Security Improvements in Linux Using Capabilities

1 Security Improvements in Linux Using Capabilities
Gautam Barua
Department of Computer Science & Engg
Indian Institute of Technology, Guwahati

2 Outline
Discretionary Access Control
Set user id on execution
Mandatory Access Control
Linux Security Modules
SELinux
Buffer Overflow Attack
POSIX Capabilities
Work at IITG

3 Discretionary Access Control
Owner-administered
Mode bits: User, Group, Others
Basic permissions: Read, Write, Execute
rwxr--r--  owner_id  group_id  ...
Access Control Lists were added in later versions of Unix (and Linux). They can specify particular users or groups who are given permissions or denied permissions.
IIT Guwahati

4 Discretionary Access Control
Setting controls is at the discretion of users.
An "owner" is identified with every file.
Mode bits can be changed by the owner.
Distributed control
Easy to manage
User controls her data
Attacks can be catastrophic

5 Set uid on execution
ls -l /var/bin/ps
r-sr-xr-x root root ......... ps
When user gb executes "ps", the process executing "ps" gets an effective user id of "root". So the privileges of "root" are available to the program "ps" even though it is gb who is executing it.

6 Set uid on execution
But only what "ps" can do as root is allowed to gb. This method of controlled escalation of privileges provides flexibility in managing resources.
BUT
Mistakes may be made by administrators
If write permission is given inadvertently to the file containing "ps" ....

7 Set uid on Execution
More seriously, there may be a bug in "ps".
This may be exploited by an intruder, and the process running "ps" may be made to execute some malicious code. This malicious code will get root privileges and can therefore wreak havoc.
We should give only the necessary privileges to programs like "ps", not full root privileges.

8 Mandatory Access Control
Controls imposed by a central administrator
Enforced by the OS kernel
User programmes cannot override the controls
Complex to implement
Restrictive to users
Less vulnerable to attacks

9 Mandatory Access Control
Linux Security Module (LSM)
General kernel framework for implementing security modules
Around 200 hooks
About 150 are for mediation
Others for allocation/freeing, labelling, ad hoc management

10 Linux Security Module
Add a "security" field to major data structures: task_struct, inode, sk_buff, net_device, ...
Type: void *security;
Add hooks at kernel critical points
  To manage the "security" field
  To perform access control as per defined policies
Register/unregister using register_security()/unregister_security()
LSM recognizes only the primary module; mod_reg_security enables a second module to stack

11 Security Enhanced Linux (SELinux)
Mandatory Access Control implementation
Uses LSM
Fine-grained control possible
Complex to set up
Flexibility is therefore low
Critics say the chance of misconfiguration is high and so vulnerability increases

12 Security Enhanced Linux (SELinux)
Subject (e.g. process)
Object (e.g. file)
Action (e.g. file read)
Subject has a Security Context:
  User Identifier (few)
  Role (few)
  Types (hundreds)

13 Buffer Overflow Attack
    #include <string.h>

    void func(char *str)
    {
        char buffer[16];
        strcpy(buffer, str);   /* no bounds check: overflows when str is longer than 15 bytes */
    }

    int main(void)
    {
        char large_string[256];
        int i;
        for (i = 0; i < 255; i++)
            large_string[i] = 'A';
        large_string[255] = '\0';   /* terminate so strcpy() stops at 255 bytes */
        func(large_string);
        return 0;
    }

14 Buffer Overflow Attack
Run-time stack when "func" is called:
  buffer[0..15]
  *str
  return address
  attack code

15 Buffer Overflow Attack
    #include <stdio.h>
    #include <unistd.h>

    int main(void)
    {
        char *name[2];
        name[0] = "/bin/sh";
        name[1] = NULL;
        execve(name[0], name, NULL);
        return 0;
    }
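The defensive counterpart to the func() on slide 13, as an added example (not code from the slides): the same 16-byte buffer, but the copy is length-checked and oversized input such as the 255 'A's is rejected rather than written past the buffer. The function and test names are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not the slides' code: the slide's 16-byte buffer copied with
 * an explicit length check instead of an unbounded strcpy(). */
#define BUF_LEN 16

/* Returns 0 on success, -1 if str plus its terminator would not fit in out.
 * Over-long input is rejected, not silently truncated, and str is never read
 * beyond out_len bytes (so an unterminated input cannot be over-read either). */
static int func_checked(const char *str, char *out, size_t out_len) {
    size_t n = 0;
    while (n < out_len && str[n] != '\0')
        n++;
    if (n >= out_len)
        return -1;
    memcpy(out, str, n + 1);
    return 0;
}

/* The slide's caller: 255 'A's against a 16-byte buffer. Returns -1. */
static int demo_large_input(void) {
    char large_string[256];
    char buffer[BUF_LEN];
    memset(large_string, 'A', 255);
    large_string[255] = '\0';
    return func_checked(large_string, buffer, sizeof buffer);
}

/* Input that fits (15 chars + terminator) is copied intact. Returns 0. */
static int demo_small_input(void) {
    char buffer[BUF_LEN];
    if (func_checked("fifteen-chars!!", buffer, sizeof buffer) != 0)
        return -1;
    return strcmp(buffer, "fifteen-chars!!");
}

int main(void) {
    printf("large input: %d  small input: %d\n", demo_large_input(), demo_small_input());
    return 0;
}
```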

16 POSIX Capabilities
Fine-grained control of who can do what
Traditional: all-or-nothing: root can do everything, a normal user can do nothing
Capabilities: define a set of distinct privileges in the system (if a task has a capability, it is permitted to do a certain task)
POSIX.1e defines a list of capabilities
Linux implements 8 from POSIX, and adds 24 Linux-specific (total 32)
Not capabilities as per the classical definition

17 Capabilities
CAP_CHOWN: allow changing file ownership
CAP_SETUID: allow manipulations of UIDs
CAP_NET_BIND_SERVICE: allow binding to TCP/UDP ports below 1024
CAP_DAC_OVERRIDE: bypass rwx permission checks
CAP_SYS_NICE: allow changing nice level
CAP_FOWNER: bypass need for uids to match (e.g. chmod)
CAP_SYS_PTRACE: allow ptrace() of any process
CAP_SYS_CHROOT: allow use of chroot()

18 Capabilities
CAP_MKNOD: allow creation of special files
CAP_SYS_MODULE: allow loading and unloading of kernel modules
CAP_DAC_READ_SEARCH: bypass directory read and execute permission checks
CAP_FSETID: don't clear suid and sgid flags on files when modified
CAP_KILL: bypass permission checks for sending signals
CAP_NET_RAW: allow the use of raw sockets

19 Capabilities Implementation
32-bit integer bitmap: 1 bit per capability; 1 means having the corresponding capability, 0 means not having it
Maximum 32 capabilities supported in Linux (will increase to 64 bits in coming versions)
Operations:
  cap_raise(c, flag): include the capability in c
  cap_lower(c, flag): remove the capability from c
  cap_raised(c, flag): does c have the capability?

20 Capability Set in Processes
Each process has 3 sets of capabilities:
  Permitted set: capabilities the task can use
  Effective set: capabilities that the task currently chooses to use (so as to lower privileges temporarily)
  Inheritable set: capabilities that are preserved across an "execve"
A child that is forked gets a copy of each of the three sets

21 Use Capabilities
Kernel can check the capability before doing privileged actions:
    ...
    if (!capable(CAP_XXX))
        return -EPERM;
capable(cap): does this process have the capability?
    int capable(int cap)
    {
        if (cap_raised(current->cap_effective, cap))
            return 1;
        return 0;
    }

22 Capability Example
Controlling the system call nice(). In kernel/sched.c:
    asmlinkage long sys_nice(int increment)
    {
        if (increment < 0) {
            if (!capable(CAP_SYS_NICE))
                return -EPERM;
            /* ... */
        }
        /* ... */
    }

23 Giving Capabilities
Capabilities are copied from the parent process.
But there is a need to provide program-specific capabilities, and inheriting from the parent will not give the required functionality.
So associate capabilities with executable programs.
Store capabilities in the files containing executable programs.

24 File Capabilities
Executable files can have capabilities too
Also have 3 sets: permitted, effective, inheritable
Stored as file attributes in file systems
Changes the process's capabilities after execve()
Capability rules:
  Inheritable set does not change after execve()
  New permitted set = file permitted set OR (file inheritable set AND process permitted set)
  New effective set = file effective set AND new permitted set
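The bitmap operations of slide 19, the capable() check of slide 21 and the execve() transition rules of slide 24, worked through in one added example (not code from the slides or from the kernel): a parent that holds CAP_SYS_PTRACE execs a server whose file capabilities grant only CAP_NET_BIND_SERVICE, and the ptrace capability does not survive the exec. The bit numbers, struct and function names are constructed for this example and are not Linux's real values.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not the slides' code: 32-bit capability bitmap, the
 * cap_raise/cap_lower/cap_raised operations, capable(), and the execve() rules. */
typedef uint32_t kernel_cap_t;

/* Constructed bit numbers for illustration, not Linux's real numbering. */
enum { CAP_CHOWN = 0, CAP_NET_BIND_SERVICE = 1, CAP_SYS_NICE = 2, CAP_SYS_PTRACE = 3 };

static void cap_raise(kernel_cap_t *c, int flag)  { *c |= (1u << flag); }
static void cap_lower(kernel_cap_t *c, int flag)  { *c &= ~(1u << flag); }
static int  cap_raised(kernel_cap_t c, int flag)  { return (c >> flag) & 1u; }

struct caps { kernel_cap_t permitted, effective, inheritable; };

/* Like the kernel's capable(): only the effective set grants a privilege. */
static int capable(const struct caps *task, int cap) {
    return cap_raised(task->effective, cap);
}

/* Rules from the "File Capabilities" slide, applied at execve():
 * I' = I;  P' = fP | (fI & P);  E' = fE & P'  (f* are the file's sets). */
static struct caps exec_transition(struct caps p, struct caps f) {
    struct caps n;
    n.inheritable = p.inheritable;
    n.permitted   = f.permitted | (f.inheritable & p.permitted);
    n.effective   = f.effective & n.permitted;
    return n;
}

/* Constructed scenario: the parent holds CAP_SYS_PTRACE (permitted) but has
 * lowered it from its effective set; the server's file caps grant only
 * CAP_NET_BIND_SERVICE (fP), with fE = all bits and fI = 0. */
static struct caps demo_exec(void) {
    struct caps parent = {0, 0, 0}, file = {0, 0, 0};
    cap_raise(&parent.permitted, CAP_SYS_PTRACE);
    parent.effective = parent.permitted;
    cap_lower(&parent.effective, CAP_SYS_PTRACE);   /* not in use right now */
    cap_raise(&file.permitted, CAP_NET_BIND_SERVICE);
    file.effective = ~0u;
    return exec_transition(parent, file);
}

int main(void) {
    struct caps t = demo_exec();   /* expect: bind <1024: 1  ptrace: 0 */
    printf("bind <1024: %d  ptrace: %d\n",
           capable(&t, CAP_NET_BIND_SERVICE), capable(&t, CAP_SYS_PTRACE));
    return 0;
}
```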

25 File Capability Implementation
Executable file data structure: struct linux_binprm, defined in include/linux/binfmts.h
Fields related to capabilities:
    kernel_cap_t cap_inheritable, cap_permitted, cap_effective;
When an executable file is loaded: fill in linux_binprm from the file system and call compute_creds()
Example: loading an ELF file: function load_elf_binary() calls compute_creds()

26 File Capability Implementation (Cont.)
File system support has recently been added in the Linux kernel, starting from Linux rc2.
Uses the "extended attributes" feature of the ext2 file system to store file capabilities.

27 Ongoing Research at IITG
No process should run with euid = 0
It's difficult to figure out the required capabilities for a given executable
How to convert a running system into one with capabilities
Is the available set of capabilities sufficient for an executable?

28 (Cont.)
Our goal: to ease the process of setting caps
A tool which sets the required caps by diagnosing the given executable
Monitor a server (with caps enabled): has the tool set the least required caps or not?
Gather more information to see if there are any areas left uncovered by the Capability System which should get attention.

29 (Cont.) Diagnostic tool
Checks which system calls are called by the executable
In cases where the capability check gates access to the system call outright, like CAP_CHOWN, CAP_SYS_PTRACE etc., the decision is obvious.
For cases like CAP_NET_RAW, CAP_NET_BIND_SERVICE etc., dynamic heuristics are required as the decision depends on the arguments passed.

30 Questions ???
