Practical Techniques to Obviate Setuid-To-Root Binaries
Total Page:16
File Type:pdf, Size:1020Kb
Operating Systems, Security, Concurrency and Architecture Research Practical Techniques to Obviate Setuid-to-Root Binaries Bhushan Jain, Chia-Che Tsai, Jitin John, Donald Porter OSCAR Lab Computer Science Department Stony Brook University 1 Setuid-root and Privilege Escalaiton /bin/mount /dev/sda2 /disk1 Root Kernel 2 Setuid-root and Privilege Escalaiton /bin/mount /dev/sda2 /disk1 /* Parse arguments */ sys_mount(args); Root Kernel 3 Setuid-root and Privilege Escalaiton /bin/mount /dev/sda2 /disk1 /* Parse arguments */ sys_mount(args); Root root has all capabilities Kernel sys_mount() { if(!capable(CAP_SYS_ADMIN)) return –EPERM; do_mount(); } 4 Setuid-root and Privilege Escalaiton /bin/mount /dev/cdrom /cdrom /* Parse arguments */ sys_mount(args); User user has no capabilities Kernel sys_mount() { if(!capable(CAP_SYS_ADMIN)) return –EPERM; do_mount(); } 5 Setuid-root and Privilege Escalaiton /bin/mount /dev/cdrom /cdrom /* Parse arguments */ Setuid to Root sys_mount(args); User Kernel sys_mount() { if(!capable(CAP_SYS_ADMIN)) return –EPERM; do_mount(); } 6 Setuid-root and Privilege Escalaiton /bin/mount /dev/cdrom /cdrom /* Parse arguments */ Setuid to Root sys_mount(args); User Kernel sys_mount() { if(!capable(CAP_SYS_ADMIN)) return –EPERM; do_mount(); } 7 Setuid-root and Privilege Escalaiton /bin/mount /dev/cdrom /cdrom /dev/cdrom /cdrom iso9660 user,ro 0 0 /* Parse arguments */ Setuid /etc/fstab to Root sys_mount(args); User Kernel sys_mount() { if(!capable(CAP_SYS_ADMIN)) return –EPERM; do_mount(); } 8 Setuid-root and Privilege Escalaiton /bin/mount /dev/cdrom /cdrom /dev/cdrom /cdrom iso9660 user,ro 0 0 /* Parse arguments */ Setuid /etc/fstab if(ruid == 0 || to Root user_mount_ok(args)) sys_mount(args); User Kernel sys_mount() { if(!capable(CAP_SYS_ADMIN)) return –EPERM; do_mount(); } 9 Setuid-root and Privilege Escalaiton /bin/mount /dev/cdrom /cdrom /dev/cdrom /cdrom iso9660 user,ro 0 0 /* ParseExploit arguments */ Setuid if(ruid == 0 || to Root /etc/fstab Vulnerability */ user_mount_ok(args)) fd=open(“sys_mount(args);rootkit.ko”) finit_module(fd); User rootkit.ko Kernel sys_mount() { if(!capable(CAP_SYS_ADMIN)) return –EPERM; do_mount(); } 10 Setuid-root and Privilege Escalaiton /bin/mount /dev/cdrom /cdrom /dev/cdrom /cdrom iso9660 user,ro 0 0 /* ParseExploit arguments */ Setuid if(ruid == 0 || to Root /etc/fstab Vulnerability */ user_mount_ok(args)) fd=open(“sys_mount(args);rootkit.ko”) finit_module(fd); User rootkit.ko Kernel sys_mount() { if(!capable(CAP_SYS_ADMIN)) return –EPERM; do_mount(); } 11 Setuid-root and Privilege Escalaiton /bin/mount /dev/cdrom /cdrom /dev/cdrom /cdrom iso9660 user,ro 0 0 /* ParseExploit arguments */ Setuid if(ruid == 0 || to Root /etc/fstab Vulnerability */ user_mount_ok(args)) fd=open(“sys_mount(args);rootkit.ko”) finit_module(fd); User rootkit.ko root has all capabilities Kernel sys_finit_modulesys_mount() { () { if(!capable(CAP_SYS_ADMIN))if(!capable(CAP_SYS_MODULE)) return –EPERM; rootkit.ko return –EPERM; do_mountdo_init_module(); } (); } 12 How is Setuid-Root Used in Practice? 100 80 26 Binaries on 60 89% systems 89% 40 83 Binaries on 20 <0.89% systems 0 Installation Percentage Installation 26 0 10 20 30 40 50 60 70 80 90 100 110 120 Setuid-to-Root Binaries 13 Can we get rid of setuid-to-root? Surprisingly feasible to obviate setuid-root . ~10 underlying privileged abstractions Protego prototype change 715 LoC in kernel . De-privileged 12,732 lines of trusted binary code . < 2% kernel compile time overhead over Linux 3.6.0 . Ongoing investigation of long tail 14 Outline Background Insights and design principles Protego overview and examples Evaluation 15 Linux Capabilities Linux file POSIX capabilities . Not same as pointers with access control . Divide root privilege into 36 different capabilities Enforce least privilege for administrator . Too coarse for untrusted user . Many privileged actions with just CAP_NET_ADMIN Need to think about least privilege for untrusted user 16 Efforts to Mitigate Setuid-Root Risks Ubuntu/Fedora try to limit use of setuid-root . Privilege Bracketing, consolidation, fs permissions . Not able to completely eliminate setuid-root Some binaries have point alternatives SELinux enforces relatively fine-grained security . Still too liberal for least privilege of user . SELinux introduces substantial complexity 17 What can we do about setuid-root risk? 18 How do we approach this problem? 100 Studied 28 in detail 80 . Order by popularity 60 40 Study policies in binaries 20 0 0 40 10 20 30 50 60 70 80 90 . Why is root needed? Percentage Installation 100 110 120 . Simpler alternative in kernel? Setuid-to-Root Binaries Goal: Non-admin never raises privilege 19 Setuid-Root: Unix Security Duct Tape Kernel policy mismatch with system policy . Kernel : only root can mount anywhere . System : any user can mount at safe locations Point solutions used as duct tape . Setuid binary mount bridges the gap Generally setuid patches kernel and system policies 20 Interface Designs can Thwart Least Privilege Interface design choice may need more privilege dmcrypt-get-device use privileged ioctl . Reports physical device under encrypted device . Also discloses the private key . Can get same info from /sys without privilege . Maintainers agreed to use /sys interface. Sometimes setuid indicates programmer error 21 Protego Design No need for trusted apps to enforce system policy . Inform kernel about system policy . Enforce system policy using Linux Security Module . Policies orthogonal to AppArmor, SELinux, etc. Object-based policies for unprivileged users Adjust the interfaces that need more privilege Maintain backwards compatibility for user 22 System Abstractions for Setuid Binaries Privileged Interface Used by What do we do? mount, umount 3 Whitelist safe locations and options socket (ping) 5 Apply firewall rules on raw sockets Credential databases (passwd) 5 Fragment to per-user or pergroup files, matching DAC granularity. ioctl (pppd) 2 Add LSM hooks to verify new routes bind (mail) 3 Map low port to (binary, userid) pair setuid, setgid (sudo) 7 Delegation Framework: LSM hooks to check delegation rules & recency Video driver control state (X) 1 Kernel Mode Switching: Context switches video devices in the kernel /dev/pts* terminal slaves (pt_chown) 1 Deprecated since kernel 2.1 Host private ssh key (ssh-keysign) 1 Restrict file access to specific binaries A few abstractions, many binaries 23 Example 1: Protego mount Root Kernel Protego LSM This technique works for 3/28 setuid-root binaries 24 Example 1: Protego mount /etc/fstab Root Kernel Protego LSM This technique works for 3/28 setuid-root binaries 25 Example 1: Protego mount /dev/cdrom /cdrom iso9660 user,ro 0 0 /etc/fstab Root Kernel Protego LSM This technique works for 3/28 setuid-root binaries 26 Example 1: Protego mount /dev/cdrom /cdrom iso9660 user,ro 0 0 /etc/fstab Privileged Daemon /*Parse /etc/fstab*/ Root Kernel Protego LSM This technique works for 3/28 setuid-root binaries 27 Example 1: Protego mount /dev/cdrom /cdrom iso9660 user,ro 0 0 /etc/fstab Privileged Daemon /*Parse /etc/fstab*/ Root Kernel /proc/ mnt_policy Protego LSM This technique works for 3/28 setuid-root binaries 28 Example 1: Protego mount /dev/cdrom /cdrom iso9660 user,ro 0 0 Unprivileged user /etc/fstab Privileged Daemon /*Parse /etc/fstab*/ Root Kernel /proc/ mnt_policy Protego LSM This technique works for 3/28 setuid-root binaries 29 Example 1: Protego mount /dev/cdrom /cdrom iso9660 user,ro 0 0 Unprivileged user /etc/fstab Privileged Daemon mount /dev/cdrom /cdrom /*Parse /etc/fstab*/ Root Kernel /proc/ mnt_policy Protego LSM This technique works for 3/28 setuid-root binaries 30 Example 1: Protego mount /dev/cdrom /cdrom iso9660 user,ro 0 0 Unprivileged user /etc/fstab Privileged Daemon mount /dev/cdrom /cdrom /*Parse /etc/fstab*/ sys_mount(args); Root Kernel /proc/ mnt_policy Protego LSM This technique works for 3/28 setuid-root binaries 31 Example 1: Protego mount /dev/cdrom /cdrom iso9660 user,ro 0 0 Unprivileged user /etc/fstab Privileged Daemon mount /dev/cdrom /cdrom /*Parse /etc/fstab*/ sys_mount(args); Root sys_mount() { Kernel if(!security_mount_ok(args)) /proc/ return -EPERM; mnt_policy do_mount(args); Protego LSM } This technique works for 3/28 setuid-root binaries 32 Example 1: Protego mount /dev/cdrom /cdrom iso9660 user,ro 0 0 Unprivileged user /etc/fstab Privileged Daemon mount /dev/cdrom /cdrom /*Parse /etc/fstab*/ sys_mount(args); Root sys_mount() { Kernel if(!security_mount_ok(args)) /proc/ return -EPERM; mnt_policy do_mount(args); Protego LSM } This technique works for 3/28 setuid-root binaries 33 Underlying Problem with Setuid-bit Setuid bit is user/subject-based mechanism . “Does the user have privilege to take this action?” . E.g., Who can mount a device? Object-based security policies are better fit . “Can any user take an action on this object?” . E.g., Which device can be safely mounted and where? 34 Example 2: Linux ping Raw socket : unimplemented protocols in kernel TCP/UDP packets can be faked by raw sockets . Appear from socket owned by another process Kernel : CAP_NET_RAW to create raw socket System : Allow sending safe packets on raw socket . ping uses raw sockets for ICMP packets 35 Example 2: Protego ping Allow raw socket creation for all users Whitelist set of all safe packets on raw sockets . Use packet filtering framework (netfilter/BPF) . Limit raw socket protocol and message types For ping, allow ICMP echo request and reply This technique works for 5/28 setuid-root binaries 36 Example 3: Linux