1 setuid Demystified -- Examining the API of Security Operation in OS using Formal Models
Hao Chen, David Wagner (UC Berkeley); Drew Dean (SRI International)
2 Objective
Understand the semantics of the security operation API in the OS precisely
Applications:
– Using these system calls properly in programs
– Verifying their documentation
– Detecting inconsistencies in OS kernels
– Building security properties and checking them in programs automatically (e.g. by a model checker)
3 What is setuid
Access control in Unix is based on the User ID model
Each process has 3 user IDs:
– Real uid (ruid)
– Effective uid (euid)
– Saved uid (suid)
Uid-setting system calls:
– setuid(), seteuid(), setreuid(), setresuid()
4 The setuid Mystery
Uid-setting system calls are a semantic mess:
– Counter-intuitive semantics
– Subtle differences among different calls
– Incompatible semantics of the same call in different Unix systems (e.g. Linux, Solaris, FreeBSD)
– Incomplete, inaccurate, or even wrong documentation
Reason: historical artifacts
5 Solution: Formal Model
Use a formal model to describe the user ID model
Build an FSA where:
– The states describe the user IDs of a process
– The transitions describe the semantics of the uid-setting system calls
6 Determine the States of the FSA
Each state is a tuple (ruid, euid, suid)
The range of user ID values determines the number of states
Example:
– A process switches between a privileged user ID and an unprivileged ID
– 2 user IDs: 0 (root), x (non-root)
– 2^3 = 8 states
7 Problem: Difficult to Determine Transitions
Large number of transitions. E.g.:
– Range of user ID values: {0, x} where x != 0
– Number of states: 8
– Number of transitions per state:
  setuid(uid): 2 transitions
  seteuid(euid): 2 transitions
  setreuid(ruid, euid): 4 transitions
  setresuid(ruid, euid, suid): 8 transitions
– Total transitions: 8 * (2 + 2 + 4 + 8) = 128
A laborious, error-prone process
8 Determine Transitions Automatically by Simulation
Idea: exhaustively make all system calls at each state
For each state s = (ruid, euid, suid), where each of ruid, euid, suid is in {0, uid 1, uid 2, …}
  For each system call c in {setuid(e), seteuid(e), setreuid(r, e), setresuid(r, e, s)} {
    Make the system call c in the state s
    Observe the ensuing state s'
    Add the transition s → s'
  }
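The simulation loop above, as an added example (not the authors' simulator) for one call, setresuid(), on Linux: for every (start state, argument tuple) pair over the uid range {0, x}, a forked child enters the start state with setresuid(), makes the call, and reports the ensuing state via getresuid(), so the kernel itself is the oracle. It assumes a Linux system, root privilege to enter the start states, and uid 1000 standing in for the unprivileged uid x; the other uid-setting calls are probed the same way by swapping the call in the child.

```c
#define _GNU_SOURCE                   /* exposes setresuid()/getresuid() in <unistd.h> on glibc */
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>
#define NVALS 2
static const uid_t vals[NVALS] = {0, 1000};   /* assumed range {0, x}; 1000 stands in for x */
typedef struct { uid_t r, e, s; } state_t;

/* Number the 8 states of {0, x}^3 (ruid most significant) and map an index back to a state. */
int state_index(state_t st) { return ((st.r != 0) * NVALS + (st.e != 0)) * NVALS + (st.s != 0); }
state_t state_from_index(int i) {
    state_t st = { vals[(i / (NVALS * NVALS)) % NVALS], vals[(i / NVALS) % NVALS], vals[i % NVALS] };
    return st;
}

/* One probe of the real kernel: a child enters `from`, calls setresuid(args) and reports the
 * ensuing (ruid, euid, suid) over a pipe.  *ret is the call's return value, or -2 when `from`
 * could not be entered (the parent must be root for that).  Returns 0 on success, -1 on error. */
int probe(state_t from, state_t args, state_t *to, int *ret) {
    int fd[2], buf[4] = {-2, 0, 0, 0};
    if (pipe(fd) < 0) return -1;
    pid_t pid = fork(); if (pid < 0) return -1;
    if (pid == 0) {                                   /* child: one throwaway process per probe */
        uid_t r, e, s;
        if (setresuid(from.r, from.e, from.s) == 0) {
            buf[0] = setresuid(args.r, args.e, args.s);
            getresuid(&r, &e, &s);                    /* observe s' instead of trusting the docs */
            buf[1] = (int)r; buf[2] = (int)e; buf[3] = (int)s;
        }
        _exit(write(fd[1], buf, sizeof buf) == (ssize_t)sizeof buf ? 0 : 1);
    }
    close(fd[1]);
    ssize_t n = read(fd[0], buf, sizeof buf);
    close(fd[0]); waitpid(pid, NULL, 0);
    if (n != (ssize_t)sizeof buf) return -1;
    *ret = buf[0]; to->r = buf[1]; to->e = buf[2]; to->s = buf[3];
    return 0;
}

int main(void) {                                      /* enumerate all 8 x 8 (state, call) pairs */
    for (int i = 0; i < NVALS * NVALS * NVALS; i++)
        for (int j = 0; j < NVALS * NVALS * NVALS; j++) {
            state_t from = state_from_index(i), args = state_from_index(j), to = {0, 0, 0};
            int ret;
            if (probe(from, args, &to, &ret) < 0 || ret == -2) { fputs("run as root to enter the start states\n", stderr); return 1; }
            printf("(%u,%u,%u) --setresuid(%u,%u,%u)--> %s (%u,%u,%u)\n", from.r, from.e, from.s,
                   args.r, args.e, args.s, ret == 0 ? "ok   " : "fails", to.r, to.e, to.s);
        }
    return 0;
}
```

Each printed line is one FSA transition; a failed call that still lands in a different state than it started in is exactly the kind of surprise the authors' slides 14 and 17 describe.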
9 FSA for setuid() in FreeBSD
10 FSA for setuid() in Linux
11 FSA for setreuid() in Linux
12 FSA for setresuid() in Linux
13 Benefits
Correctness: the FSA reflects what programs experience
Efficiency: the automatic method is portable to
– Different Unix systems
– Different kernel versions
14 Application: Understanding the Semantics of the System Calls
Find subtle semantic differences:
– Among different uid-setting system calls
– Among the same system call on different Unix systems
Find surprising, counter-intuitive semantics
15 Application: Verifying Man Pages
Incomplete man page:
– The man page for setuid() in Linux fails to mention capabilities, which affect how setuid() behaves
Wrong man pages:
– FreeBSD 4.4: "Unprivileged users may change the ruid to the euid and vice versa"
– Red Hat Linux 7.2: "The setgid function checks if the egid of the caller and if it is the superuser, …"
16 Application: Detecting Inconsistency in OS Kernel
Linux has fsuid:
– Used for filesystem permission checking
– Normally follows euid
Invariant in Linux 2.4.18 (kernel/sys.c):
– fsuid is 0 only if at least one of ruid, euid, suid is 0
Rationale:
– Ensuring that an fsuid-unaware cross-platform application can automatically drop root privilege in fsuid by dropping it in ruid, euid, suid
17 Application: Detecting Inconsistency in OS Kernel (cont.)
A bug breaks the invariant:
– The invariant is satisfied in setuid(), seteuid(), setreuid()
– But it is broken in setresuid()
We found the bug using the simulator
The bug has been confirmed by Linus and Alan and will be fixed using our patch.
18 Application: Checking Proper Usage of Syscalls in Programs
Model checking security properties in programs:
– Model a program as a PDA
– Intersect the PDA (program) with the FSA of uid-setting system calls to get a new PDA
– Check reachability of risky states in the new PDA
Can answer questions like:
– Can a uid-setting system call fail in this program?
– Can this program fail to drop privilege?
– Which parts of this program run with privilege?
Result: found known bugs in sendmail 8.10.1 and 8.12.0
19 Conclusion
Formal models are useful in:
– Understanding the APIs of security operations
– Verifying their documentation
– Detecting inconsistencies in OS kernels
– Checking proper usage of security-relevant APIs in programs