Practical Techniques to Obviate Setuid-to-Root Binaries
Bhushan Jain, Chia-Che Tsai, Jitin John, Donald E. Porter
Operating Systems, Security, Concurrency and Architecture Research

Setuid bit: Duct Tape of Security
- Mismatched kernel and system policies
- Trusted setuid-to-root binaries patch the problem
- Opportunities for privilege escalation!
- Least Privilege Principle: grant the minimal privilege required "for a given function"
- Setuid-root violates the least privilege principle

Example: mount
- Linux kernel policy: only root can mount anywhere
- System policy: a user can mount at the safe locations listed in /etc/fstab

  Linux, privileged daemon (user space):
      /* Parse /etc/fstab */
      sys_mount(args);

  Linux, kernel:
      sys_mount() {
          if (!capable(CAP_SYS_ADMIN))
              return -EPERM;
          ...
      }

  Protego, de-privileged user space:
      if (ruid == 0 || user_mount_ok(args))
          /* parse fstab */
          sys_mount(args);

  Protego, kernel (LSM hook):
      if (!security_mount_ok(args))
          return -EPERM;

Real-World Study
- Lintian reports 119 setuid-to-root binaries; installation data from the Debian popularity contest:
  - 26 binaries are installed on 89% of systems
  - 83 binaries are installed on <0.89% of systems
  [Bar chart: percentage installation (0-100%) per setuid-to-root binary (0-120)]

Protego Approach
- Study the policy of the 26 most popular binaries, selected by popularity and recency (28 total):
  1. Why is root needed?
  2. Is there a simpler alternative in the kernel?
- Goal: a non-admin never raises privilege

System Abstractions for Setuid Binaries

  Interface used                  | Binaries | What do we do?
  --------------------------------|----------|-----------------------------------------------------------
  mount, umount                   | 3        | Whitelist safe locations and options
  socket (ping)                   | 5        | Firewall rules on raw sockets
  Cred. databases (passwd)        | 5        | Fragment into per-user or per-group files, with DAC granularity
  ioctl (pppd)                    | 2        | LSM hooks to verify new routes
  bind (mail)                     | 3        | Map low port to (binary, userid)
  setuid, setgid                  | 7        | Delegation framework: LSM hooks check delegation rules
  Video driver control state (X)  | 1        | Kernel mode switching: context-switch video devices in kernel

Evaluation
- Performance overhead: 0 ~ 2.5% in general, < 7.4% worst case
- Functionality: equivalent to Linux
- Protego Trusted Computing Base (LoC):
  - Trusted services = 1,600
  - Kernel = 715
  - Total addition to TCB = 2,315
  - LoC de-privileged by Protego = 15,047
  - Net LoC de-privileged = 12,732

Information and code release: http://protego.cs.stonybrook.edu
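The mount example above rests on a user-space whitelist check (the poster's user_mount_ok) that lets an unprivileged process decide, before it ever calls sys_mount(), whether the request matches a safe /etc/fstab entry. The block below is an added illustration of such a check and is not Protego's own code or its code release; its fstab text and the requests in main() are constructed sample data, and the function names (parse_fstab, has_opt, user_mount_ok, check_user_mount) are assumed for this example. It follows the mount(8) convention that only entries carrying "user"/"users" are user-mountable, that every requested option must appear in that entry's option list, and that suid, dev and exec are never granted to a non-root caller:

```c
/* Added example (not Protego code): user-space whitelist check in the
 * spirit of the poster's user_mount_ok(). The fstab text and requests
 * below are constructed sample data. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define MAX_FIELD   64
#define MAX_OPTS    128
#define MAX_ENTRIES 16

struct fstab_entry {
    char source[MAX_FIELD];
    char target[MAX_FIELD];
    char fstype[MAX_FIELD];
    char options[MAX_OPTS];
};

/* Constructed sample /etc/fstab: only the two removable media entries
 * are marked user-mountable; the root filesystem is not. */
static const char SAMPLE_FSTAB[] =
    "# constructed sample fstab\n"
    "/dev/sda1   /           ext4     defaults         0 1\n"
    "/dev/sdb1   /media/usb  vfat     user,noauto,rw   0 0\n"
    "/dev/cdrom  /media/cd   iso9660  users,noauto,ro  0 0\n";

/* Does the comma-separated list `opts` contain exactly `name`? */
static bool has_opt(const char *opts, const char *name)
{
    size_t n = strlen(name);
    const char *p = opts;
    while (*p) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == n && strncmp(p, name, n) == 0)
            return true;
        if (!end)
            break;
        p = end + 1;
    }
    return false;
}

/* Parse fstab text into entries; comments and blank lines are skipped,
 * the dump/pass fields are ignored. Returns the number of entries. */
static int parse_fstab(const char *text, struct fstab_entry *out, int max)
{
    int count = 0;
    const char *line = text;
    while (*line && count < max) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[256];
        if (len >= sizeof buf)
            len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';
        struct fstab_entry *e = &out[count];
        if (buf[0] != '#' &&
            sscanf(buf, "%63s %63s %63s %127s",
                   e->source, e->target, e->fstype, e->options) == 4)
            count++;
        if (!nl)
            break;
        line = nl + 1;
    }
    return count;
}

/* Allowed iff an entry matches both source and target, it carries
 * "user" or "users", every requested option is in the entry's list,
 * and none of suid/dev/exec is requested (mount(8) forbids these for
 * user mounts). Anything else is refused: the policy is a whitelist. */
static bool user_mount_ok(const struct fstab_entry *tab, int n,
                          const char *source, const char *target,
                          const char *req_opts)
{
    for (int i = 0; i < n; i++) {
        const struct fstab_entry *e = &tab[i];
        if (strcmp(e->source, source) != 0 || strcmp(e->target, target) != 0)
            continue;
        if (!has_opt(e->options, "user") && !has_opt(e->options, "users"))
            return false;
        const char *p = req_opts;
        while (p && *p) {
            const char *end = strchr(p, ',');
            size_t len = end ? (size_t)(end - p) : strlen(p);
            char opt[MAX_FIELD];
            if (len >= sizeof opt)
                return false;
            memcpy(opt, p, len);
            opt[len] = '\0';
            if (!strcmp(opt, "suid") || !strcmp(opt, "dev") || !strcmp(opt, "exec"))
                return false;
            if (!has_opt(e->options, opt))
                return false;
            p = end ? end + 1 : NULL;
        }
        return true;
    }
    return false;
}

/* Convenience entry point over the embedded sample fstab. */
bool check_user_mount(const char *source, const char *target, const char *opts)
{
    struct fstab_entry tab[MAX_ENTRIES];
    int n = parse_fstab(SAMPLE_FSTAB, tab, MAX_ENTRIES);
    return user_mount_ok(tab, n, source, target, opts);
}

int main(void)
{
    printf("usb rw,noauto : %d\n", check_user_mount("/dev/sdb1", "/media/usb", "rw,noauto"));
    printf("usb rw,suid   : %d\n", check_user_mount("/dev/sdb1", "/media/usb", "rw,suid"));
    printf("root rw       : %d\n", check_user_mount("/dev/sda1", "/", "rw"));
    printf("cd rw         : %d\n", check_user_mount("/dev/cdrom", "/media/cd", "rw"));
    return 0;
}
```

The check is deliberately a whitelist over the exact (source, target) pair rather than a match on either field alone, so a user cannot redirect a permitted device to an unlisted mountpoint or mount an unlisted device at a permitted one. It does not expand the "defaults" keyword; a production policy would have to, since "defaults" implies suid, dev and exec.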