1 Setuid Demystified Hao Chen David Wagner UC Berkeley Drew Dean SRI International Proceedings of the 11th USENIX Security Symposium San Francisco, California, USA August 5-9, 2002

2 Outline Identified problems of SETUID –What is SETUID –SETUID mystery and problems Provided solution –Use a formal model –Build the model automatically by state space exploration Demonstrated Applications of FSA –Understanding semantics of security operation API precisely –Verifying Documentation –Detecting Inconsistency in OS kernels –Checking Proper use of API calls in programs Proposed guidelines

3 What is setuid Access control in Unix is based the User ID model Each process has 3 user Ids: –Real uid (ruid) –Effective uid (euid) –Saved uid (suid) Uid-setting system calls –setuid() seteuid() setreuid() setresuid()

4 Historical Artifacts Early Unix Two user IDs: ruid and euid. Only one system call ： setuid Rules: System V Three user IDs: ruid, euid and suid Two system call: setuid and seteuid Rules: BSD Three user IDs: ruid, euid and suid System call: setuid, seteuid, and setreuid Rules: Modern Unix Three user IDs: ruid, euid and suid System call: setuid, seteuid, setreuid and setresuid Rules: Different system had different semantics ！！！

5 The Problems Semantic mess –Design: confusing, surprising –Portability: semantic differences among OSs (e.g. Linux, Solaris, FreeBSD) –Documentation: incomplete, inaccurate, or incorrect

6 Objective Understanding the semantics of security operation API in OS precisely Verifying their documentations Detecting inconsistency in OS kernels Building security properties and checking them in programs automatically

7 Formal Model of the Setuid API Finite State Automaton (FSA) model –States: describing the user IDs of a process –Transitions: describing the semantics of the setuid API calls ruid=1 euid=0 suid=0 ruid=1 euid=1 suid=1 ruid=1 euid=1 suid=0 setuid(1) seteuid(1) seteuid(0) Abstraction 0: root uid 1: a non-root uid

8 Construct the FSA Challenge –Large number of transitions –Manual construction is laborious, error-prone Solution –Automatic construction by a state space explorer: Exhaustively makes all setuid API calls at each state of the FSA Observes the resulting transitions

9 Determine Transitions Automatically by Simulation Idea: Exhaustively make all system calls at each state For each state s=(ruid, euid, suid) where ruid, euid, suid  {0, uid 1, uid 2, …} For each system call c  {setuid(e), seteuid(e), setreuid(r,e), setresuid(r,e,s)} { Make the system call c in the state s Observe the ensuing state s’ Add the transition }

10 Linux FreeBSD FSAs for setuid transitions

11 FSA for setresuid in Linux

12 Benefits of Using Formal Model Correctness –Intuition: the transitions in the FSA are observed from running programs Efficiency –The FSA is constructed automatically by the explorer Portability: the explorer is portable to –Different Unix systems –Different versions of kernels Lots of applications!

13 Applications ： Find Documentation Errors Incomplete man page –setuid(2) in Redhat Linux 7.2: fails to mention the Linux capabilities which affect how setuid() behaves Wrong man pages –FreeBSD 4.4 Unprivileged users may change the ruid to the euid and vice versa –Redhat Linux 7.2 The setgid function checks the egid of the caller and if it is the superuser, … suid euid

14 Applications : Detect Inconsistencies in OS Kernel File system uid (fsuid) in Linux –Is used for filesystem permission checking –Normally follows euid An invariant in Linux ( kernel/sys.c ) –fsuid is 0 only if at least one of ruid, euid, suid is 0 Security motivation –Root privilege in fsuid is automatically dropped when it is dropped from ruid, euid, suid –Ensures that an fsuid-unware application can safely drop root privilege in fsuid

15 Applications : Detect Inconsistencies in OS Kernel (contd.) A bug in Linux kernels <= breaks the invariant –The invariant is satisfied in setuid(), seteuid(), setreuid() –But it is broken in setresuid() – fsuid = 0 and ruid != 0, euid != 0, suid != 0 is reachable (figure2) The bug has been confirmed by Linux community

16 Check Proper Usage of the Setuid API in Programs Questions –Can a setuid API call fail in this program? –Can this program fail to drop privilege? –Which part of this program run with privilege? Approach –Model checking security properties in programs using the FSA of the setuid API Results –Found known setuid bugs in sendmail and

17 A Vulnerability in Sendmail Due to A Misuse of setuid.

18 General Guidelines (1) Selecting an Appropriate System Call setresuid has a clear semantics and is able to set each user ID individually, it should always be used if available. Otherwise, to set only the effective uid, seteuid(new euid) should be used; to set all three user IDs, setreuid(new uid, new uid) should be used. setuid should be avoided because its overloaded semantics and inconsistent implementation in different Unix systems may cause confusion and security vulnerabilities for the unwary programmer.

19 General Guidelines (2) Obey the proper order of API calls –Drop group privileges before user privileges

20 General Guidelines (3) Verifying Proper Execution of System Calls Checking Return Codes Verifying User IDs Verifying Failures

21 An Improved API for Privilege Management – The API contains three functions: Drop_priv_temp(new uid): Drop privilege temporarily. Move the privileged user ID from the effective uid to the saved uid. Assign new uid to the effective uid. Drop_priv_perm(new uid): Drop privilege permanently. Restore_priv: Restore privilege. –Beneficial properties It does not affect the real uid. It guarantees that all transitions in Figure 13 succeed. It verifies that the user IDs are as expected after each uid-setting system call.

22 Conclusion Identified the precise semantics –Use an FSA model –Built the model automatically by state space exploration Formal models revealed pitfalls and bugs –Discovered semantic pitfalls –Found new documentation errors –Detected the fsuid bug in the Linux kernel –Verified the proper use of setuid API in some programs （ sendmail and ） Proposed guidelines for the setuid API