
Practical Techniques to Obviate Setuid-to-Root Binaries (slide deck, presented by Bhushan Jain)



  1. Practical Techniques to Obviate Setuid-to-Root Binaries. Bhushan Jain, Chia-Che Tsai, Jitin John, Donald Porter. OSCAR Lab (Operating Systems, Security, Concurrency and Architecture Research), Computer Science Department, Stony Brook University.

  2-4. Setuid-root and Privilege Escalation (diagram, built up over slides 2-4). Root runs /bin/mount /dev/sda2 /disk1. The binary parses its arguments and calls sys_mount(args). In the kernel:
           sys_mount() { if (!capable(CAP_SYS_ADMIN)) return -EPERM; do_mount(); }
       Root has all capabilities, so the check passes and the mount succeeds.
  5. An ordinary user runs /bin/mount /dev/cdrom /cdrom. The user has no capabilities, so the same capable(CAP_SYS_ADMIN) check in sys_mount() fails.
  6-7. Hence /bin/mount is setuid to root: it runs as root on behalf of the user, and sys_mount(args) succeeds.
  8-9. The system policy lives in /etc/fstab, e.g. the line "/dev/cdrom /cdrom iso9660 user,ro 0 0". The setuid binary enforces that policy in user space before calling the kernel:
           if (ruid == 0 || user_mount_ok(args)) sys_mount(args);
  10-12. If mount has an exploitable vulnerability, code injected into it runs as root. The slide shows it loading a rootkit module:
           fd = open("rootkit.ko"); finit_module(fd);
         The kernel's sys_finit_module() only checks for a capability:
           sys_finit_module() { if (!capable(CAP_SYS_MODULE)) return -EPERM; do_init_module(); }
         and root has all capabilities, so rootkit.ko is loaded. Any bug in a setuid-root binary therefore runs with root's full capability set, not just the one privilege the binary needed.

  13. How is Setuid-Root Used in Practice? [Bar chart: y axis "Installation Percentage" (0-100), x axis "Setuid-to-Root Binaries" (0-120).] 26 binaries are installed on 89% of systems; 83 binaries are installed on <0.89% of systems.

  14. Can we get rid of setuid-to-root?
      - Surprisingly feasible to obviate setuid-root
      - ~10 underlying privileged abstractions
      - Protego prototype: change 715 LoC in kernel
      - De-privileged 12,732 lines of trusted binary code
      - <2% kernel compile time overhead over Linux 3.6.0
      - Ongoing investigation of long tail

  15. Outline
      - Background
      - Insights and design principles
      - Protego overview and examples
      - Evaluation

  16. Linux Capabilities
      - Linux file POSIX capabilities
      - Not the same as capabilities in the sense of pointers with access control
      - Divide root privilege into 36 different capabilities
      - Enforce least privilege for administrator
      - Too coarse for untrusted user
      - Many privileged actions with just CAP_NET_ADMIN
      Takeaway: Need to think about least privilege for untrusted user

  17. Efforts to Mitigate Setuid-Root Risks
      - Ubuntu/Fedora try to limit use of setuid-root
        - Privilege bracketing, consolidation, fs permissions
        - Not able to completely eliminate setuid-root
        - Some binaries have point alternatives
      - SELinux enforces relatively fine-grained security
        - Still too liberal for least privilege of user
        - SELinux introduces substantial complexity

  18. What can we do about setuid-root risk?

  19. How do we approach this problem? [Same bar chart as slide 13: "Installation Percentage" vs. "Setuid-to-Root Binaries".]
      - Studied 28 in detail
      - Order by popularity
      - Study policies in binaries
      - Why is root needed?
      - Simpler alternative in kernel?
      - Goal: Non-admin never raises privilege

  20. Setuid-Root: Unix Security Duct Tape
      - Kernel policy mismatch with system policy
        - Kernel: only root can mount anywhere
        - System: any user can mount at safe locations
      - Point solutions used as duct tape
        - Setuid binary mount bridges the gap
      Takeaway: Generally setuid patches kernel and system policies

  21. Interface Designs can Thwart Least Privilege
      - Interface design choice may need more privilege
        - dmcrypt-get-device uses a privileged ioctl
        - Reports physical device under encrypted device
        - Also discloses the private key
        - Can get same info from /sys without privilege
        - Maintainers agreed to use /sys interface
      Takeaway: Sometimes setuid indicates programmer error

  22. Protego Design
      - No need for trusted apps to enforce system policy
        - Inform kernel about system policy
        - Enforce system policy using Linux Security Module
        - Policies orthogonal to AppArmor, SELinux, etc.
      - Object-based policies for unprivileged users
      - Adjust the interfaces that need more privilege
        - Maintain backwards compatibility for user

  23. System Abstractions for Setuid Binaries

      Privileged interface                    Used by   What do we do?
      mount, umount                           3         Whitelist safe locations and options
      socket (ping)                           5         Apply firewall rules on raw sockets
      Credential databases (passwd)           5         Fragment to per-user or per-group files, matching DAC granularity
      ioctl (pppd)                            2         Add LSM hooks to verify new routes
      bind (mail)                             3         Map low port to (binary, userid) pair
      setuid, setgid (sudo)                   7         Delegation Framework: LSM hooks to check delegation rules & recency
      Video driver control state (X)          1         Kernel Mode Switching: context switches video devices in the kernel
      /dev/pts* terminal slaves (pt_chown)    1         Deprecated since kernel 2.1
      Host private ssh key (ssh-keysign)      1         Restrict file access to specific binaries

      Takeaway: A few abstractions, many binaries

  24-33. Example 1: Protego mount (diagram, built up over slides 24-33). The system policy stays in /etc/fstab, e.g. the line "/dev/cdrom /cdrom iso9660 user,ro 0 0". A privileged daemon, running as root, parses /etc/fstab and publishes the policy to the kernel through /proc/mnt_policy. An unprivileged user then runs mount /dev/cdrom /cdrom; mount is no longer setuid and simply calls sys_mount(args). The Protego LSM enforces the policy inside the kernel:
             sys_mount() { if (!security_mount_ok(args)) return -EPERM; do_mount(args); }
         This technique works for 3/28 setuid-root binaries.
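The following C model is an added illustration, not Protego's source: it contrasts the user-space check of slides 9-12 (where mount itself, running as root, decides whether the request is allowed) with the split on slides 27-32, where a privileged daemon parses /etc/fstab into a kernel-visible policy and an LSM hook makes the decision for an unprivileged caller. The function names policy_add_fstab_line, has_opt and opts_subset, and the policy array standing in for /proc/mnt_policy, are assumptions of this example; CAP_SYS_ADMIN = 21 is the real Linux bit number.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define CAP_SYS_ADMIN 21   /* real Linux capability bit number */
/* One /etc/fstab entry; the array stands in for the kernel-side /proc/mnt_policy. */
struct mnt_rule { char dev[32], dir[32], fstype[16], opts[64]; };
static struct mnt_rule policy[8];
static int nrules;

/* True if the n-byte option opt is a whole comma-separated token of opts. */
static bool has_opt(const char *opts, const char *opt, size_t n)
{
    char a[72], b[72];   /* wrap both in commas so "user" cannot match "users" */
    snprintf(a, sizeof a, ",%s,", opts);
    snprintf(b, sizeof b, ",%.*s,", (int)n, opt);
    return strstr(a, b) != NULL;
}

/* True if every option in req is also listed in allowed (empty req is fine). */
static bool opts_subset(const char *req, const char *allowed)
{
    for (size_t n = 0; *req; req += n + (req[n] == ',')) {
        n = strcspn(req, ",");
        if (n && !has_opt(allowed, req, n)) return false;
    }
    return true;
}

/* Privileged daemon side (slide 27): parse one fstab line into the policy. */
bool policy_add_fstab_line(const char *line)
{
    struct mnt_rule *r = &policy[nrules];
    if (nrules == 8 || sscanf(line, "%31s %31s %15s %63s",
                              r->dev, r->dir, r->fstype, r->opts) != 4)
        return false;
    nrules++;
    return true;
}

/* LSM side, in the role of security_mount_ok(): CAP_SYS_ADMIN keeps root's old path;
 * others need an exact match on a "user" rule and may not widen its options. */
bool security_mount_ok(unsigned long long caps, const char *dev, const char *dir,
                       const char *fstype, const char *opts)
{
    if (caps & (1ULL << CAP_SYS_ADMIN)) return true;
    for (const struct mnt_rule *r = policy; r < policy + nrules; r++)
        if (has_opt(r->opts, "user", 4) && !strcmp(r->dev, dev) &&
            !strcmp(r->dir, dir) && !strcmp(r->fstype, fstype))
            return opts_subset(opts, r->opts);
    return false;
}
```

Because the decision now lives in the kernel, a bug in the (no longer setuid) mount binary runs with only the user's own privileges, which is the point of the slide.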
