System Call Authorization in Linux by a Secure Daemon
Total Page:16
File Type:pdf, Size:1020Kb
VOL. 12, NO. 12, JUNE 2017 ISSN 1819-6608 ARPN Journal of Engineering and Applied Sciences ©2006-2017 Asian Research Publishing Network (ARPN). All rights reserved. www.arpnjournals.com SYSTEM CALL AUTHORIZATION IN LINUX BY A SECURE DAEMON Vivek Radhakrishnan, Hari Narayanan and Shiju Sathyadevan Amrita Center for Cybersecurity Systems and Networks Amrita School of Engineering, Amritapuri Amrita Vishwa Vidyapeetham Amrita University, India E-Mail: [email protected] ABSTRACT Compromises on data integrity and confidentiality have exposed the vulnerability of security architectures of traditional Linux-based operating systems against malicious attacks. Minimized functionality and increased complexity restrict the effectiveness of traditional approaches such as sandboxing in handling attacks. We proposed architecture based on restricted user privileges and authorization to secure the Linux operating system. We developed a Secure Daemon to authorize the system calls. All the system calls invoked by user processes are redirected to secure daemon using a dynamic dispatch mechanism (wrapper functions) implemented on top of the existing libraries. Our approach ensures that critical system resources are protected in the event of an attack. Since the major elements of the proposed system operate at the user level, it is portable across all Linux distributions. Keywords: linux, authorization, system calls, secure daemon, wrapper functions, dynamic dispatch mechanism. INTRODUCTION environment or in a sandbox. So even if the application is All the operating systems employ some kind of malware affected it can do the least amount of damage as access control mechanisms. Authentication and it is running in a sandbox. This work is a continuation of authorization are two very important steps in an access our previous work [1]. We have come up with a modular control mechanism. Authentication is the process of design in which the entire architecture is broken down into verifying or validating the identity provided by a person or modules for the sake of implementation. We have partially an entity. Access control involves access policy definition implemented few modules. and access policy enforcement. Policy definition is the Usually, a process does not make system calls specification of access rules which is also called directly. It uses some API library like glibC and invokes authorization. The next step is the policy enforcement the API with the same name as the system call. The APIs which happens when an access request is actually in libC are wrapper functions to system calls. They hide received. A decision is taken whether to grant or deny the the lower level complexities from the user processes by access. providing high-level simple interfaces. There will be In traditional Linux operating systems, assembly code in these wrapper functions which causes an discretionary access control (DAC) mechanism is used. interrupt and context switch from user mode to kernel DAC uses identity-based authorization. A process can be mode. Before that, the system call number is placed in identified by its userid and the groupid. When a process process registers and parameters are placed in kernel tries to access a system resource, the kernel verifies its CALL stack. In the kernel, authorization is done and the effective userid and the effective groupid and matches it actual system call is invoked by the system call handler. with the resource permissions. If permission is matching, a We have implemented another wrapper function resource handle is returned to the process. The process can to the glibC API, which by itself is a wrapper for the perform its intended operation on the resource using this system calls. When the process invokes the glibC API, our resource handle. If permissions do not match, the process wrapper function is executed. In the normal mode, the is denied access and an error code is returned instead of actual API is executed as in the traditional Linux. In the the resource handle. If a process runs on behalf of a user, it secure mode, the parameters of the APIs are transferred to gets all the privileges of the user; in other words, the a Secure Daemon via Unix Domain Socket which does an process gets the ambient authority. If a user downloads a additional authorization on top of the existing malware affected application from the internet and authorization using the effective userid and the effective executes it, the application runs with the ambient groupid of the process. The resource handle is returned authority. This is a dangerous situation. The application back to the wrapper function by the Secure Daemon which has the potential to cause significant damages to the in turn returns it to the original user process. Also, we system. have analyzed our system to show that the latency incurred We have developed a new security architecture is very small. which builds a security ticket based authorization on top of The remainder of this paper is organized as given the existing identity-based authorization. This architecture below. Section II describes the design. Section III ensures that the application or the process has the exact describes the implementation. Section IV presents the privileges just enough to perform its intended tasks. This analysis and result. Section V presents our conclusion and effectively puts the application into a restricted section VI describes the related work. 3903 VOL. 12, NO. 12, JUNE 2017 ISSN 1819-6608 ARPN Journal of Engineering and Applied Sciences ©2006-2017 Asian Research Publishing Network (ARPN). All rights reserved. www.arpnjournals.com Figure-1. Top down modular design of the security architecture. DESIGN parameters to the Secd for authorization if the process is in The proposed secure Linux architecture [1] is the secure mode. In the normal mode, the wrapper broken down into several modules in a top-down fashion function invokes the original system call itself directly. for the sake of implementation. Each module is modifiable Wrapper function implementation is in progress for the without affecting the other modules. The major modules other critical system calls like socket create, socket bind, are SecLib, Secd, Modified LibC, Modified kernel, file create etc. Sandbox Tool and Sandboxed terminal as shown in the Figure-1. The shaded boxes at the bottom of the Figure-1 Modified kernel represent modules which are already implemented. The Linux kernel is modified by adding new Implementation of the unshaded boxes is in progress. system call which switches a process from normal mode to the secure mode. Also, we need another system call to SecLib query the current mode of the process which invoked the Authorization in our security architecture is based glibC API. on Security Tickets. When a process issues a system call, it should be accompanied by the Security Ticket. Secd will Sandbox tool verify the Security Ticket for authorizing the system call. This module reads the Security Descriptor File of SecLib is a library which contains procedures to create, a process and creates a sandboxed child with the privileges delete and refine Security Tickets. Also, it contains specified in the descriptor file. procedures to authorize resource requests. Sandboxed terminal SecD This is a shell interface for the user to execute Secd is a security daemon which always runs on programs. Sandboxed Terminal uses Sandbox Tool startup. It has a unique userid and groupid for its internally. protection. All the critical system calls are rerouted to Secd for authorization. We have implemented the IMPLEMENTATION authorization of open system call which opens a file from The proposed architecture [1] for securing Linux the hard disk. When a process invokes open or fopen API, is shown in Figure-2. When the system is booted, the it will be rerouted to the Secd for authorization via Unix secure daemon (Secd) automatically gets invoked in the domain socket by the modified LibC. Secd will verify the background. The LibC APIs are redirected to the Secd via Security Ticket for authorization. If authorization is Unix domain socket in secure mode, in lieu of being successful, then Secd would open the file and return the converted into a system call. Our system uses a dynamic file descriptor back to the process via Unix domain socket. dispatch mechanism (Wrapper function) at the user level to redirect the system call to a Secure Daemon. Dynamic Modified LibC dispatch mechanism overrides the existingLibC APIs. Our Wrapper functions are written for the glibC APIs current implementation comprises of two main open and fopen which would reroute the system call components: Modified LibC and a Secure Daemon. 3904 VOL. 12, NO. 12, JUNE 2017 ISSN 1819-6608 ARPN Journal of Engineering and Applied Sciences ©2006-2017 Asian Research Publishing Network (ARPN). All rights reserved. www.arpnjournals.com Figure-4. Code snippet of parameter passing via UDS in secure mode. The operation of UDS is similar to that of remote procedure calls. In contrast to other data communication models, UDS is capable of sending file descriptors and process credentials (process id, user id, group id) between processes. Secure daemon As discussed in section II, SecD is responsible for the issue of security tickets and the system call Figure-2. System interface architecture of authorization. It has a unique userid and groupid. When proposed system. Secd receives an open request from the wrapper function, it retrieves the process id, effective user id (EUID) and Modified LibC effective group id (EGID) of the initiated process from the In traditional Linux architecture, when a system UDS and is compared against the file status. If the file call gets invoked, LibC stores the system call name along permissions are matching with the process credentials, with its corresponding arguments in the system register. SecD authorizes the system call and returns the file handle This generates an interrupt which enables the system to to wrapper function via Unix Domain Socket.