DOCSLIB.ORG

Temporal System Call Specialization for Attack Surface Reduction

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Temporal System Call Specialization for Attack Surface Reduction Temporal System Call Specialization for Attack Surface Reduction Seyedhamed Ghavamnia, Tapti Palit, Shachee Mishra, and Michalis Polychronakis, Stony Brook University https://www.usenix.org/conference/usenixsecurity20/presentation/ghavamnia This paper is included in the Proceedings of the 29th USENIX Security Symposium. August 12–14, 2020 978-1-939133-17-5 Open access to the Proceedings of the 29th USENIX Security Symposium is sponsored by USENIX. Temporal System Call Specialization for Attack Surface Reduction Seyedhamed Ghavamnia, Tapti Palit, Shachee Mishra, Michalis Polychronakis Stony Brook University Abstract during the lifetime of the program. This is especially true for Attack surface reduction through the removal of unnecessary server applications, which once launched, remain running and application features and code is a promising technique for serving requests for a long period of time. This means that improving security without incurring any additional overhead. all kernel capabilities (i.e., system calls) remain available to Recent software debloating techniques consider an applica- a potentially vulnerable process, and can thus be used as part tion’s entire lifetime when extracting its code requirements, of exploitation attempts. and reduce the attack surface accordingly. Software debloating and specialization has recently gained In this paper, we present temporal specialization, a novel popularity as a technique for removing or constraining un- approach for limiting the set of system calls available to a used parts of applications, with the goal of reducing the process depending on its phase of execution. Our approach code and features available to attackers. While some ap- is tailored to server applications, which exhibit distinct ini- proaches use static analysis to identify unused parts of shared tialization and serving phases with different system call re- libraries [12,51], others rely on dynamic analysis and train- quirements. We present novel static analysis techniques for ing to identify unneeded parts of the application [13, 21,48]. improving the precision of extracting the application’s call Similar techniques have also been applied on containers to graph for each execution phase, which is then used to pinpoint constrain the set of system calls available to the hosted pro- the system calls used in each phase. We show that require- grams [22, 38, 59]. A key shared characteristic of the above ments change throughout the lifetime of servers, and many approaches is that they consider the entire lifetime of a pro- dangerous system calls (such as execve) can be disabled gram as part of the scope of their analysis. after the completion of the initialization phase. We have im- In this paper, we explore software specialization from a plemented a prototype of temporal specialization on top of the different perspective, and present temporal system call spe- LLVM compiler, and evaluated its effectiveness with six pop- cialization, a novel attack surface reduction approach for lim- ular server applications. Our results show that it disables 51% iting even further the set of system calls that are available more security-critical system calls compared to existing li- to a process, depending on its phase of execution. Instead of brary specialization approaches, while offering the additional treating each application as a single, monolithic entity with benefit of neutralizing 13 more Linux kernel vulnerabilities an unchanging set of requirements, temporal specialization that could lead to privilege escalation. takes into consideration the changes in an application’s re- quirements throughout its execution lifetime. In particular, 1 Introduction we focus on server applications, which typically exhibit two distinct initialization and serving phases. Modern software is complex. Applications typically support Our main motivation is that many dangerous system calls, a wide range of functionalities for different use cases [28,49], such as execve, which are frequently used as part of exploit as evidenced by the existence of multiple features, options, code, are often not removed by existing code debloating and and configuration settings. To support these different features, specialization techniques, because they are required by the programs typically require access to a vast range of privileged application for legitimate purposes. Crucially, however, oper- operations from the OS kernel (e.g., allocating memory, creat- ations such as spawning new processes or creating listening ing new processes, and accessing files or the network), which sockets are typically only performed during the very first are made available through the system call interface. moments of a server’s lifetime—the initialization phase. Tem- Some of these capabilities, however, are used by the ap- poral specialization automatically derives the set of system plication only once during startup, and are never used again calls required by each execution phase, and restricts the set of USENIX Association 29th USENIX Security Symposium 1749 available system calls once the server enters its stable serv- 2 Background and Motivation ing phase. This significantly reduces the set of system calls available to an attacker. User-space applications rely on the system call API to inter- A crucial requirement for pinpointing the system calls act with the OS. The Linux kernel v4.15 used in this work required in each phase is to construct a sound and precise provides 333 system calls, while its latest version 5.6 (as of call graph. As most server applications are developed using June 2020) provides 349. Applications, however, typically C/C++, which support indirect function invocations, we must rely only on a subset of these system calls for their opera- rely on static code analysis to resolve the possible targets tion. Moreover, their requirements change according to the of indirect call sites. Unfortunately, the state-of-the-art im- phase of execution, e.g., whether the application is being ini- plementations of points-to analysis algorithms suffer from tialized or serving requests. From a security perspective, this severe imprecision and overapproximation, which eventually overabundance of system calls allows an attacker to i) use results in the inclusion of many spurious system calls that the additional system calls to carry out malicious operations are not actually used. To address this challenge, we propose as part of exploiting a vulnerability, and ii) exploit underly- two pruning mechanisms that remove spurious edges from ing kernel vulnerabilities triggered through system calls and the derived call graph, significantly improving its precision achieve privilege escalation [22, 31, 32]. while retaining its soundness. After identifying the system calls needed in each phase, we use Seccomp BPF to block any system calls that are not needed anymore after the completion 2.1 Static vs. Temporal API Specialization of the initialization phase, thereby removing them from the Previous works in attack surface reduction [21, 26, 34, 48, 50] process’ attack surface. consider the entire application lifetime, and remove function- We implemented a prototype of temporal specialization ality that will never be used at any point. When considering for Linux on top of LLVM, and evaluated it with six popular the execution phases of typical server applications, however, applications (Nginx, Apache Httpd, Lighttpd, Bind, Mem- we observe that further specialization can be achieved. cached, and Redis). We show that many dangerous system In particular, servers typically start handling client requests calls, such as execve, can be disabled after the application after performing a series of one-time operations for setting up enters its serving phase, i.e., when the server application starts the process. This initialization phase mainly consists of op- handling client requests and becomes susceptible to attacks. erations such as parsing configuration files, binding network Our results show that temporal specialization disables 51% ports, and forking worker processes. After the completion more security-critical system calls compared to existing li- of these tasks, the server enters its main long-term serving brary specialization approaches [12, 51], while in many cases phase for handling client requests. In this stable state, the it does not leave room for evasion using alternative system server typically performs operations such as reading from and call combinations. As an added benefit, 53 Linux kernel vul- writing to sockets or files, managing memory, and allocating nerabilities are neutralized by removing system calls which tasks to the worker processes. Nginx [7] is an example of a serve as entry points for triggering them, 13 of which are not server which exhibits this behavior. Depending on whether it preventable by library specialization. is started in “single-process” or “multi-process” mode, Nginx Our work makes the following main contributions: either executes the function ngx_single_process_cycle, or forks the configured number of worker processes, each 1. We propose a novel temporal system call specialization of which invokes the function ngx_worker_process_cycle. approach that considers the different operational charac- Both functions mark the beginning of the serving phase by teristics of server applications throughout their different entering an infinite loop that processes client requests. execution phases. The operations performed in these two phases are distinc- 2. We present type-based
Load more

Recommended publications
  • A Practical UNIX Capability System
    A Practical UNIX Capability System Adam Langley <[email protected]> 22nd June 2005 ii Abstract This report seeks to document the development of a capability security system based on a Linux kernel and to follow through the implications of such a system. After defining terms, several other capability systems are discussed and found to be excellent, but to have too high a barrier to entry. This motivates the development of the above system. The capability system decomposes traditionally monolithic applications into a number of communicating actors, each of which is a separate process. Actors may only communicate using the capabilities given to them and so the impact of a vulnerability in a given actor can be reasoned about. This design pattern is demonstrated to be advantageous in terms of security, comprehensibility and mod- ularity and with an acceptable performance penality. From this, following through a few of the further avenues which present themselves is the two hours traffic of our stage. Acknowledgments I would like to thank my supervisor, Dr Kelly, for all the time he has put into cajoling and persuading me that the rest of the world might have a trick or two worth learning. Also, I’d like to thank Bryce Wilcox-O’Hearn for introducing me to capabilities many years ago. Contents 1 Introduction 1 2 Terms 3 2.1 POSIX ‘Capabilities’ . 3 2.2 Password Capabilities . 4 3 Motivations 7 3.1 Ambient Authority . 7 3.2 Confused Deputy . 8 3.3 Pervasive Testing . 8 3.4 Clear Auditing of Vulnerabilities . 9 3.5 Easy Configurability .
    [Show full text]
  • Reducing Power Consumption in Mobile Devices by Using a Kernel
    IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. Z, NO. B, AUGUST 2017 1 Reducing Event Latency and Power Consumption in Mobile Devices by Using a Kernel-Level Display Server Stephen Marz, Member, IEEE and Brad Vander Zanden and Wei Gao, Member, IEEE E-mail: [email protected], [email protected], [email protected] Abstract—Mobile devices differ from desktop computers in that they have a limited power source, a battery, and they tend to spend more CPU time on the graphical user interface (GUI). These two facts force us to consider different software approaches in the mobile device kernel that can conserve battery life and reduce latency, which is the duration of time between the inception of an event and the reaction to the event. One area to consider is a software package called the display server. The display server is middleware that handles all GUI activities between an application and the operating system, such as event handling and drawing to the screen. In both desktop and mobile devices, the display server is located in the application layer. However, the kernel layer contains most of the information needed for handling events and drawing graphics, which forces the application-level display server to make a series of system calls in order to coordinate events and to draw graphics. These calls interrupt the CPU which can increase both latency and power consumption, and also require the kernel to maintain event queues that duplicate event queues in the display server. A further drawback of placing the display server in the application layer is that the display server contains most of the information required to efficiently schedule the application and this information is not communicated to existing kernels, meaning that GUI-oriented applications are scheduled less efficiently than they might be, which further increases power consumption.
    [Show full text]
  • A Multiplatform Pseudo Terminal
    A Multi-Platform Pseudo Terminal API Project Report Submitted in Partial Fulfillment for the Masters' Degree in Computer Science By Qutaiba Mahmoud Supervised By Dr. Clinton Jeffery ABSTRACT This project is the construction of a pseudo-terminal API, which will provide a pseudo-terminal interface access to interactive programs. The API is aimed at developing an extension to the Unicon language to allow Unicon programs to easily utilize applications that require user interaction via a terminal. A pseudo-terminal is a pair of virtual devices that provide a bidirectional communication channel. This project was constructed to enable an enhancement to a collaborative virtual environment, because it will allow external tools such to be utilized within the same environment. In general the purpose of this API is to allow the UNICON runtime system to act as the user via the terminal which is provided by the API, the terminal is in turn connected to a client process such as a compiler, debugger, or an editor. It can also be viewed as a way for the UNICON environment to control and customize the input and output of external programs. Table of Contents: 1. Introduction 1.1 Pseudo Terminals 1.2 Other Terminals 1.3 Relation To Other Pseudo Terminal Applications. 2. Methodology 2.1 Pseudo Terminal API Function Description 3. Results 3.1 UNIX Implementation 3.2 Windows Implementation 4. Conclusion 5. Recommendations 6. References Acknowledgments I would like to thank my advisor, Dr. Clinton Jeffery, for his support, patience and understanding. Dr. Jeffery has always been prompt in delivering and sharing his knowledge and in providing his assistance.
    [Show full text]
  • Onload User Guide
    Onload User Guide Copyright © 2017 SOLARFLARE Communications, Inc. All rights reserved. The software and hardware as applicable (the “Product”) described in this document, and this document, are protected by copyright laws, patents and other intellectual property laws and international treaties. The Product described in this document is provided pursuant to a license agreement, evaluation agreement and/or non‐disclosure agreement. The Product may be used only in accordance with the terms of such agreement. The software as applicable may be copied only in accordance with the terms of such agreement. Onload is licensed under the GNU General Public License (Version 2, June 1991). See the LICENSE file in the distribution for details. The Onload Extensions Stub Library is Copyright licensed under the BSD 2‐Clause License. Onload contains algorithms and uses hardware interface techniques which are subject to Solarflare Communications Inc patent applications. Parties interested in licensing Solarflare's IP are encouraged to contact Solarflare's Intellectual Property Licensing Group at: Director of Intellectual Property Licensing Intellectual Property Licensing Group Solarflare Communications Inc, 7505 Irvine Center Drive Suite 100 Irvine, California 92618 You will not disclose to a third party the results of any performance tests carried out using Onload or EnterpriseOnload without the prior written consent of Solarflare. The furnishing of this document to you does not give you any rights or licenses, express or implied, by estoppel or otherwise, with respect to any such Product, or any copyrights, patents or other intellectual property rights covering such Product, and this document does not contain or represent any commitment of any kind on the part of SOLARFLARE Communications, Inc.
    [Show full text]
  • Programmer's Guide
    Programmer’s Guide Release 18.11.11 Jan 20, 2021 CONTENTS 1 Introduction 1 1.1 Documentation Roadmap...............................1 1.2 Related Publications..................................2 2 Overview 3 2.1 Development Environment..............................3 2.2 Environment Abstraction Layer............................4 2.3 Core Components...................................4 2.3.1 Ring Manager (librte_ring)..........................4 2.3.2 Memory Pool Manager (librte_mempool)..................4 2.3.3 Network Packet Buffer Management (librte_mbuf).............6 2.3.4 Timer Manager (librte_timer)........................6 2.4 Ethernet* Poll Mode Driver Architecture.......................6 2.5 Packet Forwarding Algorithm Support........................6 2.6 librte_net........................................6 3 Environment Abstraction Layer7 3.1 EAL in a Linux-userland Execution Environment..................7 3.1.1 Initialization and Core Launching......................8 3.1.2 Shutdown and Cleanup...........................8 3.1.3 Multi-process Support............................8 3.1.4 Memory Mapping Discovery and Memory Reservation..........8 3.1.5 Support for Externally Allocated Memory.................. 11 3.1.6 Per-lcore and Shared Variables....................... 12 3.1.7 Logs...................................... 12 3.1.8 CPU Feature Identification.......................... 12 3.1.9 User Space Interrupt Event......................... 13 3.1.10 Blacklisting.................................. 14 3.1.11 Misc Functions...............................
    [Show full text]
  • Efficient Parallel I/O on Multi-Core Architectures
    Lecture series title/ lecture title Efficient parallel I/O on multi-core architectures Adrien Devresse CERN IT-SDC-ID Thematic CERN School of Computing 2014 1 Author(s) names – Affiliation Lecture series title/ lecture title How to make I/O bound application scale with multi-core ? What is an IO bound application ? → A server application → A job that accesses big number of files → An application that uses intensively network 2 Author(s) names – Affiliation Lecture series title/ lecture title Stupid example: Simple server monothreaded // create socket socket_desc = socket(AF_INET , SOCK_STREAM , 0); // bind the socket bind(socket_desc,(struct sockaddr *)&server , sizeof(server)); listen(socket_desc , 100); //accept connection from an incoming client while(1){ // declarations client_sock = accept(socket_desc, (struct sockaddr *)&client, &c); //Receive a message from client while( (read_size = recv(client_sock , client_message , 2000 , 0)) > 0{ // Wonderful, we have a client, do some useful work std::string msg("hello bob"); write(client_sock, msg.c_str(), msg.size()); } } 3 Author(s) names – Affiliation Lecture series title/ lecture title Stupid example: Let's make it parallel ! int main(int argc, char** argv){ // creat socket void do_work(int socket){ socket_desc = socket(AF_INET , SOCK_STREAM , 0); //Receive a message while( (read_size = // bind the socket recv(client_sock , bind(socket_desc, server , sizeof(server)); client_message , 2000 , 0)) > 0{ listen(socket_desc , 100); // Wonderful, we have a client // useful works //accept connection
    [Show full text]
  • A Linux Kernel Scheduler Extension for Multi-Core Systems
    A Linux Kernel Scheduler Extension For Multi-Core Systems Aleix Roca Nonell Master in Innovation and Research in Informatics (MIRI) specialized in High Performance Computing (HPC) Facultat d’informàtica de Barcelona (FIB) Universitat Politècnica de Catalunya Supervisor: Vicenç Beltran Querol Cosupervisor: Eduard Ayguadé Parra Presentation date: 25 October 2017 Abstract The Linux Kernel OS is a black box from the user-space point of view. In most cases, this is not a problem. However, for parallel high performance computing applications it can be a limitation. Such applications usually execute on top of a runtime system, itself executing on top of a general purpose kernel. Current runtime systems take care of getting the most of each system core by distributing work among the multiple CPUs of a machine but they are not aware of when one of their threads perform blocking calls (e.g. I/O operations). When such a blocking call happens, the processing core is stalled, leading to performance loss. In this thesis, it is presented the proof-of-concept of a Linux kernel extension denoted User Monitored Threads (UMT). The extension allows a user-space application to be notified of the blocking and unblocking of its threads, making it possible for a core to execute another worker thread while the other is blocked. An existing runtime system (namely Nanos6) is adapted, so that it takes advantage of the kernel extension. The whole prototype is tested on a synthetic benchmarks and an industry mock-up application. The analysis of the results shows, on the tested hardware and the appropriate conditions, a significant speedup improvement.
    [Show full text]
  • Linux Kernel Development 3Rd Edition
    ptg Linux Kernel Development Third Edition ptg From the Library of Wow! eBook Developer’s Library ESSENTIAL REFERENCES FOR PROGRAMMING PROFESSIONALS Developer’s Library books are designed to provide practicing programmers with unique, high-quality references and tutorials on the programming languages and technologies they use in their daily work. All books in the Developer’s Library are written by expert technology practitioners who are especially skilled at organizing and presenting information in a way that’s useful for other programmers. Key titles include some of the best, most widely acclaimed books within their topic areas: PHP & MySQL Web Development Python Essential Reference Luke Welling & Laura Thomson David Beazley ISBN 978-0-672-32916-6 ISBN-13: 978-0-672-32978-6 MySQL Programming in Objective-C 2.0 ptg Paul DuBois Stephen G. Kochan ISBN-13: 978-0-672-32938-8 ISBN-13: 978-0-321-56615-7 Linux Kernel Development PostgreSQL Robert Love Korry Douglas ISBN-13: 978-0-672-32946-3 ISBN-13: 978-0-672-33015-5 Developer’s Library books are available at most retail and online bookstores, as well as by subscription from Safari Books Online at safari.informit.com Developer’s Library informit.com/devlibrary From the Library of Wow! eBook Linux Kernel Development ptg Third Edition Robert Love Upper Saddle River, NJ • Boston • Indianapolis • San Francisco New York • Toronto • Montreal • London • Munich • Paris • Madrid Cape Town • Sydney • Tokyo • Singapore • Mexico City From the Library of Wow! eBook Linux Kernel Development Acquisitions Editor Third Edition Mark Taber Development Copyright © 2010 Pearson Education, Inc.
    [Show full text]
  • Vnios Deployment on KVM January 2019
    Deployment Guide vNIOS deployment on KVM January 2019 TABLE OF CONTENTS Overview .............................................................................................................................................. 3 Introduction ........................................................................................................................................ 3 vNIOS for KVM ................................................................................................................................... 3 vNIOS deployment on KVM ................................................................................................................ 3 Preparing the environment ................................................................................................................. 3 Installing KVM and Bridge utilities ...................................................................................................... 3 Creating various types networks ........................................................................................................ 5 Downloading vNIOS QCOW2 image ................................................................................................. 8 Copying vNIOS qcow2 image .......................................................................................................... 10 Deploying vNIOS with Bridge Networking........................................................................................ 11 Deploying vNIOS through xml file with Bridge Networking .............................................................
    [Show full text]
  • ODROID-HC2: 3.5” High Powered Storage  February 1, 2018
    ODROID WiFi Access Point: Share Files Via Samba February 1, 2018 How to setup an ODROID with a WiFi access point so that an ODROID’s hard drive can be accessed and modied from another computer. This is primarily aimed at allowing access to images, videos, and log les on the ODROID. ODROID-HC2: 3.5” High powered storage February 1, 2018 The ODROID-HC2 is an aordable mini PC and perfect solution for a network attached storage (NAS) server. This device home cloud-server capabilities centralizes data and enables users to share and stream multimedia les to phones, tablets, and other devices across a network. It is an ideal tool for many use Using SquashFS As A Read-Only Root File System February 1, 2018 This guide describes the usage of SquashFS PiFace: Control and Display 2 February 1, 2018 For those who have the PiFace Control and Display 2, and want to make it compatible with the ODROID-C2 Android Gaming: Data Wing, Space Frontier, and Retro Shooting – Pixel Space Shooter February 1, 2018 Variations on a theme! Race, blast into space, and blast things into pieces that are racing towards us. The fun doesn’t need to stop when you take a break from your projects. Our monthly pick on Android games. Linux Gaming: Saturn Games – Part 1 February 1, 2018 I think it’s time we go into a bit more detail about Sega Saturn for the ODROID-XU3/XU4 Gaming Console: Running Your Favorite Games On An ODROID-C2 Using Android February 1, 2018 I built a gaming console using an ODROID-C2 running Android 6 Controller Area Network (CAN) Bus: Implementation
    [Show full text]
  • Monitoring File Events
    MONITORING FILE EVENTS Some applications need to be able to monitor files or directories in order to deter- mine whether events have occurred for the monitored objects. For example, a graphical file manager needs to be able to determine when files are added or removed from the directory that is currently being displayed, or a daemon may want to monitor its configuration file in order to know if the file has been changed. Starting with kernel 2.6.13, Linux provides the inotify mechanism, which allows an application to monitor file events. This chapter describes the use of inotify. The inotify mechanism replaces an older mechanism, dnotify, which provided a subset of the functionality of inotify. We describe dnotify briefly at the end of this chapter, focusing on why inotify is better. The inotify and dnotify mechanisms are Linux-specific. (A few other systems provide similar mechanisms. For example, the BSDs provide the kqueue API.) A few libraries provide an API that is more abstract and portable than inotify and dnotify. The use of these libraries may be preferable for some applications. Some of these libraries employ inotify or dnotify, on systems where they are available. Two such libraries are FAM (File Alteration Monitor, http:// oss.sgi.com/projects/fam/) and Gamin (http://www.gnome.org/~veillard/gamin/). 19.1 Overview The key steps in the use of the inotify API are as follows: 1. The application uses inotify_init() to create an inotify instance. This system call returns a file descriptor that is used to refer to the inotify instance in later operations.
    [Show full text]
  • Unbreakable Enterprise Kernel Release Notes for Unbreakable Enterprise Kernel Release 3
    Unbreakable Enterprise Kernel Release Notes for Unbreakable Enterprise Kernel Release 3 E48380-10 June 2020 Oracle Legal Notices Copyright © 2013, 2020, Oracle and/or its affiliates. This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited. The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing. If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, then the following notice is applicable: U.S. GOVERNMENT END USERS: Oracle programs (including any operating system, integrated software, any programs embedded, installed or activated on delivered hardware, and modifications of such programs) and Oracle computer documentation or other Oracle data delivered to or accessed by U.S. Government end users are "commercial computer software" or "commercial computer software documentation" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, the use, reproduction, duplication, release, display, disclosure, modification, preparation of derivative works, and/or adaptation of i) Oracle programs (including any operating system, integrated software, any programs embedded, installed or activated on delivered hardware, and modifications of such programs), ii) Oracle computer documentation and/or iii) other Oracle data, is subject to the rights and limitations specified in the license contained in the applicable contract.
    [Show full text]