = 200
    • Other = 515

Total Addition to TCB = 2,315

Changes are small enough to be easily audited

SLIDE 45

Overall Security of Protego

De-privileged LoC by Protego = 15,047
Total Addition to TCB by Protego = 2,315
Net LoC de-privileged = 12,732

Protego reduces TCB by more than 12K LoC

SLIDE 46

Functional Equivalence

  • Manual tests for Linux functional equivalence
  • Automate command-line utilities using gcov

[Chart: Gcov results, % LOC Coverage (0-100)]

SLIDE 47-50

Micro-Benchmarks

[Chart: Micro-benchmark overheads, % Execution Time Overhead (0-10) of Protego over Linux 3.6.0]

~0% overhead on basic Linux operations
< 7.4% overhead in worst case
< 2.5% overhead in changed system calls

SLIDE 51-53

Macro-Benchmark Applications

[Chart: Macro-benchmark overheads, % Execution Time Overhead (0-10) over Linux 3.6.0, for Postal Mail server (Min/msg), Kernel Compile, and ApacheBench 100 conc. req]

~0% overhead for bind privilege
2-4% overhead for unprivileged applications

SLIDE 54-57

Toward Zero Setuid-To-Root Binaries

[Chart: Setuid-to-Root Binaries (x-axis) against Installation Percentage (y-axis)]

91 Binaries on < 10% systems
77 Binaries use Protego Interfaces

  • 6 use namespaces that are not privileged since 3.8
  • 3 reboot system, load kernel modules, or configure network
    • May use delegation framework in Protego
  • 5 VirtualBox binaries access custom kernel module
    • Requires additional work to identify a sensible policy

SLIDE 58

Caveats

  • New kernel abstractions may need setuid-to-root
    • Until we precisely understand safe function subsets
    • Kernel namespaces needed root from 2.6.23 to 3.8
    • Incrementally deployed
  • Software with companion kernel modules
    • Setuid-root as security blanket

SLIDE 59

Conclusions

  • Setuid: duct tape between kernel & system policy
  • Instead, enforce system policies in the kernel
  • Protego shows feasibility of eliminating suid-root
    • Same functionality, low overhead, compatible w/ LSM
  • New applications should justify need for setuid

bpjain@cs.stonybrook.edu
http://protego.cs.stonybrook.edu