A Black-Box Tracing Technique to Identify Causes of Least-Privilege Incompatibilities
Shuo Chen, John Dunagan, Chad Verbowski and Yi-Min Wang
NDSS 2005, San Diego, California, Feb. 4, 2005

Slide 2: The Problem
Principle of Least Privilege
– Software should run only with the privileges necessary to accomplish the task.
Reality of Windows systems
– Most users run all the time as members of the Administrators group (a.k.a. Admins; root in UNIX).
– Security threats increase: compromise of a user application → a system compromise. E.g., a buffer overflow in Instant Messenger.
– Many Windows applications require admin privileges when they shouldn't (least-privilege incompatibility, or LPI).

Slide 3: Least Privilege Incompatible Apps
– Bob the Builder (a kids' game)
– Windows Clock/Calendar

Slide 4: Least Privilege Incompatible Apps
– RAS, a Virtual Private Network (VPN) software
– RAZZLE (the build environment for many Microsoft products)

Slide 5: Least Privilege Incompatible Apps
– TurboTax
– Microsoft Greetings
– Diablo II: "Unable to detect the Play Disc?"
A Microsoft Knowledge Base article reports 188 least-privilege incompatible applications.

Slide 6: Project Goal
Develop a tracer…
– to identify the causes of LPIs…
– so that they can be more easily fixed by developers or sysadmins;
– providing enough clues to make a hard problem easy.
Address developers' challenges
– It is impractical to get deep insight into the entire code base of a commercial software product. The tracer should pinpoint the failing code.
– Libraries encapsulate the system calls that invoke security checks, and most libraries are in binary form. The tracer should identify low-level security failures, not opaque library failures.
– Applications can have many LPIs. The tracer should minimize the number of test runs needed to fix all of them.
Also helps sysadmins! In many cases, LPIs can be mitigated through harmless system policy changes.
– E.g., change the Access Control List (ACL) of files and registry keys.
Slide 7: Windows Security Subsystem
Data structure: token (security context)
Complete set of checking functions in the security subsystem
– SID-Compare: can be used to check "Am I an admin?"
– Access-Check/Reference-Object: do I have the permissions to open an object handle / perform operations on an opened handle?
– Adjust-Privilege/Privilege-Check: do I have the permissions to perform this operation that is not associated with an individual object (e.g., shut down the system)?
Why not just monitor at the syscall level?
– The system call interface is enormous.
– Syscalls can be stateful; the security subsystem is stateless (a crucial ingredient in noise filtering).

Slide 8: Overview of the Tracing Technique
Tracing mode: start tracing → run the app with Admin privileges → stop tracing.
Validation mode: start validation → run the app without Admin privileges → stop validation.
Security Check Monitor and Noise Filter (tracing mode)
– Intercept every security check call and determine whether it succeeds but would fail if a non-admin invoked it.
– Uses statelessness.
Security Check Monitor and Noise Filter (validation mode)
– Deliberately make a subset of the logged security checks fail when they normally would succeed.
Security check event logger → log of possible causes of least-privilege incompatibilities.

Slide 9: Evaluations with Real Examples
The goal of the evaluation is to demonstrate that…
– the tracer makes LPIs easy to understand;
– fixing the LPIs becomes substantially easier;
– most LPIs are simply bugs.
Bottom line: the LPI problem is solvable.

Slide 10: Case 1: Bob The Builder
Third-party application. "Unable to perform the operation because of insufficient privilege." Which operation? Why require admin privileges?
Tracing
– 4002 security checks were performed against the user token; 884 checks failed; 899 checks would fail if they were performed by non-admin users.
– The log contains only 899 – 884 = 15 entries, among which only 5 entries are distinct.
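As an added example (not code from the paper or its tracer), the following Python models the tracing-mode noise filter of slide 8 and the log arithmetic of slide 10 on constructed records shaped like the table on the next slide: a check is logged only when it succeeds for the admin token but would fail for a regular user's token, duplicates are then collapsed, and the requested access bits a regular user cannot obtain are named using the Windows SDK access-mask constants from winnt.h. The object names, masks and the admin-denied object are constructed inputs; the real tracer's kernel hook, event format and its computation of "max access for regular users" are not reproduced here.

```python
# Added example (not the authors' tracer): a toy model of the tracing-mode
# noise filter. The real tracer intercepts the kernel's security checks; here
# each constructed record carries the access mask the process asked for, the
# mask the admin token was granted, and the maximum mask a regular user's
# token would be granted for the same object.
from dataclasses import dataclass

# Access-mask bits from the Windows SDK (winnt.h), used to name the right a
# regular user lacks. Only the bits needed to decode the sample masks are listed.
FILE_RIGHTS = {
    "FILE_READ_DATA": 0x1, "FILE_WRITE_DATA": 0x2, "FILE_APPEND_DATA": 0x4,
    "FILE_READ_EA": 0x8, "FILE_WRITE_EA": 0x10, "FILE_EXECUTE": 0x20,
    "FILE_READ_ATTRIBUTES": 0x80, "FILE_WRITE_ATTRIBUTES": 0x100,
    "DELETE": 0x10000, "READ_CONTROL": 0x20000, "WRITE_DAC": 0x40000,
    "WRITE_OWNER": 0x80000, "SYNCHRONIZE": 0x100000,
}
KEY_RIGHTS = {
    "KEY_QUERY_VALUE": 0x1, "KEY_SET_VALUE": 0x2, "KEY_CREATE_SUB_KEY": 0x4,
    "KEY_ENUMERATE_SUB_KEYS": 0x8, "KEY_NOTIFY": 0x10, "KEY_CREATE_LINK": 0x20,
    "DELETE": 0x10000, "READ_CONTROL": 0x20000, "WRITE_DAC": 0x40000,
    "WRITE_OWNER": 0x80000,
}


@dataclass(frozen=True)
class SecurityCheck:
    """One intercepted Access-Check / Reference-Object call (constructed record)."""
    kind: str           # "AccessCheck" or "ReferenceObject"
    process: str        # image name of the calling process
    obj: str            # NT object name that was checked
    desired: int        # access mask the caller requested
    granted_admin: int  # mask the admin token was actually granted
    max_regular: int    # maximum mask a regular user's token could be granted

    def succeeds_as_admin(self) -> bool:
        return self.desired & ~self.granted_admin == 0

    def would_fail_as_regular(self) -> bool:
        # Stateless: decidable from this one check, no earlier syscalls needed.
        return self.desired & ~self.max_regular != 0


def trace_lpi_causes(checks):
    """Tracing mode: keep only checks that succeed for the admin token but would
    fail for a regular user's token. Everything else is noise: checks a regular
    user would pass, and checks that fail even for the admin."""
    return [c for c in checks if c.succeeds_as_admin() and c.would_fail_as_regular()]


def distinct_entries(entries):
    """Collapse repeated log entries, preserving first-seen order (slide 10
    reports 15 logged entries of which only 5 are distinct)."""
    return list(dict.fromkeys(entries))


def missing_rights(check):
    """Name the requested rights that lie outside what a regular user can get."""
    rights = KEY_RIGHTS if check.obj.upper().startswith("\\REGISTRY") else FILE_RIGHTS
    missing = check.desired & ~check.max_regular
    return [name for name, bit in rights.items() if missing & bit]


def explain(checks):
    """Render each distinct logged cause as one line a developer or sysadmin can act on."""
    return [f"{c.kind} by {c.process} on {c.obj}: regular users lack "
            + ", ".join(missing_rights(c))
            for c in distinct_entries(trace_lpi_causes(checks))]


BBB_KEY = "\\REGISTRY\\HKEY_LOCAL_MACHINE\\SOFTWARE\\BBC Multimedia\\Bob the Builder\\1.0.0"
EXPLORER_MASKS = (0x120189, 0x120189, 0x1200A9)  # desired, granted (admin), max (regular)

# Constructed trace: entries modelled on slide 11, plus noise and a duplicate.
SAMPLE_CHECKS = [
    # Noise: KEY_READ (0x20019) of the same key; regular users hold it too.
    SecurityCheck("ReferenceObject", "Automenu", BBB_KEY, 0x20019, 0xF003F, 0x20019),
    # Logged: KEY_SET_VALUE (0x2) granted to the admin but outside regular KEY_READ.
    SecurityCheck("ReferenceObject", "Automenu", BBB_KEY, 0x2, 0xF003F, 0x20019),
    # Noise: denied even to the admin token (constructed object name).
    SecurityCheck("AccessCheck", "Automenu", "\\constructed\\AdminDeniedObject", 0x1, 0x0, 0x0),
    # Logged: explorer opening files with FILE_WRITE_ATTRIBUTES (0x100) included;
    # shell32.dll is checked twice, producing a duplicate entry.
    SecurityCheck("AccessCheck", "explorer", "\\Program Files\\THQ\\Bob the Builder\\StartBTB.exe", *EXPLORER_MASKS),
    SecurityCheck("AccessCheck", "explorer", "\\WINDOWS\\system32\\shell32.dll", *EXPLORER_MASKS),
    SecurityCheck("AccessCheck", "explorer", "\\WINDOWS\\system32\\shell32.dll", *EXPLORER_MASKS),
]

if __name__ == "__main__":
    logged = trace_lpi_causes(SAMPLE_CHECKS)
    print(f"{len(SAMPLE_CHECKS)} checks, {len(logged)} logged, "
          f"{len(distinct_entries(logged))} distinct")
    for line in explain(SAMPLE_CHECKS):
        print(line)
```

On the constructed trace the filter keeps 4 of 6 checks and 3 distinct entries, and the decoded masks show why the slide-11 rows are causes: the registry check asks for KEY_SET_VALUE where a regular user only holds KEY_READ, and the explorer checks ask for FILE_WRITE_ATTRIBUTES on top of read/execute access. That is the clue a developer needs (drop the write bit, or a sysadmin can widen the ACL on that one key or file).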
Slide 11: Case 1 trace log
Type of Check | Process Image | Object Name | Desired Access | Granted Access | Max access for regular users
ReferenceObject | Automenu | \REGISTRY\HKEY_LOCAL_MACHINE\SOFTWARE\BBC Multimedia\Bob the Builder\1.0.0 | 0x00002 | 0xf003f | 0x020019
AccessCheck | explorer | \Program Files\THQ\Bob the Builder\StartBTB.exe | 0x120189 | 0x120189 | 0x1200a9
AccessCheck | explorer | \WINDOWS\explorer.exe | 0x120189 | 0x120189 | 0x1200a9
AccessCheck | explorer | \WINDOWS\system32\mydocs.dll | 0x120189 | 0x120189 | 0x1200a9
AccessCheck | explorer | \WINDOWS\system32\shell32.dll | 0x120189 | 0x120189 | 0x1200a9
Run as non-admin

Slide 12: Case 2: RAS (Remote Access Service)
RAS sets up a Virtual Private Network (VPN) to connect to the corporate network. A least-privilege incompatibility is encountered.
The tracer logged 7 entries out of 2566 security checks on the user token.
The cause (one of the 7 logged entries) hides deep in the call stack; not intuitive:
– The RAS process
– → Get_EnumEveryConnection in HNETCFG.dll (Home Networking Configuration Manager)
– → CheckTokenMembership in ADVAPI32.dll
– → Access-Check in kernel
Developer's response:
• RAS needs to migrate existing connections to the VPN.
• The only API for enumerating network connections is Get_EnumEveryConnection, which is privileged.
• Solution: RAS should only migrate the current user's connections.

Slide 13: Case 3: Microsoft Greetings
12618 checks performed for user permissions; 37 entries in the log.
Encountered 5 LPIs along the code path:
– 1 due to SID-Compare
– 1 due to \Program Files\Microsoft Picture It! PhotoPub\pidocob.dll
– 3 due to \REGISTRY\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Picture It!\*
Strength of the tracing technique: logging all causes requires only one test run.

Slide 14: Increasingly Obscure Error Messages
(Error message screenshots after each fix)
– Remove the first LPI
– Remove the second LPI
– Remove the other 3 LPIs

Slide 15: Case 4: Diablo II
1573 checks on the user token; 3 entries in the log.
Misleading error message (as if there were no disc in the CD drive).
Only one entry is about the CD-ROM: Game.exe checks the access to \Device\CdRom0.
Make the Access-Check on \Device\CdRom0 succeed.

Slide 16: Other Example Applications
Windows Clock/Calendar
– rundll32.exe fails to enable the SystemTime privilege (Adjust-Privilege).
Windows Power Options
– Access-Check failure on the registry key \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\PowerCfg.
TurboTax
– TurboTax checks the Admins group membership by SID-Compare.
Razzle (a build environment tool)
– Access-Check failure on the root directory of the source code.

Slide 17: Summary
We validate the effectiveness of the tracing technique on many real applications.
– The applications span a variety of user types.
– The applications exhibit a variety of reasons for the LPIs.
– Our technique catches all causes of LPIs on exercised code paths. As a dynamic tracing technique, it cannot identify LPIs that are not exercised.
Fixing or mitigating LPIs becomes significantly easier.

Slide 18: Future Directions
Usability enhancements
– A driver instead of a modified kernel.
– Automatically set breakpoints at the security checks responsible for least-privilege incompatibilities (integrated in debuggers).
– A configuration utility for sysadmins.
Further research on permission failures
– Security failures involving networked applications.
– Apply the techniques to other OS platforms?