making linux protection mechanisms egalitarian with userfs
play

Making Linux Protection Mechanisms Egalitarian with UserFS Taesoo - PowerPoint PPT Presentation

Sep 14, 2022 •20 likes •600 views

Making Linux Protection Mechanisms Egalitarian with UserFS Taesoo Kim and Nickolai Zeldovich MIT CSAIL Overview: How to build secure applications? Simple in principle : - reduce privileges of application components - enforce policy at

  1. Making Linux Protection Mechanisms Egalitarian with UserFS Taesoo Kim and Nickolai Zeldovich MIT CSAIL

  2. Overview: How to build secure applications? ● Simple in principle : - reduce privileges of application components - enforce policy at lower level (e.g. OS kernel) ● Difficult in practice (unless root user): - cannot create new principals - cannot reduce privileges

  3. This Talk: How to help programmers to reduce privileges and enforce security policy in Linux? by allocating and managing UIDs

  4. Today’s Unix-like OS ● UID is not a real user’s identity anymore (instead, also use UID as a protection principal ) i.e. nobody, www-data, wheelfs, etc. ● Existing protection mechanisms are using UID as a security principal i.e. filesystem permission

  5. Running example: DokuWiki

  6. Example: Security model of DokuWiki ● PHP based Wiki ● Run as a single UID ● Main features 1) Wiki users 2) Saving each page as a file 3) ACL on each page

  7. Example: Run DokuWiki php <UID: www-data >

  8. Example: Alice write to the page1 php <UID: www-data > alice open() write to page1 /doku/conf/ acl.php <UID: www-data > ACL of DokuWiki Pages /doku/pages/ page1 Alice : r/w Bob :r/- /doku/pages/ page2 Alice: r /- Bob : r/w

  9. Example: Alice write to the page1 php <UID: www-data > alice open() write to page1 /doku/conf/ acl.php <UID: www-data > write() /doku/pages/ page1 <UID: www-data >

  10. Example: Bob write to the page1 php <UID: www-data > bob open() write to page1 /doku/conf/ acl.php <UID: www-data > ACL of DokuWiki Pages /doku/pages/ page1 Alice : r/w Bob :r/- /doku/pages/ page2 Alice: r /- Bob : r/w

  11. Example: Bob write to the page1 php <UID: www-data > bob open() write to page1 /doku/conf/ acl.php <UID: www-data > failed to write

  12. Example: Vulnerability when checking ACL php <UID: www-data > bob open() write to page1 /doku/conf/ acl.php <UID: www-data > write() failed to write /doku/pages/ page1 <UID: www-data >

  13. Example: Vulnerability when checking ACL php The ACL check happens 40 times <UID: www-data > bob in DokuWiki’s code: New, potentially-buggy code in every app. open() write to page1 /doku/conf/ acl.php <UID: www-data > write() failed to write /doku/pages/ page1 <UID: www-data > CVE-2010-0288 : Insufficient Permission Check

  14. Strawman : Running php with different UID php <UID: wiki-alice > alice write() /doku/pages/ page1 write to page1 < wiki-alice=r/w ,others=r/-> php <UID: wiki-bob > bob write() /doku/pages/ page1 write to page1 <wiki-alice=r/w , others=r/- >

  15. Problem: Privilege separation is difficult in Unix ● Applications cannot - allocate new UIDs (e.g. adduser) - switch current UID (e.g. setuid) without root privilege ● Ironically , To reduce privilege, it requires root privilege ● Running DokuWiki as root is a security disaster

  16. Problem: Privilege separation is difficult in Unix Unix-like OS DokuWiki root root DokuWiki alice bob doku-wiki taesoo PHP PHP doku-alice doku-bob firefox PHP PHP

  17. Goal of this work Allowing any application to use these protection mechanisms without root privilege ● create a new principal ● reuse existing protection mechanisms ● use chroot and firewall mechanisms

  18. Outline ● Overview ● Design ● Example ● Implementation ● Evaluation ● Limitation ● Related work ● Conclusion

  19. Design: UID allocation ● Strawman : pick a previously unused UID ● Challenges ● who can call setuid()? ● How to reuse UIDs? ● How to make UIDs persistent ?

  20. Challenge: Who can call setuid()? ● Current Linux ● Root can switch to any UID with setuid() ● Non-root cannot switch to new UID with setuid() ● Ideal system requirements ● Need to represent privilege of each UID ● Need to specify who can access each UID ● Need to pass privilege between processes

  21. Key Idea: UserFS ● Maintaining UIDs as files in /proc-like filesystem ● Representing Privileges - each UID is represented by a file ● Delegating Privileges - change permissions on the file - send the file descriptor via FD passing ● Accountability - track allocated UIDs of each user in a directory

  22. Representing UIDs

  23. Representing UIDs mount UserFS at /userfs

  24. Representing UIDs represent UID number as a directory

  25. Representing UIDs “ctl file” to represent a privilege of each UID

  26. Representing Privileges ● Each UID has only one ctl file ● Any process having the file descriptor of the ctl - can change current UID e.g. setuid() - can pass it through Unix domain socket e.g. send() - can deallocate UID by deleting the ctl file e.g. unlink()

  27. Challenge: How to reuse UIDs? ● Ideally, unique ID to every principal ● Problem : - Linux use 32-bit UID - Reuse previously allocated UID ● Solution : - Introduce 64-bit #gen - Use #gen to detect unwanted UID reuse

  28. Challenge : How to make UIDs persistent ? ● For each UID, keep track of: - #gen - permissions of ctl file - creator’s UID in persistent database

  29. Managing UIDs File system UserFS Add a file Allocate a UID Delete a file Deallocate a UID Open a file Gain the privilege of UID Change permission Delegate a privilege

  30. Example: Using a Ufile fd= open ( /userfs/1000/ctl ) 1) Setuid ioctl (fd, IOCTL_SETUID ) 2) UID Allocation ioctl (fd, IOCTL_ALLOC , 2000 ) 3) Privilege Delegation sendmsg (receiver-socket, fd )

  31. Outline ● Overview ● Design ● Example ● Implementation ● Evaluation ● Limitation ● Related work ● Conclusion

  32. Example: Security model of UserFS-aware DokuWiki Key idea : Allocate UID for each Wiki user! - Authenticate users with non-root daemon - Use UID Sandboxing - Reuse well-tested ACL of filesystem

  33. Example: Authenticating users with non-root daemon ● Allocate new doku-admin UID (Wiki admin) ● When a new user signs up - doku-admin will allocate a UID for the user - doku-admin will gain read permission on ctl file ● When a user logs in - login-mgr (setuid to doku-admin ) check id/passwd - open the ctl file of the Wiki user - send it through Unix domain socket

  34. Example: Servicing DokuWiki with anonymous UID httpd php <UID: httpd > <UID: anony. > URL fork/exec DokuWiki

  35. Example: Authenticating users with non-root daemon php <UID: anony. > alice (ID/PASS)

  36. Example: Authenticating users with non-root daemon login-mgr php <UID: doku-admin > <UID: anony. > alice fork/exec (ID/PASS)

  37. Example: Authenticating users with non-root daemon login-mgr php <UID: doku-admin > <UID: anony. > alice fork/exec (ID/PASS) /var/doku/ passwd open() <doku-admin:r/-> fd=open() /userfs/501/ ctl <doku-admin:r/->

  38. Example: Authenticating users with non-root daemon login-mgr php <UID: doku-admin > <UID: anony. > alice fork/exec (ID/PASS) /var/doku/ passwd open() <doku-admin:r/-> fd=open() /userfs/501/ ctl send(fd) <doku-admin:r/-> ctl file

  39. Example: Authenticating users with non-root daemon login-mgr php <UID: doku-admin > <UID: anony. > alice fork/exec (ID/PASS) /var/doku/passwd open() <doku-admin:r/-> fd=open() /userfs/501/ctl send(fd) <doku-admin:r/-> setuid(fd) php ctl file <UID: doku-alice >

  40. Example: UID Sandboxing ● Initially, launch PHP with anonymous UID ● After a Wiki user logins change UID of PHP to Wiki user’s UID - login-mgr will send the file descriptor of ctl file - receive the file descriptor of the Wiki user - call setuid() with the received file descriptor

  41. Example: UID Sandboxing login-mgr php <UID: doku-admin > <UID: anony. > alice fork/exec (ID/PASS) /var/doku/passwd open() <doku-admin:r/-> fd=open() /userfs/501/ctl send(fd) <doku-admin:r/-> php ctl file <UID: doku-alice >

  42. Example: UID Sandboxing login-mgr php <UID: doku-admin > <UID: anony. > alice fork/exec (ID/PASS) /var/doku/passwd open() <doku-admin:r/-> fd=open() /userfs/501/ctl send(fd) <doku-admin:r/-> php ctl file <UID: doku-alice >

  43. Example: UID Sandboxing login-mgr php <UID: doku-admin > <UID: anony. > ? 100 LoC! alice fork/exec (ID/PASS) /var/doku/passwd open() <doku-admin:r/-> fd=open() /userfs/501/ctl send(fd) <doku-admin:r/-> php ctl file <UID: doku-alice >

  44. Example: Reusing well-tested ACL of filesystem ● Save each Wiki page as a file with owner’s UID ● Align ACL of Wiki page to the file permission ● OS will enforce security policy

  45. Example: Reusing well-tested ACL of filesystem php <UID: doku-alice >

  46. Example: Reusing well-tested ACL of filesystem php <UID: doku-alice > write page1 /doku/pages/ page1 < doku-alice :r/w>

  47. Example: Reusing well-tested ACL of filesystem php <UID: doku-alice > write page1 /doku/pages/page1 < doku-alice :r/w> write page2 /doku/pages/ page2 < doku-alice :r/-> Bug on checking ACL? CVE-2010-0288: Insufficient Permission Check

Recommend

Making C Less Dangerous in the Linux Kernel Kees Cook | @keescook LINUX.CONF.AU 21-25 January

Making C Less Dangerous in the Linux Kernel Kees Cook | @keescook LINUX.CONF.AU 21-25 January

Making C Less Dangerous in the Linux Kernel Kees Cook | @keescook LINUX.CONF.AU 21-25 January The Linux of Things | #LCA2019 | @linuxconfau 2019 Christchurch, NZ Making C Less Dangerous in the Linux Kernel Linux Conf AU January 25,

505 views • 29 slides
Survey on Security Threats and Protection Mechanisms in Embedded Automotive Networks Ivan

Survey on Security Threats and Protection Mechanisms in Embedded Automotive Networks Ivan

The Automotive Network Threats Protection mechanisms Conclusion Survey on Security Threats and Protection Mechanisms in Embedded Automotive Networks Ivan Studnia Vincent Nicomette Eric Alata Yves Deswarte Mohamed Ka aniche Renault

752 views • 40 slides
Making C Less Dangerous Linux Security Summit August 27, 2018 Vancouver, Canada Kees

Making C Less Dangerous Linux Security Summit August 27, 2018 Vancouver, Canada Kees

Making C Less Dangerous Linux Security Summit August 27, 2018 Vancouver, Canada Kees (Case) Cook keescook@chromium.org @kees_cook https://outflux.net/slides/2018/lss/danger.pdf Agenda Background Kernel Self Protection Project

493 views • 25 slides
Audit Mechanisms for Privacy Protection in Healthcare Environments Anupam Datta Joint work with

Audit Mechanisms for Privacy Protection in Healthcare Environments Anupam Datta Joint work with

Audit Mechanisms for Privacy Protection in Healthcare Environments Anupam Datta Joint work with Jeremiah Blocki, Nicolas Christin and Arunesh Sinha Carnegie Mellon University Position } Audit mechanisms are essential for privacy protection

337 views • 7 slides
Resource Allocation in Egalitarian Agent Societies Ulle Endriss 1 , Nicolas Maudet 2 , Fariba

Resource Allocation in Egalitarian Agent Societies Ulle Endriss 1 , Nicolas Maudet 2 , Fariba

Resource Allocation in Egalitarian Agent Societies MFI-2003 Resource Allocation in Egalitarian Agent Societies Ulle Endriss 1 , Nicolas Maudet 2 , Fariba Sadri 1 and Francesca Toni 1 1 Department of Computing, Imperial College London Email: {

610 views • 15 slides
Linux Kernel Self Protection Project Linux Security Summit, Los Angeles September 14, 2017 Kees

Linux Kernel Self Protection Project Linux Security Summit, Los Angeles September 14, 2017 Kees

Linux Kernel Self Protection Project Linux Security Summit, Los Angeles September 14, 2017 Kees (Case) Cook keescook@chromium.org https://outflux.net/slides/2017/lss/kspp.pdf Agenda Background Security in the context of

652 views • 52 slides
3/25/16 Decision Making Finances: Save money or spend it? The Neural Mechanisms of

3/25/16 Decision Making Finances: Save money or spend it? The Neural Mechanisms of

3/25/16 Decision Making Finances: Save money or spend it? The Neural Mechanisms of Eating: Indulge in a second Risky Decision Making dessert? Medical: Medication with side effects? Rebecca Weldon Underage drinking:

103 views • 9 slides
LINUX / C++ PROTECTION FEATURES CS4414 Lecture 26 CORNELL CS4414 - FALL 2020. 1 IDEA MAP FOR

LINUX / C++ PROTECTION FEATURES CS4414 Lecture 26 CORNELL CS4414 - FALL 2020. 1 IDEA MAP FOR

Professor Ken Birman LINUX / C++ PROTECTION FEATURES CS4414 Lecture 26 CORNELL CS4414 - FALL 2020. 1 IDEA MAP FOR TODAY Firewalls Memory Protection Type Checking as a Protection Tool VMs and Containers Intel SGX Security CORNELL CS4414 -

595 views • 43 slides
Barcelona Geographical situation Egalitarian City design BCN : 1.604.555 hab (16.716 hab /km 2 )

Barcelona Geographical situation Egalitarian City design BCN : 1.604.555 hab (16.716 hab /km 2 )

Cristina Junyent Barcelona Geographical situation Egalitarian City design BCN : 1.604.555 hab (16.716 hab /km 2 ) AMB : 5.029.181 hab (15.267 hab /km 2 TRAFFIC 200,000 people come daily 78% by car + 22% by bus Get rid one of five cars

353 views • 7 slides
BRUCE DAWSON VALVE GETTING STARTED DEBUGGING ON LINUX (MAKING IT EASY IN LESS THAN AN HOUR)

BRUCE DAWSON VALVE GETTING STARTED DEBUGGING ON LINUX (MAKING IT EASY IN LESS THAN AN HOUR)

BRUCE DAWSON VALVE GETTING STARTED DEBUGGING ON LINUX (MAKING IT EASY IN LESS THAN AN HOUR) Linux Debugging Challenges: Default debugger is intimidating to new users Tough to get symbols and source to show up Many tricks needed

544 views • 40 slides
Making Linux do Hard (Real-) Time Hard Time Linux 1 of 21 MBARI The Monterey Bay Aquarium

Making Linux do Hard (Real-) Time Hard Time Linux 1 of 21 MBARI The Monterey Bay Aquarium

Hard Time Making Linux do Hard (Real-) Time Hard Time Linux 1 of 21 MBARI The Monterey Bay Aquarium Research Institute is a Non-Pro fi t Research Center Founded in 1987 by Packard Foundation Furthering marine research through the peer e ff orts

500 views • 21 slides
Linux Kung Fu Introduction What is Linux? Why Linux? What is the difference between a client

Linux Kung Fu Introduction What is Linux? Why Linux? What is the difference between a client

Linux Kung Fu Introduction What is Linux? Why Linux? What is the difference between a client and a server? What is Linux? Linux generally refers to a group of Unix-like free and open-source operating system distributions that use the Linux

562 views • 53 slides
Rights Protection Mechanisms (RPMs) A Discussion of the Clearinghouse, Uniform Rapid

Rights Protection Mechanisms (RPMs) A Discussion of the Clearinghouse, Uniform Rapid

Rights Protection Mechanisms (RPMs) A Discussion of the Clearinghouse, Uniform Rapid Suspension and Post Delegation Dispute Resolution Procedure October2009 DevelopmentofRightsProtec4onMechanisms

450 views • 19 slides
Financial Mechanisms in Support of Biodiversity Conservation and Protection in the Caribbean: An

Financial Mechanisms in Support of Biodiversity Conservation and Protection in the Caribbean: An

Financial Mechanisms in Support of Biodiversity Conservation and Protection in the Caribbean: An Overview Presented by Dr. Mark D. Griffith at the The Caribbean Workshop on Sustainable Finance and Resource Mobilization for Biodiversity,

539 views • 19 slides
The State of Kernel Self Protection Linux Security Summit NA August 27, 2018 Vancouver, Canada

The State of Kernel Self Protection Linux Security Summit NA August 27, 2018 Vancouver, Canada

The State of Kernel Self Protection Linux Security Summit NA August 27, 2018 Vancouver, Canada Kees (Case) Cook keescook@chromium.org @kees_cook https://outflux.net/slides/2018/lss/kspp.pdf Kernel Self Protection Project

431 views • 15 slides
Security Overview Different aspects of security User authentication Protection mechanisms

Security Overview Different aspects of security User authentication Protection mechanisms

CS399 New Beginnings Jonathan Walpole Security Overview Different aspects of security User authentication Protection mechanisms Attacks: - trojan horses, spoofing, logic bombs, trap doors, buffer overflow attacks, viruses, worms, mobile

825 views • 59 slides
The Squared Circle: Fitting Trademark Law Principles into ICANNs Rights Protection Mechanisms

The Squared Circle: Fitting Trademark Law Principles into ICANNs Rights Protection Mechanisms

The Squared Circle: Fitting Trademark Law Principles into ICANNs Rights Protection Mechanisms G REG S HATAN M OSES &amp; S INGER LLP A PRIL 24, 2019 2 It has become apparent to all that a considerable amount of tension has unwittingly been

243 views • 22 slides
Argon2 and Egalitarian Computing Alex Biryukov Dmitry Khovratovich University of Luxembourg

Argon2 and Egalitarian Computing Alex Biryukov Dmitry Khovratovich University of Luxembourg

Argon2 and Egalitarian Computing Alex Biryukov Dmitry Khovratovich University of Luxembourg January 7th, 2016 I. Unfair battle Attack-defence paradigm Attackers have always been more powerful than defenders: Large and variable resources;

749 views • 36 slides
Agent-Based Systems Discussed procedures for making group decisions Simple mechanisms:

Agent-Based Systems Discussed procedures for making group decisions Simple mechanisms:

Agent-Based Systems Agent-Based Systems Where are we? Agent-Based Systems Discussed procedures for making group decisions Simple mechanisms: plurality, sequential majority Advanced mechanisms: Borda Count, Slater Ranking Michael

559 views • 4 slides
Building a self-contained auto-configuring Linux system on an iso9660 filesystem or Making

Building a self-contained auto-configuring Linux system on an iso9660 filesystem or Making

Building a self-contained auto-configuring Linux system on an iso9660 filesystem or Making Linux run from CD knoppix@knopper.net Klaus Knopper V2.1 August 24, 2001 Abstract Knoppix (Knoppers *nix) is an attempt to not

411 views • 15 slides
Steganographic File Systems Steganographic File Systems 1 Conventional Protection Mechanisms in

Steganographic File Systems Steganographic File Systems 1 Conventional Protection Mechanisms in

Steganographic File Systems Steganographic File Systems 1 Conventional Protection Mechanisms in File S Systems t User Access Control The operating system is fully trusted to enforce the security policy. Is it good enough? Is it

888 views • 44 slides
Egalitarian Society or Benevolent Dictatorship: The State of Cryptocurrency Governance Sarah

Egalitarian Society or Benevolent Dictatorship: The State of Cryptocurrency Governance Sarah

Egalitarian Society or Benevolent Dictatorship: The State of Cryptocurrency Governance Sarah Azouvi , Mary Maller, and Sarah Meiklejohn University College London BITCOIN18 1 What is decentralization? Rules set by creators Rules enforced

329 views • 16 slides
Silberschatz and Galvin Chapter 19 Protection CPSC 410--Richard Furuta 4/26/99 1 Protection

Silberschatz and Galvin Chapter 19 Protection CPSC 410--Richard Furuta 4/26/99 1 Protection

Silberschatz and Galvin Chapter 19 Protection CPSC 410--Richard Furuta 4/26/99 1 Protection Goals of protection schemes Domain of protection Mechanisms access matrix implementation of access matrix revocation of access

437 views • 14 slides
Community Session Review of All Rights Protection Mechanisms in All gTLDs Policy Development

Community Session Review of All Rights Protection Mechanisms in All gTLDs Policy Development

Community Session Review of All Rights Protection Mechanisms in All gTLDs Policy Development Process ICANN56 | 27 June 2016 Goals of this Cross Community Session To discuss with the community the proposed methodology and timelines

397 views • 18 slides

More recommend