Slides

Setuid Demystified
Hao Chen
David Wagner
UC Berkeley
Drew Dean
SRI International
1
The Setuid API
• User ID model: the basis for access
control in Unix
• Each process has three user IDs:
– ruid: the real user ID
– euid: the effective user ID
– suid: the saved user ID
• The setuid API offers these system calls:
– setuid, seteuid, setreuid, setresuid
2
The Mystery
• Which user IDs does setuid(x) set?
– FreeBSD: always ruid=euid=suid=x
– Linux/Solaris:
always euid=x, sometimes ruid=suid=x
• Do these calls always succeed?
– setuid ( geteuid ( ) )
• May fail in Linux and Solaris
– seteuid ( geteuid ( ) )
• May fail in FreeBSD
– setreuid ( geteuid ( ) , getuid ( ) )
• May fail in FreeBSD
3
The Problems
• Semantic mess
– Design: confusing, surprising
– Portability: semantic differences among OSs (e.g. Linux, Solaris, FreeBSD)
– Documentation: incomplete, inaccurate, or incorrect
• Reason: historical artifacts
• Vulnerabilities
– Sendmail 8.10.1 and 8.12.0, etc.
4
Outline: Demystify the Setuid API
• Identify the precise semantics
– Use a formal model
– Build the model automatically by state space
exploration
• Check for
– Semantic pitfalls
– Documentation errors
– Inconsistency in OS kernels
– Proper use of API calls in programs
• Propose guidelines
5
Formal Model of the Setuid API
• Finite State Automaton (FSA) model
– States: describing the user IDs of a process
– Transitions: describing the semantics of the
setuid API calls
• Abstraction
– 0: root uid
– 1: a non-root uid
[Figure: example fragment of the FSA with three states, (ruid=1, euid=0, suid=0), (ruid=1, euid=1, suid=1) and (ruid=1, euid=1, suid=0), and a transition labelled seteuid(0)]
6
Construct the FSA
• Challenge
– Large number of transitions
– Manual construction is laborious, error-prone
• Solution
– Automatic construction by a state space
explorer:
• Exhaustively makes all setuid API calls at each
state of the FSA
• Observes the resulting transitions
7
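As an added example (not the slides' own code, nor the authors' explorer), the following C program performs the state space exploration described on this slide, in the deck's abstraction (uid 0 = root, uid 1 = a non-root user, a state is the triple ruid/euid/suid). The real explorer observes transitions by issuing the calls to a running kernel; here each call is replaced by a model_* function encoding Linux-style setuid semantics as this example assumes them, and privilege is modelled as euid == 0 (a stand-in for CAP_SETUID), so the exploration runs offline and unprivileged. All names (ids_t, model_setuid, explore, ...) are this example's own.

```c
/* Added example: breadth-first exploration of a MODELLED setuid API (Linux-style
 * semantics as assumed by this example, not observed from a kernel). */
#include <stdio.h>
#include <string.h>

typedef struct { int ruid, euid, suid; } ids_t;   /* abstract uids: 0 = root, 1 = non-root */

#define NSTATES 8    /* 2^3 triples over {0,1} */
#define NCALLS  40   /* 2 setuid + 2 seteuid + 9 setreuid + 27 setresuid argument choices */

static int privileged(const ids_t *p) { return p->euid == 0; }   /* stands in for CAP_SETUID */
static int has(const ids_t *p, int v) { return v == p->ruid || v == p->euid || v == p->suid; }

/* setresuid(r,e,s): -1 leaves an ID unchanged; an unprivileged caller may only choose
 * values that are already one of its three IDs. Returns 0, or -1 for EPERM. */
int model_setresuid(ids_t *p, int r, int e, int s) {
    if (!privileged(p) &&
        ((r != -1 && !has(p, r)) || (e != -1 && !has(p, e)) || (s != -1 && !has(p, s))))
        return -1;
    if (r != -1) p->ruid = r;
    if (e != -1) p->euid = e;
    if (s != -1) p->suid = s;
    return 0;
}

/* seteuid(x): glibc implements it as setresuid(-1, x, -1). */
int model_seteuid(ids_t *p, int x) { return model_setresuid(p, -1, x, -1); }

/* setuid(x): privileged -> ruid=euid=suid=x; otherwise only euid changes, and only when x
 * is the current ruid or suid (this is why setuid(geteuid()) can fail, as slide 3 says). */
int model_setuid(ids_t *p, int x) {
    if (privileged(p)) { p->ruid = p->euid = p->suid = x; return 0; }
    if (x != p->ruid && x != p->suid) return -1;
    p->euid = x;
    return 0;
}

/* setreuid(r,e): unprivileged r must be the current ruid or euid, e any current ID;
 * suid becomes the new euid whenever ruid was set or euid moved away from the old ruid. */
int model_setreuid(ids_t *p, int r, int e) {
    int old_ruid = p->ruid;
    if (!privileged(p) && ((r != -1 && r != p->ruid && r != p->euid) || (e != -1 && !has(p, e))))
        return -1;
    if (r != -1) p->ruid = r;
    if (e != -1) p->euid = e;
    if (r != -1 || (e != -1 && e != old_ruid)) p->suid = p->euid;
    return 0;
}

typedef struct { const char *name; int a, b, c; } call_t;   /* one abstract call, -1 = unchanged */

static int build_calls(call_t *out) {   /* every call with every argument choice */
    int n = 0;
    for (int x = 0; x < 2; x++) {
        out[n++] = (call_t){ "setuid", x, -1, -1 };
        out[n++] = (call_t){ "seteuid", x, -1, -1 };
    }
    for (int r = -1; r < 2; r++)
        for (int e = -1; e < 2; e++) {
            out[n++] = (call_t){ "setreuid", r, e, -1 };
            for (int s = -1; s < 2; s++) out[n++] = (call_t){ "setresuid", r, e, s };
        }
    return n;   /* == NCALLS */
}

static int apply(const call_t *c, ids_t *p) {
    if (strcmp(c->name, "setuid") == 0)   return model_setuid(p, c->a);
    if (strcmp(c->name, "seteuid") == 0)  return model_seteuid(p, c->a);
    if (strcmp(c->name, "setreuid") == 0) return model_setreuid(p, c->a, c->b);
    return model_setresuid(p, c->a, c->b, c->c);
}

static int   encode(const ids_t *p) { return p->ruid * 4 + p->euid * 2 + p->suid; }
static ids_t decode(int s) { ids_t p = { (s >> 2) & 1, (s >> 1) & 1, s & 1 }; return p; }

/* From `start`, issue every call at every discovered state and record the outcome:
 * trans[s][k] = successor state, -1 when the call fails (EPERM), -2 if s is unreachable.
 * Returns the number of reachable states. */
int explore(int start, int trans[NSTATES][NCALLS]) {
    call_t calls[NCALLS];
    int seen[NSTATES] = {0}, queue[NSTATES], head = 0, tail = 0, reached = 0;
    build_calls(calls);
    for (int s = 0; s < NSTATES; s++)
        for (int k = 0; k < NCALLS; k++) trans[s][k] = -2;
    seen[start] = 1;
    queue[tail++] = start;
    while (head < tail) {
        int s = queue[head++];
        reached++;
        for (int k = 0; k < NCALLS; k++) {
            ids_t p = decode(s);
            if (apply(&calls[k], &p) != 0) { trans[s][k] = -1; continue; }
            int t = encode(&p);
            trans[s][k] = t;
            if (!seen[t]) { seen[t] = 1; queue[tail++] = t; }
        }
    }
    return reached;
}

int main(void) {   /* start as a root process (0,0,0) and print the FSA edges, minus self-loops */
    int trans[NSTATES][NCALLS];
    call_t calls[NCALLS];
    build_calls(calls);
    printf("%d reachable states\n", explore(0, trans));
    for (int s = 0; s < NSTATES; s++)
        for (int k = 0; k < NCALLS; k++)
            if (trans[s][k] >= 0 && trans[s][k] != s) {
                ids_t f = decode(s), t = decode(trans[s][k]);
                printf("(%d,%d,%d) --%s(%d,%d,%d)--> (%d,%d,%d)\n", f.ruid, f.euid, f.suid,
                       calls[k].name, calls[k].a, calls[k].b, calls[k].c, t.ruid, t.euid, t.suid);
            }
    return 0;
}
```

Starting from (1,1,1), the exploration finds a single state: an unprivileged process can never acquire uid 0 in this model, which is exactly the invariant a drop-privilege check relies on. Swapping the model_* bodies for the real system calls (run as root, forking per transition) turns this into the explorer the slides describe.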
[Figure: the FSA constructed by the explorer; states shown as (ruid, euid, suid): (1,1,1), (0,0,0), (0,0,1), (1,1,0), (1,0,1), (1,0,0), (0,1,0), (0,1,1); transitions labelled setuid(1), setuid(0), seteuid(0)]
8
FSAs for setuid transitions
[Figure: two FSAs, one for Linux and one for FreeBSD]
9
FSA for setresuid in Linux
10
Benefits of Using Formal Model
• Correctness
– Intuition: the transitions in the FSA are
observed from running programs
• Efficiency
– The FSA is constructed automatically by the
explorer
• Portability: the explorer is portable to
– Different Unix systems
– Different versions of kernels
• Lots of applications!
11
Find Documentation Errors
• Incomplete man page
– setuid(2) in Redhat Linux 7.2: fails to mention the Linux capabilities which affect how setuid() behaves
• Wrong man pages
– FreeBSD 4.4: "Unprivileged users may change the ruid to the euid and vice versa" (slide annotation: suid)
– Redhat Linux 7.2: "The setgid function checks the egid of the caller and if it is the superuser, …" (slide annotation: euid)
12
Detect Inconsistencies in
OS Kernel
• File system uid (fsuid) in Linux
– Is used for filesystem permission checking
– Normally follows euid
• An invariant in Linux 2.4.18 (kernel/sys.c)
– fsuid is 0 only if at least one of
ruid, euid, suid is 0
• Security motivation
– Root privilege in fsuid is automatically dropped
when it is dropped from ruid, euid, suid
– Ensures that an fsuid-unaware application can safely drop root privilege in fsuid
13
Detect Inconsistencies in
OS Kernel (contd.)
• A bug in Linux kernels <= 2.4.18 breaks
the invariant
– The bug is in setresuid()
• We found the bug using the formal model
– Our patch was applied to kernel 2.4.19
• Lessons
– Security design is difficult to get right
– Formal models are very useful in verifying
security models
14
Check Proper Usage of the
Setuid API in Programs
• Questions
– Can a setuid API call fail in this program?
– Can this program fail to drop privilege?
– Which parts of this program run with privilege?
• Approach
– Model checking security properties in
programs using the FSA of the setuid API
• Results
– Found known setuid bugs in sendmail 8.10.1
and 8.12.0
15
Guidelines
• Use setresuid where available
– Explicit, clear semantics
– Transactional
(vs. setuid which is not transactional)
• Obey the proper order of API calls
– Drop group privileges before user privileges
16
Guidelines (contd.)
• Check for errors
– Check return code
– Verify user IDs are as expected after API calls
(because some calls are not transactional)
– Verify failures
How to permanently drop privileges confidently?
1. Drop privilege
2. Try to regain privilege
3. Ensure that Step 2 fails
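The guidelines on slides 16 and 17 combined into one routine, as an added example (not code from the slides): setresuid/setresgid for explicit, transactional semantics, group privileges dropped before user privileges, every return code checked, the resulting IDs verified with getresuid/getresgid, and finally an attempt to regain privilege that must fail. The function name, the rejection of uid 0 as a target, and the choice of uid/gid 65534 in main are this example's own.

```c
/* Added example: permanently drop root privilege and prove it is gone. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Explicit prototypes: glibc hides these extensions unless _GNU_SOURCE was defined
 * before the first system header; redeclaring them with the same signature is harmless. */
int setresuid(uid_t, uid_t, uid_t);
int setresgid(gid_t, gid_t, gid_t);
int getresuid(uid_t *, uid_t *, uid_t *);
int getresgid(gid_t *, gid_t *, gid_t *);
int setgroups(size_t, const gid_t *);

/* Returns 0 only when the process now runs as uid/gid with no way back to uid 0. */
int drop_privileges_permanently(uid_t uid, gid_t gid) {
    uid_t r, e, s;
    gid_t rg, eg, sg;

    if (uid == 0) return -1;   /* "dropping" to root is not a drop */

    /* Step 1: drop privilege.  Groups first: once euid is non-zero, setgroups and
     * setresgid would fail and the process would keep root's supplementary groups. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return -1;   /* needs privilege; skip if none */
    if (setresgid(gid, gid, gid) != 0) return -1;
    if (setresuid(uid, uid, uid) != 0) return -1;

    /* Verify the IDs rather than trusting the return codes alone (slide 17). */
    if (getresgid(&rg, &eg, &sg) != 0 || rg != gid || eg != gid || sg != gid) return -1;
    if (getresuid(&r, &e, &s) != 0 || r != uid || e != uid || s != uid) return -1;

    /* Step 2: try to regain privilege.  Step 3: insist that every attempt fails with EPERM. */
    if (setresuid(-1, 0, -1) == 0 || errno != EPERM) return -1;
    if (setuid(0) == 0 || errno != EPERM) return -1;
    if (gid != 0 && (setresgid(-1, 0, -1) == 0 || errno != EPERM)) return -1;
    return 0;
}

int main(void) {
    /* Constructed demo: as root, drop to 65534 (the conventional "nobody" ids);
     * as an ordinary user, "drop" to the current ids, which exercises the same checks. */
    uid_t uid = geteuid() == 0 ? 65534 : getuid();
    gid_t gid = geteuid() == 0 ? 65534 : getgid();
    if (drop_privileges_permanently(uid, gid) != 0) {
        fprintf(stderr, "privilege drop failed or could be reversed; refusing to continue\n");
        return 1;
    }
    printf("running as uid %u gid %u, root privilege verified gone\n",
           (unsigned)geteuid(), (unsigned)getegid());
    return 0;
}
```

A failed drop is treated as fatal rather than logged and ignored: the slides' point is that a setuid call can fail silently on some systems, so the program must not proceed on the assumption that it succeeded.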
17
Related Work
• Unix man pages
• Chris Torek and Casper Dik. Setuid Mess
• Matt Bishop. How to write a setuid
program
• Timothy Levin, S. Padilla, Cynthia Irvine.
A Formal Model for UNIX Setuid
18
Conclusion: Setuid Demystified
• We’ve identified the precise semantics
– Use an FSA model
– Built the model automatically by state space
exploration
• Formal models revealed pitfalls and bugs
– We discovered semantic pitfalls
– We found new documentation errors
– We detected the fsuid bug in the Linux kernel
– We verified the proper use of the setuid API in some programs
• Follow our guidelines for the setuid API
19
Further Information
http://www.cs.berkeley.edu/~hchen/research/setuid/
20
FSA for setreuid in Linux
21