A Black-Box Tracing Technique to Identify Causes of Least-Privilege Incompatibilities

advertisement
A Black-Box Tracing Technique to Identify
Causes of Least-Privilege Incompatibilities
Shuo Chen, John Dunagan, Chad Verbowski and Yi-Min Wang
NDSS 2005, San Diego, California
Feb. 4, 2005
1
The Problem

Principle of Least Privilege
– Software should run only with the privileges necessary
to accomplish the task.

Reality of Windows systems
– Most users run all the time as members of the
Administrators group (a.k.a. Admins,  root in UNIX).
– Security threats increased: compromise of user
application  a system compromise

E.g., buffer overflow in Instant Messenger
– Many Windows applications require admin privileges
when they shouldn’t (least privilege incompatibility, or
LPI).
2
Least Privilege Incompatible Apps

Bob the Builder (a kid’s game)

Window Clock/Calendar
3
Least Privilege Incompatible Apps


RAS, a Virtual
Private Network
(VPN) software
RAZZLE (the build environment for many Microsoft products)
4
Least Privilege Incompatible Apps

TurboTax

Microsoft Greetings

Diablo II. Unable to
detect the Play Disc?

A Microsoft Knowledge Base article reports 188 least-privilege
incompatible applications
5
Project Goal

Develop a tracer…
– To identify the causes of LPIs …
– So that they can be more easily fixed by developers or sysadmins
– Provide enough clues that make a hard problem easy.

Address developer’s challenges
– Impractical to get deep insights to the entire code base of a
commercial software. Should pinpoint failing code.
– Libraries encapsulate system calls invoking security checks. Most
libraries are in binary form. Should identify low level security failures,
not opaque library failures.
– Applications can have many LPIs. Should minimize number of test
runs to fix all of them.

Also helps sysadmins! In many cases, can mitigate LPIs
through harmless system policy changes.
– E.g., change the Access Control List (ACL) of files and registry keys.
6
Windows Security Subsystem


Data structure: token (security context)
Complete Set of Checking Functions in
Security Subsystem
– SID-Compare: Can be used to check “Am I an admin?”
– Access-Check/Reference-Object: Do I have the permissions
to open an object handle / perform operations on an opened
handle?
– Adjust-Privilege/Privilege-Check: Do I have the permissions
to perform this operation not associated with an individual
object (e.g., shutdown the system)?

Why not just monitor at syscall level?
– System call interface is enormous
– Syscalls can be stateful; Security subsystem is stateless
(crucial ingredient in noise filtering).
7
Overview of the Tracing Technique
Start
tracing
Run app
with Admin
privileges
stop
tracing
Start
validation
Run app
without
Admin
privileges
stop
validation
Security Check
Intercept every security check call,
Monitor
and make a subset
Security
Check Monitor
Deliberately
of the whether
determine
it succeeds,
but would
Noise
Filter
and invoked
Noise Filter
logged security checks succeed
fail if awhen
non-admin
it.
(tracing
mode)would fail.
(validation mode)
they normally
• Use statelessness
Security check
event logger
Log of possible
causes of
least-privilege
incompatibilities
8
Evaluations with Real Examples





Goal of evaluation is to demonstrate that…
Tracer makes LPIs easy to understand
Fixing the LPIs becomes substantially easier
Most LPIs are simply bugs
Bottom line: LPI problem is solvable
9
Case 1: Bob The Builder


Third party application. “Unable to perform the operation
because of insufficient privilege.” Which operation? Why
require admin privileges?
Tracing
– 4002 security checks were performed to check against the user
token; 884 checks failed; 899 checks would fail if they were
performed by non-admin users.
– The log contains only 899 – 884 = 15 entries, among which only
5 entries are distinct.
10
Type of
Check
Process
Image
Object Name
Desired
Access
Granted
Access
Max access
for regular
users
ReferenceObject
Automenu
\REGISTRY\HKEY_LOCAL_MACHINE\
SOFTWARE\BBC Multimedia\Bob the
Builder\1.0.0
0x00002
0xf003f
0x020019
AccessCheck
explorer
\Program Files\THQ\Bob the
Builder\StartBTB.exe
0x120189
0x120189
0x1200a9
AccessCheck
explorer
\WINDOWS\explorer.exe
0x120189
0x120189
0x1200a9
AccessCheck
explorer
\WINDOWS\system32\mydocs.dll
0x120189
0x120189
0x1200a9
AccessCheck
explorer
\WINDOWS\system32\shell32.dll
0x120189
0x120189
0x1200a9
Run as non-admin
11
Case 2: RAS (Remote Access Service)




RAS sets up a Virtual Private Network (VPN) to connect to corporate
network.
Least-privilege incompatibility encountered.
The tracer logged 7 entries out of 2566 security checks on the user
token.
The cause (one of the 7 logged entries) hides deep in the call stack. Not
intuitive.
The RAS process
Get_EnumEveryConnection in HNETCFG.dll
(Home Networking Configuration Manager)
Developer’s response:
• RAS needs to migrate existing connections to
the VPN
• The only API for enumerating network
connections is Get_EnumEveryConnection,
privileged .
•Solution: RAS should only migrate the current
user’s connections.
CheckTokenMembership in ADVAPI32.dll
Access-Check in kernel
12
Case 3: Microsoft Greetings

12618 checks performed for user permissions.
37 entries in the log.

Encountered 5 LPIs along the code path.
– 1 due to SID-Compare
– 1 due to \Program Files\Microsoft Picture
It! PhotoPub\pidocob.dll
– 3 due to
\REGISTRY\HKEY_LOCAL_MACHINE\SOFTWARE\
Microsoft\Picture It!\*

Strength of the tracing technique: logging all
causes requires only one test run.
13
Increasingly Obscure Error Messages
Remove the first LPI
Remove the second LPI
Remove the other 3 LPIs
14
Case 4: Diablo II



1573 checks on the user token. 3 entries in the log.
Misleading error message (as if there was no disc in
the CD drive)
Only one entry about CDROM:
Game.exe checks the access to \Device\CdRom0
Make the Access-Check on
\Device\CdRom0 succeed
15
Other Example Applications

Windows Clock/Calendar
– rundll32.exe fail to enable SystemTime privilege
(Adjust-Privilege)

Windows Power Options
– Access-Check failure on the registry key
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Controls Folder\PowerCfg

TurboTax
– TurboTax checks the admins’ group membership by
SID-Compare

Razzle (a build environment tool)
– Access-Check failure on the root directory of the 16
source code.
Summary

We validate the effectiveness of the tracing
technique by many real applications.
– Applications span a variety of user types.
– Applications exhibit a variety of reasons for the
LPIs.
– Our technique catches all causes of LPIs on
exercised code paths. As a dynamic tracing
technique, it cannot identify the LPIs not
exercised.

Fixing or mitigating LPIs becomes significantly
easier.
17
Future Directions

Usability enhancements
– Driver instead of modified kernel,
– Automatically set breakpoints at the security checks
responsible for least-privilege incompatibilities
(integrated in debuggers)
– Configuration utility for sysadmins.

Further research on permission failures
– Security failures involving networked applications
– Apply techniques to other OS platforms?
18
Download