Enhancements to the Linux Kernel for Blocking Buffer Overflow Based Attacks Massimo Bernaschi Emanuele Gabrielli Luigi V. Mancini.


1 Enhancements to the Linux Kernel for Blocking Buffer Overflow Based Attacks
   Massimo Bernaschi, Emanuele Gabrielli, Luigi V. Mancini

2 Outline
   Introduction
   Problem analysis
   The Access Control Database
   The reference functions
   Performance
   Conclusion

3 Introduction
   Approach:
   Requires minimal additions to the kernel code
   No changes to the syntax and semantics of existing system calls
   No modifications of existing kernel data structures and algorithms
   No change to application source code
   No special compiling procedure is required

4 Introduction (Cont.)
   Access Control Database (ACD)
   To reduce the cost of the checks, a detailed analysis of privileged applications and system calls is carried out.
   Buffer overflow: the attacker makes the process execute injected (fake) instructions
   Goal: protection against buffer overflow based attacks

5 Problem analysis
   Privileged processes
   System calls analysis

6 Privileged processes
   Interactive
   Real user identifier (UID)
   Effective user identifier (EUID)
   System administrator = (both UID and EUID == 0)
   Prevent a privileged process from migrating into this category

7 Privileged processes (Cont.)
   Background, like a daemon or the cron daemon
   !((proc)->euid) && ((proc)->tty==NULL)
   First check: euid == 0
   Second check: tty == NULL, because a daemon does not need a controlling terminal
   Block any attempt made by these processes to re-acquire a controlling terminal

8 Privileged processes (Cont.)
   Setuid: the effective UID of the process is set equal to the UID of the program file owner
   !((proc)->euid)&&(proc)->uid
   A process is identified as setuid to root when EUID == 0 and the real UID is non-zero

9 System calls analysis

10 System calls analysis (Cont.)


12 The Access Control Database


14 execve_acd is composed of two arrays of eflst_t structures:
   admitted: only the privileged programs listed in this list may be executed
   failure: keeps a log of unauthorized attempts to invoke execve by any setuid process

15 The Access Control Database

16 A new system call, sys_setuid_aclm, is added for reading and modifying the information kept in the ACD
   A command, aclmng, manages the information kept in the ACD:
   -l  list the contents of the ACD kept in kernel space
   -L  load the ACD from a file into kernel space
   -w  write the ACD from kernel space into a file
   By default, with no options, -l is assumed

17 The reference functions
   execve
   setuid
   chmod

18 Execve

19 Execve (Cont.)
   check_rootproc() returns EXENA or EFNA
   EXENA: indicates that the program executed by this process is not listed in the ACD
   EFNA: indicates that the file fails ACD authentication, e.g. the file modification date and time do not match
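The slides give the privilege-class predicates (slides 6-8) and the two failure codes of check_rootproc() (slide 19) but not their glue. The following is an added user-space model, not the paper's kernel code; the struct layouts, the ACD_MAX size, the mtime field used for "authentication" and the sample entries are all assumptions made here.

```c
#include <stddef.h>
#include <string.h>
#include <time.h>

/* Added example (not the paper's code): models the predicates of
 * slides 6-8 and the execve_acd lookup of slide 19 in user space. */

#define EXENA 1   /* executed program is not listed in the ACD */
#define EFNA  2   /* listed, but the file fails ACD authentication */

struct proc { unsigned uid, euid; void *tty; };   /* assumed minimal task view */

/* slide 6: interactive root, both ids are 0 */
static int is_root_interactive(const struct proc *p) { return p->uid == 0 && p->euid == 0; }
/* slide 7: background root process with no controlling terminal */
static int is_root_daemon(const struct proc *p) { return !p->euid && p->tty == NULL; }
/* slide 8: setuid to root, effective id 0 but real id non-zero */
static int is_setuid_root(const struct proc *p) { return !p->euid && p->uid; }

/* one "admitted" entry: the program path plus the mtime recorded when the
 * ACD was loaded (assumed to be what the date/time check of slide 19 compares) */
struct eflst_t { const char *path; time_t mtime; };

#define ACD_MAX 4
static struct eflst_t admitted[ACD_MAX] = {
    { "/usr/sbin/sendmail", 946684800 },   /* constructed sample entries */
    { "/usr/bin/lpr",       946684800 },
    { NULL, 0 }, { NULL, 0 }
};
static int failure_count;   /* stands in for the "failure" log array */

/* Returns 0 if the program may be executed by this privileged process,
 * EXENA if it is not in the admitted list, EFNA if its mtime has changed.
 * Non-privileged callers are not subject to the check (assumption). */
static int check_rootproc(const struct proc *p, const char *path, time_t cur_mtime)
{
    if (!is_setuid_root(p) && !is_root_daemon(p) && !is_root_interactive(p))
        return 0;
    for (int i = 0; i < ACD_MAX && admitted[i].path != NULL; i++) {
        if (strcmp(admitted[i].path, path) != 0)
            continue;
        if (admitted[i].mtime == cur_mtime)
            return 0;
        failure_count++;
        return EFNA;
    }
    failure_count++;
    return EXENA;
}
```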

20 check_rootproc()

21 Setuid
   On setuid(0), the caller is forced to type the correct root password kept in the ACD
   If it does not match, the invocation is denied

22 chmod
   chmod +s -p /program1 /program2 foo
   Allows the setuid program foo to execute program1 and program2
   Checks that the filename is kept in the ACD

23 Performance
   Pentium II, 128 MB RAM, Linux kernel 2.2.12
   Each test repeated 40 times
   Workloads: Sendmail, lpr, rsync, X server

24 Performance (Cont.)

25 Conclusion
   Advantages: one more layer of protection, so more secure; done in the kernel, so execution speed is good
   Disadvantages: modifies the kernel, but kernel versions keep changing; the mechanism is not robust enough (an impression only, no concrete example was actually worked out)

