
Practical Techniques to Obviate Setuid-to-Root Binaries (Bhushan Jain, PowerPoint presentation)

  1. Practical Techniques to Obviate Setuid-to-Root Binaries
     Bhushan Jain, Chia-Che Tsai, Jitin John, Donald Porter
     OSCAR Lab (Operating Systems, Security, Concurrency and Architecture Research), Computer Science Department, Stony Brook University



  2-12. Setuid-root and Privilege Escalation (animated build across slides 2-12)
      - Root runs `/bin/mount /dev/sda2 /disk1`: the binary parses its arguments and calls sys_mount(args). In the kernel:
            sys_mount() {
                if (!capable(CAP_SYS_ADMIN))
                    return -EPERM;
                do_mount();
            }
        Root has all capabilities, so the check passes.
      - An ordinary user runs `/bin/mount /dev/cdrom /cdrom`: the user has no capabilities, so the same check fails with -EPERM.
      - Therefore /bin/mount is setuid to root. It consults /etc/fstab, which contains
            /dev/cdrom /cdrom iso9660 user,ro 0 0
        and enforces the system policy in user space before entering the kernel:
            if (ruid == 0 || user_mount_ok(args))
                sys_mount(args);
      - If the setuid binary has an exploitable vulnerability, the attacker's code runs with root's full capability set and can, for example, load a kernel module instead of mounting:
            fd = open("rootkit.ko");
            finit_module(fd);
        The kernel only checks CAP_SYS_MODULE, which root has, so rootkit.ko is loaded:
            sys_finit_module() {
                if (!capable(CAP_SYS_MODULE))
                    return -EPERM;
                do_init_module();
            }

  13. How is Setuid-Root Used in Practice?
      [Figure: installation percentage (y-axis, 0 to 100) of each setuid-to-root binary (x-axis, 0 to 120). 26 binaries are installed on 89% of systems; 83 binaries are installed on <0.89% of systems.]

  14. Can we get rid of setuid-to-root?
      - Surprisingly feasible to obviate setuid-root
      - ~10 underlying privileged abstractions
      - Protego prototype: 715 LoC changed in the kernel
      - De-privileged 12,732 lines of trusted binary code
      - < 2% kernel compile time overhead over Linux 3.6.0
      - Ongoing investigation of the long tail

  15. Outline
      - Background
      - Insights and design principles
      - Protego overview and examples
      - Evaluation

  16. Linux Capabilities
      - Linux file (POSIX) capabilities
      - Not the same as capabilities in the sense of pointers with access control
      - Divide root privilege into 36 different capabilities
      - Enforce least privilege for the administrator
      - Too coarse for an untrusted user: many privileged actions with just CAP_NET_ADMIN
      Need to think about least privilege for the untrusted user.

  17. Efforts to Mitigate Setuid-Root Risks
      - Ubuntu/Fedora try to limit use of setuid-root
        - Privilege bracketing, consolidation, fs permissions
        - Not able to completely eliminate setuid-root
        - Some binaries have point alternatives
      - SELinux enforces relatively fine-grained security
        - Still too liberal for least privilege of the user
        - SELinux introduces substantial complexity

  18. What can we do about setuid-root risk?

  19. How do we approach this problem?
      [Figure: the same chart of installation percentage (0 to 100) versus setuid-to-root binaries (0 to 120).]
      - Studied 28 in detail
      - Order by popularity
      - Study policies in binaries
        - Why is root needed?
        - Simpler alternative in kernel?
      - Goal: non-admin never raises privilege

  20. Setuid-Root: Unix Security Duct Tape
      - Kernel policy mismatch with system policy
        - Kernel: only root can mount anywhere
        - System: any user can mount at safe locations
      - Point solutions used as duct tape
        - Setuid binary mount bridges the gap
      Generally setuid patches over the gap between kernel and system policies.

  21. Interface Designs can Thwart Least Privilege
      - An interface design choice may need more privilege
      - dmcrypt-get-device uses a privileged ioctl
        - Reports the physical device under an encrypted device
        - Also discloses the private key
      - The same information is available from /sys without privilege
      - Maintainers agreed to use the /sys interface
      Sometimes setuid indicates programmer error.

  22. Protego Design
      - No need for trusted apps to enforce system policy
        - Inform the kernel about system policy
        - Enforce system policy using a Linux Security Module
        - Policies orthogonal to AppArmor, SELinux, etc.
      - Object-based policies for unprivileged users
      - Adjust the interfaces that need more privilege
      - Maintain backwards compatibility for the user

  23. System Abstractions for Setuid Binaries
      Privileged interface                   | Used by (binaries) | What do we do?
      mount, umount                          | 3                  | Whitelist safe locations and options
      socket (ping)                          | 5                  | Apply firewall rules on raw sockets
      Credential databases (passwd)          | 5                  | Fragment to per-user or per-group files, matching DAC granularity
      ioctl (pppd)                           | 2                  | Add LSM hooks to verify new routes
      bind (mail)                            | 3                  | Map low port to (binary, userid) pair
      setuid, setgid (sudo)                  | 7                  | Delegation framework: LSM hooks to check delegation rules and recency
      Video driver control state (X)         | 1                  | Kernel mode switching: context switches video devices in the kernel
      /dev/pts* terminal slaves (pt_chown)   | 1                  | Deprecated since kernel 2.1
      Host private ssh key (ssh-keysign)     | 1                  | Restrict file access to specific binaries
      A few abstractions, many binaries.

  24-33. Example 1: Protego mount (animated build across slides 24-33)
      - /etc/fstab still holds the system policy, e.g.
            /dev/cdrom /cdrom iso9660 user,ro 0 0
      - A privileged daemon (running as root) parses /etc/fstab and publishes the resulting policy to the kernel through /proc/mnt_policy.
      - An unprivileged user runs `mount /dev/cdrom /cdrom`; mount, which no longer needs to be setuid-root, simply calls sys_mount(args).
      - The Protego LSM enforces the policy inside the kernel:
            sys_mount() {
                if (!security_mount_ok(args))
                    return -EPERM;
                do_mount(args);
            }
      This technique works for 3/28 setuid-root binaries.
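As an added example (not Protego's code or the talk's own), the following C program models the policy split of slides 20, 22 and Example 1: a daemon-side parse of /etc/fstab into a whitelist (what Protego publishes through /proc/mnt_policy) and a kernel-side check standing in for the slide's security_mount_ok(). The names load_mnt_policy and protego_mount_ok and the fstab lines are constructed for this example, and the check is reduced to the (source, target, fstype) triple plus the ro option.

```c
#include <stdio.h>
#include <string.h>
struct mnt_rule { char src[64], dst[64], fstype[16]; int ro; };
static struct mnt_rule rules[16];   /* the published mount policy */
static int nrules;
/* Constructed /etc/fstab for this example: only the cdrom line grants "user". */
static const char *const SAMPLE_FSTAB[] = {
    "# <src> <dst> <fstype> <opts> <dump> <pass>",
    "/dev/sda2  /disk1  ext4     defaults 0 1",
    "/dev/cdrom /cdrom  iso9660  user,ro  0 0",
};
/* Exact match of one option inside a comma-separated option string. */
static int has_opt(const char *opts, const char *want)
{
    char padded[132], needle[68];
    snprintf(padded, sizeof padded, ",%s,", opts);
    snprintf(needle, sizeof needle, ",%s,", want);
    return strstr(padded, needle) != NULL;
}

/* Daemon side: keep the fstab entries that grant "user" (the table Protego
 * publishes through /proc/mnt_policy). Returns the number of rules loaded. */
int load_mnt_policy(const char *const *lines, int n)
{
    nrules = 0;
    for (int i = 0; i < n && nrules < 16; i++) {
        struct mnt_rule r = {{0}};
        char opts[128] = {0};
        if (lines[i][0] == '#' || sscanf(lines[i], "%63s %63s %15s %127s",
                                         r.src, r.dst, r.fstype, opts) != 4)
            continue;
        if (!has_opt(opts, "user")) continue;
        r.ro = has_opt(opts, "ro");
        rules[nrules++] = r;
    }
    return nrules;
}

/* Kernel side, standing in for the slide's security_mount_ok(): 1 = allow.
 * Root keeps the capable(CAP_SYS_ADMIN) path; a non-root caller is confined
 * to a whitelisted (source, target, fstype) triple and cannot remount "ro" rw. */
int protego_mount_ok(unsigned ruid, const char *src, const char *dst,
                     const char *fstype, int want_rw)
{
    if (ruid == 0) return 1;
    for (int i = 0; i < nrules; i++)
        if (!strcmp(rules[i].src, src) && !strcmp(rules[i].dst, dst) &&
            !strcmp(rules[i].fstype, fstype))
            return !(rules[i].ro && want_rw);
    return 0;   /* not whitelisted: sys_mount() returns -EPERM */
}
```

The policy check no longer depends on the mount binary being trusted: a request outside the published whitelist is refused inside the kernel regardless of which program issued it.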
