Slide 1
A Black-Box Tracing Technique to Identify Causes of Least-Privilege Incompatibilities
Shuo Chen, John Dunagan, Chad Verbowski and Yi-Min Wang
NDSS 2005, San Diego, California, Feb. 4, 2005
Slide 2
The Problem
Principle of Least Privilege
– Software should run only with the privileges necessary to accomplish the task.
Reality of Windows systems
– Most users run all the time as members of the Administrators group (a.k.a. Admins; the equivalent of root in UNIX).
– Security threats increased: a compromise of a user application becomes a system compromise. E.g., a buffer overflow in Instant Messenger.
– Many Windows applications require admin privileges when they shouldn't (least-privilege incompatibility, or LPI).
Slide 3
Least Privilege Incompatible Apps
Bob the Builder (a kid's game)
Windows Clock/Calendar
Slide 4
Least Privilege Incompatible Apps
RAS, a Virtual Private Network (VPN) software
RAZZLE (the build environment for many Microsoft products)
Slide 5
Least Privilege Incompatible Apps
TurboTax
Microsoft Greetings
Diablo II. "Unable to detect the Play Disc"?
A Microsoft Knowledge Base article reports 188 least-privilege incompatible applications.
Slide 6
Project Goal
Develop a tracer…
– To identify the causes of LPIs …
– So that they can be more easily fixed by developers or sysadmins.
– Provide enough clues to make a hard problem easy.
Address developers' challenges
– Impractical to get deep insight into the entire code base of a commercial application. The tracer should pinpoint the failing code.
– Libraries encapsulate the system calls that invoke security checks, and most libraries are in binary form. The tracer should identify low-level security failures, not opaque library failures.
– Applications can have many LPIs. The tracer should minimize the number of test runs needed to fix all of them.
Also helps sysadmins! In many cases, LPIs can be mitigated through harmless system policy changes.
– E.g., change the Access Control List (ACL) of files and registry keys.
Slide 7
Windows Security Subsystem
Data structure: token (security context)
Complete set of checking functions in the security subsystem
– SID-Compare: can be used to check "Am I an admin?"
– Access-Check / Reference-Object: do I have the permissions to open an object handle / to perform operations on an opened handle?
– Adjust-Privilege / Privilege-Check: do I have the permission to perform an operation not associated with an individual object (e.g., shut down the system)?
Why not just monitor at the syscall level?
– The system call interface is enormous.
– Syscalls can be stateful; the security subsystem is stateless (a crucial ingredient in noise filtering).
Slide 8
Overview of the Tracing Technique
Tracing mode:
  Run app with Admin privileges → start tracing … stop tracing → log of possible causes of least-privilege incompatibilities.
  Security Check Monitor and Noise Filter (tracing mode): intercept every security check call and determine whether it succeeds but would fail if a non-admin invoked it.
  • Use statelessness
  Security check event logger: records those checks.
Validation mode:
  Run app without Admin privileges → start validation … stop validation.
  Security Check Monitor and Noise Filter (validation mode): deliberately make a subset of the logged security checks succeed when they normally would fail.
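The two modes of the diagram, as an added Python simulation that is not the paper's tool (the real monitor sits inside the kernel's security subsystem). A toy stateless security subsystem evaluates Access-Check, SID-Compare and Privilege-Check calls against a token. In tracing mode the monitor re-evaluates every intercepted check against a plain-user token and logs only the checks that succeeded for the admin but would fail for the user, so checks that fail even for the admin are filtered out as noise. In validation mode the process runs as a plain user and a chosen subset of the logged checks is forced to succeed. The tokens, ACLs, object names and the workload are constructed for the example; the two group SIDs are the well-known SIDs of BUILTIN\Administrators and BUILTIN\Users, and the masks are standard registry and file access rights.

```python
# Added example: toy model of the tracer's two modes (not the paper's code).
# Tokens, ACLs, object names and the workload are constructed; the SIDs are the
# well-known BUILTIN\Administrators and BUILTIN\Users SIDs, the masks standard
# Win32 rights (0x20019 KEY_READ, 0xF003F KEY_ALL_ACCESS,
# 0x1200A9 FILE_GENERIC_READ|FILE_EXECUTE, 0x1F01FF FILE_ALL_ACCESS).
from dataclasses import dataclass, field

ADMINS_SID = "S-1-5-32-544"   # BUILTIN\Administrators
USERS_SID = "S-1-5-32-545"    # BUILTIN\Users


@dataclass(frozen=True)
class Token:
    """Security context: group SIDs plus the privileges held."""
    groups: frozenset
    privileges: frozenset


ADMIN_TOKEN = Token(frozenset({USERS_SID, ADMINS_SID}),
                    frozenset({"SeSystemtimePrivilege", "SeShutdownPrivilege"}))
USER_TOKEN = Token(frozenset({USERS_SID}), frozenset({"SeShutdownPrivilege"}))

# Constructed ACLs: object -> {SID: access mask granted to that SID}.
ACLS = {
    "\\REGISTRY\\MACHINE\\SOFTWARE\\Example\\Settings": {USERS_SID: 0x20019, ADMINS_SID: 0xF003F},
    "\\Program Files\\Example\\app.exe": {USERS_SID: 0x1200A9, ADMINS_SID: 0x1F01FF},
    "\\Device\\CdRom0": {ADMINS_SID: 0x1F01FF},
}


def evaluate(token, check):
    """The stateless security subsystem: a pure function of (token, check)."""
    kind, *args = check
    if kind == "Access-Check":
        obj, desired = args
        granted = 0
        for sid, mask in ACLS.get(obj, {}).items():
            if sid in token.groups:
                granted |= mask
        return desired & ~granted == 0
    if kind == "SID-Compare":
        return args[0] in token.groups
    if kind == "Privilege-Check":
        return args[0] in token.privileges
    raise ValueError(f"unknown check type {kind}")


@dataclass
class Monitor:
    """Security Check Monitor and Noise Filter, in 'trace' or 'validate' mode."""
    mode: str = "trace"
    overrides: set = field(default_factory=set)   # checks forced to succeed (validate mode)
    log: list = field(default_factory=list)
    stats: dict = field(default_factory=lambda: {"checks": 0, "failed": 0, "would_fail": 0, "logged": 0})

    def check(self, token, check):
        self.stats["checks"] += 1
        ok = evaluate(token, check)
        if self.mode == "validate":
            # Running as a non-admin: let the selected logged checks pass.
            return ok or check in self.overrides
        if not ok:
            self.stats["failed"] += 1
        # Noise filter: re-run the identical check with a plain-user token.
        # Statelessness makes this second evaluation side-effect free.
        would_fail = not evaluate(USER_TOKEN, check)
        if would_fail:
            self.stats["would_fail"] += 1
        if ok and would_fail:   # passed for admin, would fail for a user: log it
            self.log.append(check)
            self.stats["logged"] += 1
        return ok

    def distinct(self):
        return sorted(set(self.log))


# Constructed workload standing in for an application's exercised code path.
WORKLOAD = [
    ("Access-Check", "\\Program Files\\Example\\app.exe", 0x1200A9),            # fine for everyone
    ("SID-Compare", ADMINS_SID),                                                # "am I an admin?": LPI
    ("Access-Check", "\\REGISTRY\\MACHINE\\SOFTWARE\\Example\\Settings", 0x2),  # KEY_SET_VALUE under HKLM: LPI
    ("Access-Check", "\\REGISTRY\\MACHINE\\SOFTWARE\\Example\\Settings", 0x2),  # same check repeated
    ("Privilege-Check", "SeSystemtimePrivilege"),                               # LPI
    ("Access-Check", "\\Device\\Missing", 0x1),                                 # fails even for admin: noise
]


def run_app(monitor, token):
    return [monitor.check(token, c) for c in WORKLOAD]


def trace():
    """Tracing mode: run as admin; return the counters and the distinct log entries."""
    m = Monitor(mode="trace")
    run_app(m, ADMIN_TOKEN)
    return m.stats, m.distinct()


def validate(overrides):
    """Validation mode: run as a plain user with the given log entries forced to pass."""
    m = Monitor(mode="validate", overrides=set(overrides))
    return run_app(m, USER_TOKEN)


if __name__ == "__main__":
    stats, entries = trace()
    print(stats)
    for e in entries:
        print("LPI candidate:", e)
    print(validate(entries))
```

`trace()` returns the counters that correspond to the per-case figures in the deck (checks performed, checks that failed, checks that would fail for a non-admin, entries logged) together with the distinct entries; the logged count equals would-fail minus failed, and because several independent LPIs sit on the same path they all appear in one run. Feeding the distinct entries to `validate()` shows which checks must be made to pass before the workload gets through as a non-admin; the last check fails in both modes because it is a genuine failure, not an LPI.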
Slide 9
Evaluations with Real Examples
The goal of the evaluation is to demonstrate that…
– The tracer makes LPIs easy to understand
– Fixing the LPIs becomes substantially easier
– Most LPIs are simply bugs
Bottom line: the LPI problem is solvable
Slide 10
Case 1: Bob The Builder
Third-party application. "Unable to perform the operation because of insufficient privilege." Which operation? Why require admin privileges?
Tracing
– 4002 security checks were performed against the user token; 884 checks failed; 899 checks would fail if they were performed by non-admin users.
– The log contains only 899 – 884 = 15 entries, among which only 5 entries are distinct.
Slide 11
The 5 distinct log entries:

Type of Check    | Process Image | Object Name                                                                | Desired Access | Granted Access | Max access for regular users
-----------------|---------------|----------------------------------------------------------------------------|----------------|----------------|-----------------------------
Reference-Object | Automenu      | \REGISTRY\HKEY_LOCAL_MACHINE\SOFTWARE\BBC Multimedia\Bob the Builder\1.0.0 | 0x00002        | 0xf003f        | 0x020019
Access-Check     | explorer      | \Program Files\THQ\Bob the Builder\StartBTB.exe                            | 0x120189       | 0x120189       | 0x1200a9
Access-Check     | explorer      | \WINDOWS\explorer.exe                                                      | 0x120189       | 0x120189       | 0x1200a9
Access-Check     | explorer      | \WINDOWS\system32\mydocs.dll                                               | 0x120189       | 0x120189       | 0x1200a9
Access-Check     | explorer      | \WINDOWS\system32\shell32.dll                                              | 0x120189       | 0x120189       | 0x1200a9

Run as non-admin
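Reading the log: the three hex columns are Windows access masks, and the bits the process asked for that a regular user can never obtain are what make an entry an LPI candidate. The decoder below is an added example, not the paper's tool; the right names are the documented Win32 standard, file and registry access-right bits, and the five rows are the entries from the table above.

```python
# Added example: decode the access masks of tracer log entries (not the paper's
# tool).  Bit names are the documented Win32 access rights; LOG holds the five
# rows of the Bob the Builder table.

STANDARD = {0x10000: "DELETE", 0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC",
            0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE"}
FILE_RIGHTS = {0x1: "FILE_READ_DATA", 0x2: "FILE_WRITE_DATA", 0x4: "FILE_APPEND_DATA",
               0x8: "FILE_READ_EA", 0x10: "FILE_WRITE_EA", 0x20: "FILE_EXECUTE",
               0x40: "FILE_DELETE_CHILD", 0x80: "FILE_READ_ATTRIBUTES",
               0x100: "FILE_WRITE_ATTRIBUTES"}
KEY_RIGHTS = {0x1: "KEY_QUERY_VALUE", 0x2: "KEY_SET_VALUE", 0x4: "KEY_CREATE_SUB_KEY",
              0x8: "KEY_ENUMERATE_SUB_KEYS", 0x10: "KEY_NOTIFY", 0x20: "KEY_CREATE_LINK"}


def rights_table(obj):
    """Object-specific rights depend on the object type; the name prefix tells us which."""
    return KEY_RIGHTS if obj.startswith("\\REGISTRY\\") else FILE_RIGHTS


def names(mask, obj):
    """Expand a mask into right names, lowest bit first; unnamed bits are kept as hex."""
    table = {**STANDARD, **rights_table(obj)}
    out = [name for bit, name in sorted(table.items()) if mask & bit]
    unknown = mask & ~sum(table)   # sum over the dict adds its (disjoint) bit keys
    if unknown:
        out.append(f"0x{unknown:x}")
    return out


def analyse(entry):
    """One log row -> did it pass as admin, and which requested rights are admin-only."""
    kind, image, obj, desired, granted, max_regular = entry
    passed_as_admin = desired & ~granted == 0
    admin_only = desired & ~max_regular
    return {"type": kind, "image": image, "object": obj,
            "passed_as_admin": passed_as_admin,
            "lpi": passed_as_admin and admin_only != 0,
            "admin_only_rights": names(admin_only, obj)}


# The five distinct entries from the table (values as shown on the slide).
LOG = [
    ("Reference-Object", "Automenu",
     "\\REGISTRY\\HKEY_LOCAL_MACHINE\\SOFTWARE\\BBC Multimedia\\Bob the Builder\\1.0.0",
     0x00002, 0xF003F, 0x020019),
    ("Access-Check", "explorer", "\\Program Files\\THQ\\Bob the Builder\\StartBTB.exe",
     0x120189, 0x120189, 0x1200A9),
    ("Access-Check", "explorer", "\\WINDOWS\\explorer.exe", 0x120189, 0x120189, 0x1200A9),
    ("Access-Check", "explorer", "\\WINDOWS\\system32\\mydocs.dll", 0x120189, 0x120189, 0x1200A9),
    ("Access-Check", "explorer", "\\WINDOWS\\system32\\shell32.dll", 0x120189, 0x120189, 0x1200A9),
]


def analyse_log(log=LOG):
    return [analyse(e) for e in log]


if __name__ == "__main__":
    for r in analyse_log():
        print(r["type"], r["image"], r["object"], "->", r["admin_only_rights"])
```

Every row passed as admin and requests at least one right outside the regular-user maximum, which is exactly the tracer's logging criterion. The decoder names that right: the Automenu entry asks for KEY_SET_VALUE on a key under HKEY_LOCAL_MACHINE where regular users only hold KEY_READ, and the explorer entries ask for FILE_WRITE_ATTRIBUTES on files where regular users only hold read and execute. That named right is what a developer would stop requesting, or what a sysadmin's ACL change would have to grant.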
Slide 12
Case 2: RAS (Remote Access Service)
RAS sets up a Virtual Private Network (VPN) to connect to the corporate network.
Least-privilege incompatibility encountered.
The tracer logged 7 entries out of 2566 security checks on the user token.
The cause (one of the 7 logged entries) hides deep in the call stack. Not intuitive:
  The RAS process
  → Get_EnumEveryConnection in HNETCFG.dll (Home Networking Configuration Manager)
  → CheckTokenMembership in ADVAPI32.dll
  → Access-Check in kernel
Developer's response:
• RAS needs to migrate existing connections to the VPN.
• The only API for enumerating network connections is Get_EnumEveryConnection, which is privileged.
• Solution: RAS should only migrate the current user's connections.
Slide 13
Case 3: Microsoft Greetings
12618 checks performed for user permissions. 37 entries in the log.
Encountered 5 LPIs along the code path.
– 1 due to SID-Compare
– 1 due to \Program Files\Microsoft Picture It! PhotoPub\pidocob.dll
– 3 due to \REGISTRY\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Picture It!\*
Strength of the tracing technique: logging all causes requires only one test run.
Slide 14
Increasingly Obscure Error Messages
Remove the first LPI
Remove the second LPI
Remove the other 3 LPIs
Slide 15
Case 4: Diablo II
1573 checks on the user token. 3 entries in the log.
Misleading error message (as if there was no disc in the CD drive).
Only one entry about the CD-ROM: Game.exe checks the access to \Device\CdRom0.
Make the Access-Check on \Device\CdRom0 succeed.
Slide 16
Other Example Applications
Windows Clock/Calendar
– rundll32.exe fails to enable the SystemTime privilege (Adjust-Privilege)
Windows Power Options
– Access-Check failure on the registry key \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\PowerCfg
TurboTax
– TurboTax checks the Admins group membership by SID-Compare
Razzle (a build environment tool)
– Access-Check failure on the root directory of the source code.
Slide 17
Summary
We validate the effectiveness of the tracing technique on many real applications.
– Applications span a variety of user types.
– Applications exhibit a variety of reasons for the LPIs.
– Our technique catches all causes of LPIs on exercised code paths. As a dynamic tracing technique, it cannot identify LPIs that are not exercised.
Fixing or mitigating LPIs becomes significantly easier.
Slide 18
Future Directions
Usability enhancements
– Driver instead of modified kernel
– Automatically set breakpoints at the security checks responsible for least-privilege incompatibilities (integrated in debuggers)
– Configuration utility for sysadmins
Further research on permission failures
– Security failures involving networked applications
– Apply techniques to other OS platforms?