Wedge: Splitting Applications into Reduced-Privilege Compartments - - PowerPoint PPT Presentation

wedge splitting applications into reduced privilege
SMART_READER_LITE
LIVE PREVIEW

Wedge: Splitting Applications into Reduced-Privilege Compartments - - PowerPoint PPT Presentation

May 06, 2023 235 likes •845 views

Wedge: Splitting Applications into Reduced-Privilege Compartments Andrea Bittau Petr Marchenko Mark Handley Brad Karp University College London April 17, 2008 Vulnerabilities threaten sensitive data Exploits allow running arbitrary code

slide-1
SLIDE 1

Wedge: Splitting Applications into Reduced-Privilege Compartments

Andrea Bittau Petr Marchenko Mark Handley Brad Karp University College London April 17, 2008

slide-2
SLIDE 2

Vulnerabilities threaten sensitive data

◮ Exploits allow running arbitrary code on servers. ◮ An exploited web server can be used to leak sensitive

information such as credit card numbers.

Have we managed to mitigate or prevent vulnerabilities?

200 400 600 800 1000 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 Vulnerabilities per year Time (years)

Source: osvdb.org

slide-3
SLIDE 3

Process-based privileges are too coarse-grained

Need to keep SSL web server’s RSA private key secret.

master worker

(create) (process)

network /etc/rsa key

(read) (file)

slide-4
SLIDE 4

Process-based privileges are too coarse-grained

Need to keep SSL web server’s RSA private key secret. Apache worker running as root:

◮ Can read any file. ◮ Can invoke any system call.

master worker

(create) (process)

network /etc/rsa key

(read) (file)

slide-5
SLIDE 5

Process-based privileges are too coarse-grained

Need to keep SSL web server’s RSA private key secret. Apache worker running as root:

◮ Can read any file. Fix: run as nobody. ◮ Can invoke any system call. Fix: use systrace, SELinux, . . .

master worker

(create) (process)

network /etc/rsa key

(read) (file)

master worker

(create) (process)

network /etc/rsa key

(read) (file)

slide-6
SLIDE 6

Process-based privileges are too coarse-grained

Need to keep SSL web server’s RSA private key secret. Apache worker running as root:

◮ Can read any file. Fix: run as nobody. ◮ Can invoke any system call. Fix: use systrace, SELinux, . . .

Are we done protecting the private key?

master worker

(create) (process)

network /etc/rsa key

(read) (file)

master worker

(create) (process)

network /etc/rsa key

(read) (file)

slide-7
SLIDE 7

Process-based privileges are too coarse-grained

Need to keep SSL web server’s RSA private key secret. Apache worker running as root:

◮ Can read any file. Fix: run as nobody. ◮ Can invoke any system call. Fix: use systrace, SELinux, . . .

Are we done protecting the private key?

master worker

(create) (process)

network /etc/rsa key

(read) (file)

slide-8
SLIDE 8

Problem: processes grant all code access to all memory

Need to keep SSL web server’s RSA private key secret.

HTTP parser SSL engine private key

(worker process) (memory) (code)

network

slide-9
SLIDE 9

Problem: processes grant all code access to all memory

Need to keep SSL web server’s RSA private key secret.

HTTP parser SSL engine private key

(worker process) (memory) (code)

network

(read)

slide-10
SLIDE 10

Problem: processes grant all code access to all memory

Need to keep SSL web server’s RSA private key secret.

HTTP parser SSL engine private key

(worker process) (memory) (code)

network

(read)

slide-11
SLIDE 11

Problem: processes grant all code access to all memory

Need to keep SSL web server’s RSA private key secret. This talk: how to limit access of code to memory at fine granularity.

HTTP parser SSL engine private key

(worker process) (memory) (code)

network

(read)

slide-12
SLIDE 12

Old idea: principle of least privilege

Principle of least privilege:

◮ Partition code into compartments. ◮ Assign each compartment the minimal privileges it needs for

its operation.

◮ Restrict interface and interactions between compartments.

How to implement compartments?

◮ Processes?

slide-13
SLIDE 13

Why are traditional processes not sufficient?

Creating compartments with UNIX, e.g., fork:

◮ Default grant. Child inherits memory map and file descriptors.

Operation of fork

parent private key /etc/passwd

slide-14
SLIDE 14

Why are traditional processes not sufficient?

Creating compartments with UNIX, e.g., fork:

◮ Default grant. Child inherits memory map and file descriptors.

Operation of fork

parent private key /etc/passwd fork child

slide-15
SLIDE 15

Why are traditional processes not sufficient?

Creating compartments with UNIX, e.g., fork:

◮ Default grant. Child inherits memory map and file descriptors.

Operation of fork

parent private key /etc/passwd fork child

Default-deny: inherit nothing from parent. Closer to least-privilege.

slide-16
SLIDE 16

But default-deny is difficult to use for legacy code

How many permissions do we need to explicitly grant?

HTTP parser SSL engine private key

(worker process) (memory) (code)

network

slide-17
SLIDE 17

But default-deny is difficult to use for legacy code

How many permissions do we need to explicitly grant?

Worker

Worker

Apache’s client handler uses over 600 memory objects.

slide-18
SLIDE 18

Contributions

◮ New system calls for default-deny.

◮ Creating compartments. ◮ Specifying privileges.

◮ Tools to make default-deny usable when partitioning

legacy code.

◮ Identifying the privileges for compartments.

slide-19
SLIDE 19

Outline

  • 1. Wedge.

◮ New system calls for default-deny. ◮ Crowbar: tool for partitioning legacy code.

  • 2. Wedge applied to Apache+OpenSSL.
slide-20
SLIDE 20

sthreads: default-deny compartments

parent private key /etc/passwd

◮ Like processes, but default-deny. ◮ Like threads: can easily share pointers and file descriptors. ◮ Programmer must explicitly grant all permissions.

slide-21
SLIDE 21

sthreads: default-deny compartments

parent private key /etc/passwd sthread create child

(sthread) ◮ Like processes, but default-deny. ◮ Like threads: can easily share pointers and file descriptors. ◮ Programmer must explicitly grant all permissions.

slide-22
SLIDE 22

Virtual memory {

char *key, *buffer; char *config; key = malloc(16); buffer = malloc(80); … config = malloc(128);

}

page n page n+1

parser

slide-23
SLIDE 23

Tagged memory {

tag = tag_new(); key = malloc(16); buffer = smalloc(80,tag); … config = smalloc(128,tag);

}

page n page n+1

parser

slide-24
SLIDE 24

How can sthreads use sensitive data? Callgates.

Problem: unprivileged code cannot access sensitive data directly but must still use it.

parser private key

Callgates: an entry-point with predefined privileges.

◮ Callgates are created and invoked at a later time. ◮ At creation, a subset of creator’s privileges is given to callgate. ◮ At invocation, code is run with creation privileges.

slide-25
SLIDE 25

How can sthreads use sensitive data? Callgates.

Problem: unprivileged code cannot access sensitive data directly but must still use it.

parser private key session key

Callgates: an entry-point with predefined privileges.

◮ Callgates are created and invoked at a later time. ◮ At creation, a subset of creator’s privileges is given to callgate. ◮ At invocation, code is run with creation privileges.

slide-26
SLIDE 26

How can sthreads use sensitive data? Callgates.

Problem: unprivileged code cannot access sensitive data directly but must still use it.

client handler private key session key setup session key invoke

Callgates: an entry-point with predefined privileges.

◮ Callgates are created and invoked at a later time. ◮ At creation, a subset of creator’s privileges is given to callgate. ◮ At invocation, code is run with creation privileges.

slide-27
SLIDE 27

How can sthreads use sensitive data? Callgates.

Problem: unprivileged code cannot access sensitive data directly but must still use it.

client handler private key session key setup session key invoke

Callgates: an entry-point with predefined privileges.

◮ Callgates are created and invoked at a later time. ◮ At creation, a subset of creator’s privileges is given to callgate. ◮ At invocation, code is run with creation privileges.

slide-28
SLIDE 28

Summary: Wedge applied to Apache

client handler session key setup session key private key

◮ Sthreads: default-deny compartments—low privilege. ◮ Callgates: privilege elevation—high privilege. ◮ Tagged memory: naming memory for privilege specification.

slide-29
SLIDE 29

Ad-hoc code study?

Worker

Worker

Apache’s client handler needs access to 222 heap objects and 389

  • globals. Need to read 72 source files (for heap only).
  • 1. Which code is executed?
  • 2. What objects do pointers point to?
  • 3. Where were objects allocated?

If privilege is omitted, you get a crash—repeat until no crashes.

slide-30
SLIDE 30

Static analysis of memory accesses?

Static analysis for C code does not have runtime context (e.g., format string for printf). Consequences:

◮ May fail. e.g., function pointers. ◮ If conservative, may give superset of privileges actually

  • needed. e.g., may follow code paths corresponding to exploits!
slide-31
SLIDE 31

Crowbar: runtime analysis of memory accesses

Dynamic analysis yields least privilege:

parser GET URL POST data private key

Server uses minimal privileges to execute an innocuous request.

  • 1. Use runtime instrumentation to produce memory trace.
  • 2. Train using benign requests.

Need to ensure high trace coverage, e.g., with test suite.

slide-32
SLIDE 32

Crowbar: runtime analysis of memory accesses

Dynamic analysis yields least privilege:

parser GET URL POST data private key

Server uses minimal privileges to execute an innocuous request.

  • 1. Use runtime instrumentation to produce memory trace.
  • 2. Train using benign requests.

Need to ensure high trace coverage, e.g., with test suite.

slide-33
SLIDE 33

Crowbar: runtime analysis of memory accesses

Dynamic analysis yields least privilege:

parser GET URL POST data private key

Server uses minimal privileges to execute an innocuous request.

  • 1. Use runtime instrumentation to produce memory trace.
  • 2. Train using benign requests.

Need to ensure high trace coverage, e.g., with test suite.

slide-34
SLIDE 34

Outline

  • 1. Wedge.

◮ New system calls for default-deny. ◮ Crowbar: tool for partitioning legacy code.

  • 2. Wedge applied to Apache+OpenSSL.
slide-35
SLIDE 35

Protecting keys and sensitive user data

Goal: protect sensitive data (e.g., credit card).

client handler session key setup session key private key

Have we protected sensitive data? Are we done?

slide-36
SLIDE 36

Protecting keys and sensitive user data

Goal: protect sensitive data (e.g., credit card).

client handler session key setup session key private key

Have we protected sensitive data? Are we done? Threat models, with increasing complexity:

  • 1. Passive eavesdropping and server exploit.
  • 2. Active man-in-the-middle and server exploit.
slide-37
SLIDE 37

Attacker can generate arbitrary session key

Session key components exchanged during SSL handshake

client server client random server random

encrypted pre-master secret

slide-38
SLIDE 38

Attacker can generate arbitrary session key

Session key components exchanged during SSL handshake

client server client random server random

encrypted pre-master secret

setup session key client handler private key

slide-39
SLIDE 39

Attacker can generate arbitrary session key

Session key components exchanged during SSL handshake

client server client random server random

encrypted pre-master secret

setup session key client handler private key

client random encrypted pre-master secret server random

slide-40
SLIDE 40

Attacker can generate arbitrary session key

Session key components exchanged during SSL handshake

client server client random server random

encrypted pre-master secret

setup session key client handler private key

client random encrypted pre-master secret server random

session key

slide-41
SLIDE 41

Attacker can generate arbitrary session key

Session key components exchanged during SSL handshake

client server client random server random

encrypted pre-master secret

setup session key client handler private key

client random encrypted pre-master secret server random

session key

HACKED

slide-42
SLIDE 42

Attacker can generate arbitrary session key

Session key components exchanged during SSL handshake

client server client random server random

encrypted pre-master secret

setup session key client handler private key

client random encrypted pre-master secret random session key

slide-43
SLIDE 43

Preventing arbitrary session key leak

client handler session key setup session key private key

slide-44
SLIDE 44

Preventing arbitrary session key leak

client handler session key setup session key private key server random

Attacker exploiting client handler:

◮ Has no control over server random and session key generation. ◮ Cannot generate session key of eavesdropped sessions. ◮ Can only obtain a new, personal session key.

slide-45
SLIDE 45

Vulnerable to man-in-the-middle

Disclosing session key causes a security breach with man-in-the-middle (MITM) attacks:

client MITM server

slide-46
SLIDE 46

Vulnerable to man-in-the-middle

Disclosing session key causes a security breach with man-in-the-middle (MITM) attacks:

client MITM server client random server random pre-master secret

slide-47
SLIDE 47

Vulnerable to man-in-the-middle

Disclosing session key causes a security breach with man-in-the-middle (MITM) attacks:

client MITM server client random server random pre-master secret exploit session key

slide-48
SLIDE 48

Vulnerable to man-in-the-middle

Disclosing session key causes a security breach with man-in-the-middle (MITM) attacks:

client MITM server client random server random pre-master secret exploit session key

End of handshake Encryption starts

slide-49
SLIDE 49

Vulnerable to man-in-the-middle

Disclosing session key causes a security breach with man-in-the-middle (MITM) attacks:

client MITM server client random server random pre-master secret exploit session key

End of handshake Encryption starts

POST cardnum

slide-50
SLIDE 50

Vulnerable to man-in-the-middle

Disclosing session key causes a security breach with man-in-the-middle (MITM) attacks:

client MITM server client random server random pre-master secret exploit session key

End of handshake Encryption starts

POST cardnum

slide-51
SLIDE 51

Man-in-the-middle defense overview

Can we protect against a MITM that has also exploited the server?

master SSL handshake network

(clear-text)

Strategy:

  • 1. Prevent session key disclosure during handshake.
slide-52
SLIDE 52

Man-in-the-middle defense overview

Can we protect against a MITM that has also exploited the server?

master SSL handshake network

(clear-text)

client handler

(MACed channel)

Strategy:

  • 1. Prevent session key disclosure during handshake.
  • 2. MITM cannot exploit client handler without session key:

packets with invalid MAC will be dropped.

slide-53
SLIDE 53

Implementation

Sthreads:

◮ Linux v2.6.19. 496 line diff, 1485 line module. ◮ Userland library: 1154 lines.

Crowbar:

◮ Binary instrumentation tool (using Pin): 2391 lines. ◮ Post processor: 959 lines.

Applications we partitioned using Wedge:

◮ Apache+OpenSSL. ◮ OpenSSH (prior to privilege separation).

slide-54
SLIDE 54

Wedge reduces size of privileged code

Have we reduced the size of the privileged code?

slide-55
SLIDE 55

Wedge reduces size of privileged code

Have we reduced the size of the privileged code?

Line counts in Wedge’s Apache+SSL

Component Line count Percentage Apache+OpenSSL total 252,030 100% Default config after accept 60,844 Callgates total (privileged) 15,769 6% Lines changed when partitioning: 1,700 (0.7%).

slide-56
SLIDE 56

Crowbar performs acceptably for developers

Crowbar is used by developers for partitioning. It is not an

  • verhead seen during production run-time.

Does Crowbar perform acceptably for developers?

◮ A trace for Apache was obtained in 15s. ◮ Traces for SPEC applications: 82s on average.

Anecdotally, one trace was enough for our Apache (and OpenSSH) partitioning.

slide-57
SLIDE 57

Enhanced privacy at acceptable cost

Throughput of many clients retrieving small static page:

No sessions cached

200 400 600 800 1000 1200 1400 1600 Vanilla Wedge Requests/s x 0.53x

slide-58
SLIDE 58

Enhanced privacy at acceptable cost

Throughput of many clients retrieving small static page:

No sessions cached

200 400 600 800 1000 1200 1400 1600 Vanilla Wedge Requests/s x 0.53x

All sessions cached

200 400 600 800 1000 1200 1400 1600 Vanilla Wedge Requests/s x 0.22x

◮ Vanilla reuses workers—we create new sthreads. ◮ We create many compartments & callgates per session.

slide-59
SLIDE 59

Related work

We build on privilege separation: OpenSSH, OKWS, Privtrans

◮ Wedge allows finer-grained partitioning, and with default-deny,

encourages tighter privileges for each compartment. DIFC: JIF, Asbestos, HiStar, Flume, DStar

◮ Crowbar is complementary: could help partitioning legacy

code in DIFC systems.

◮ Wedge does not allow unprivileged code to compute over

sensitive data.

slide-60
SLIDE 60

Conclusion

Wedge:

◮ Generalizes privilege separation and provides primitives for

fine-grained default-deny partitioning of applications.

◮ Crowbar: tool to aid in partitioning legacy code.

Wedge enables fine-grained partitioning of legacy code:

◮ Programmers can defend applications against stronger

adversaries and more complex threat models than those addressed to date. http://nrg.cs.ucl.ac.uk/wedge/