1 Setuid Demystified. Hao Chen, David Wagner (UC Berkeley); Drew Dean (SRI International)
2 The Setuid API
User ID model: the basis for access control in Unix
Each process has three user IDs:
–ruid: the real user ID
–euid: the effective user ID
–suid: the saved user ID
The setuid API offers these system calls:
–setuid, seteuid, setreuid, setresuid

3 The Mystery
Which user IDs does setuid(x) set?
–FreeBSD: always ruid=euid=suid=x
–Linux/Solaris: always euid=x, sometimes ruid=suid=x
Do these calls always succeed?
–setuid(geteuid()): may fail in Linux and Solaris
–seteuid(geteuid()): may fail in FreeBSD
–setreuid(geteuid(), getuid()): may fail in FreeBSD

4 The Problems
Semantic mess
–Design: confusing, surprising
–Portability: semantic differences among OSs (e.g. Linux, Solaris, FreeBSD)
–Documentation: incomplete, inaccurate, or incorrect
Reason: historical artifacts
Vulnerabilities
–Sendmail and , etc.

5 Outline: Demystify the Setuid API
Identify the precise semantics
–Use a formal model
–Build the model automatically by state space exploration
Check for
–Semantic pitfalls
–Documentation errors
–Inconsistency in OS kernels
–Proper use of API calls in programs
Propose guidelines

6 Formal Model of the Setuid API
Finite State Automaton (FSA) model
–States: describing the user IDs of a process
–Transitions: describing the semantics of the setuid API calls
[Figure: an FSA fragment with three states (ruid=1 euid=0 suid=0; ruid=1 euid=1 suid=1; ruid=1 euid=1 suid=0) and transitions labelled setuid(1), seteuid(1), seteuid(0)]
Abstraction
–0: root uid
–1: a non-root uid

7 Construct the FSA
Challenge
–Large number of transitions
–Manual construction is laborious, error-prone
Solution
–Automatic construction by a state space explorer:
Exhaustively makes all setuid API calls at each state of the FSA
Observes the resulting transitions

8 [Figure: FSA over all eight states with ruid, euid, suid each in {0,1} (ruid=1 euid=1 suid=0; ruid=0 euid=0 suid=0; ruid=1 euid=0 suid=0; ruid=0 euid=1 suid=0; ruid=1 euid=0 suid=1; ruid=1 euid=1 suid=1; ruid=0 euid=1 suid=1; ruid=0 euid=0 suid=1) and transitions labelled setuid(1), seteuid(1), seteuid(0), setuid(0), setuid(1)]

9 FSAs for setuid transitions: Linux vs. FreeBSD

10 FSA for setresuid in Linux

11 Benefits of Using Formal Model
Correctness
–Intuition: the transitions in the FSA are observed from running programs
Efficiency
–The FSA is constructed automatically by the explorer
Portability: the explorer is portable to
–Different Unix systems
–Different versions of kernels
Lots of applications!

12 Find Documentation Errors
Incomplete man page
–setuid(2) in Redhat Linux 7.2: fails to mention the Linux capabilities which affect how setuid() behaves
Wrong man pages
–FreeBSD 4.4: "Unprivileged users may change the ruid to the euid and vice versa" [slide annotation: suid]
–Redhat Linux 7.2: "The setgid function checks the egid of the caller and if it is the superuser, …" [slide annotation: euid]

13 Detect Inconsistencies in OS Kernel
File system uid (fsuid) in Linux
–Is used for filesystem permission checking
–Normally follows euid
An invariant in Linux (kernel/sys.c)
–fsuid is 0 only if at least one of ruid, euid, suid is 0
Security motivation
–Root privilege in fsuid is automatically dropped when it is dropped from ruid, euid, suid
–Ensures that an fsuid-unaware application can safely drop root privilege in fsuid

14 Detect Inconsistencies in OS Kernel (contd.)
A bug in Linux kernels <= breaks the invariant
–The bug is in setresuid()
We found the bug using the formal model
–Our patch was applied to kernel
Lessons
–Security design is difficult to get right
–Formal models are very useful in verifying security models

15 Check Proper Usage of the Setuid API in Programs
Questions
–Can a setuid API call fail in this program?
–Can this program fail to drop privilege?
–Which parts of this program run with privilege?
Approach
–Model checking security properties in programs using the FSA of the setuid API
Results
–Found known setuid bugs in sendmail and

16 Guidelines
Use setresuid where available
–Explicit, clear semantics
–Transactional (vs. setuid, which is not transactional)
Obey the proper order of API calls
–Drop group privileges before user privileges

17 Guidelines (contd.)
Check for errors
–Check return code
–Verify user IDs are as expected after API calls (because some calls are not transactional)
–Verify failures
How to permanently drop privileges confidently?
1. Drop privilege
2. Try to regain privilege
3. Ensure that Step 2 fails
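One way to implement the guidelines of slides 16 and 17 on Linux (groups before user, setresuid/setresgid, read the IDs back, then confirm that regaining root fails), as an added example written for this page and not code from the paper or its authors; the fallback target uid/gid 65534 used when the demo starts as root is an assumed value.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently drop to (uid, gid): groups before user (slide 16), then
 * verify the IDs with getres*id (slide 17), then try to regain root and
 * require that attempt to fail. Returns 0 on success, else the failed step. */
int drop_privileges_permanently(uid_t uid, gid_t gid)
{
    uid_t ruid, euid, suid;
    gid_t rgid, egid, sgid;
    /* Step 1: drop. setgroups() needs root, so only call it while still root. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setresgid(gid, gid, gid) != 0)
        return -2;
    if (setresuid(uid, uid, uid) != 0)
        return -3;
    /* Do not trust the return codes alone: read all three IDs back. */
    if (getresuid(&ruid, &euid, &suid) != 0 || ruid != uid || euid != uid || suid != uid)
        return -4;
    if (getresgid(&rgid, &egid, &sgid) != 0 || rgid != gid || egid != gid || sgid != gid)
        return -5;
    /* Steps 2 and 3: try to regain root; the kernel must answer EPERM. */
    if (uid != 0 && (setresuid((uid_t)-1, 0, (uid_t)-1) == 0 || errno != EPERM))
        return -6;
    if (gid != 0 && (setresgid((gid_t)-1, 0, (gid_t)-1) == 0 || errno != EPERM))
        return -7;
    return 0;
}

/* Demo target: when started as root, drop to 65534 ("nobody" on many Linux
 * systems; an assumed value); otherwise reaffirm the current identity. */
int demo_drop(void)
{
    int root = geteuid() == 0;
    return drop_privileges_permanently(root ? (uid_t)65534 : getuid(),
                                       root ? (gid_t)65534 : getgid());
}

int main(void)
{
    int rc = demo_drop();
    printf("permanent privilege drop: rc=%d (%s)\n", rc, rc == 0 ? "ok" : "FAILED");
    return rc == 0 ? 0 : 1;
}
```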

18 Related Work
–Unix man pages
–Chris Torek and Casper Dik. Setuid Mess
–Matt Bishop. How to write a setuid program
–Timothy Levin, S. Padilla, Cynthia Irvine. A Formal Model for UNIX Setuid

19 Conclusion: Setuid Demystified
We've identified the precise semantics
–Used an FSA model
–Built the model automatically by state space exploration
Formal models revealed pitfalls and bugs
–We discovered semantic pitfalls
–We found new documentation errors
–We detected the fsuid bug in the Linux kernel
–We verified the proper use of the setuid API in some programs
Follow our guidelines for the setuid API

20 Further Information

21 FSA for setreuid in Linux