TRANSCRIPT
![Page 1: 1 Setuid Demystified Hao Chen David Wagner UC Berkeley Drew Dean SRI International](https://reader036.vdocuments.site/reader036/viewer/2022062801/56649e445503460f94b37f21/html5/thumbnails/1.jpg)
1
Setuid Demystified
Hao Chen David Wagner
UC Berkeley
Drew Dean
SRI International
2
The Setuid API
• User ID model: the basis for access control in Unix
• Each process has three user IDs:
  – ruid: the real user ID
  – euid: the effective user ID
  – suid: the saved user ID
• The setuid API offers these system calls:
  – setuid, seteuid, setreuid, setresuid
3
The Mystery
• Which user IDs does setuid(x) set?
  – FreeBSD: always ruid=euid=suid=x
  – Linux/Solaris: always euid=x; ruid=suid=x only sometimes (when the caller is privileged)
• Do these calls always succeed?
  – setuid(geteuid())
    • May fail in Linux and Solaris
  – seteuid(geteuid())
    • May fail in FreeBSD
  – setreuid(geteuid(), getuid())
    • May fail in FreeBSD
4
The Problems
• Semantic mess
  – Design: confusing, surprising
  – Portability: semantic differences among OSs (e.g. Linux, Solaris, FreeBSD)
  – Documentation: incomplete, inaccurate, or incorrect
• Reason: historical artifacts
• Vulnerabilities
  – Sendmail 8.10.1 and 8.12.0, etc.
5
Outline: Demystify the Setuid API
• Identify the precise semantics
  – Use a formal model
  – Build the model automatically by state space exploration
• Check for
  – Semantic pitfalls
  – Documentation errors
  – Inconsistency in OS kernels
  – Proper use of API calls in programs
• Propose guidelines
6
Formal Model of the Setuid API
• Finite State Automaton (FSA) model
  – States: describing the user IDs of a process
  – Transitions: describing the semantics of the setuid API calls
[Figure: a fragment of the FSA with three states, (ruid=1, euid=0, suid=0), (ruid=1, euid=1, suid=1) and (ruid=1, euid=1, suid=0), and edges labelled setuid(1), seteuid(1) and seteuid(0); read with Linux semantics: setuid(1) takes (1,0,0) to (1,1,1), seteuid(1) takes (1,0,0) to (1,1,0), and seteuid(0) takes (1,1,0) back to (1,0,0)]
• Abstraction
  – 0: root uid
  – 1: a non-root uid
7
Construct the FSA
• Challenge
  – Large number of transitions
  – Manual construction is laborious, error-prone
• Solution
  – Automatic construction by a state space explorer:
    • Exhaustively makes all setuid API calls at each state of the FSA
    • Observes the resulting transitions
8
[Figure: the explored FSA over all eight states of the abstraction, one per combination of ruid, euid, suid in {0, 1}: (1,1,0), (0,0,0), (1,0,0), (0,1,0), (1,0,1), (1,1,1), (0,1,1), (0,0,1); edges are labelled setuid(0), setuid(1), seteuid(0) and seteuid(1)]
9
FSAs for setuid transitions: Linux vs. FreeBSD [figure]
10
FSA for setresuid in Linux
11
Benefits of Using Formal Model
• Correctness
  – Intuition: the transitions in the FSA are observed from running programs
• Efficiency
  – The FSA is constructed automatically by the explorer
• Portability: the explorer is portable to
  – Different Unix systems
  – Different versions of kernels
• Lots of applications!
12
Find Documentation Errors
• Incomplete man page
  – setuid(2) in Redhat Linux 7.2: fails to mention the Linux capabilities which affect how setuid() behaves
• Wrong man pages
  – FreeBSD 4.4: "Unprivileged users may change the ruid to the euid and vice versa"
  – Redhat Linux 7.2: "The setgid function checks the egid of the caller and if it is the superuser, …"
  (the slide annotates the two quotes with the corrected identifiers, suid and euid)
13
Detect Inconsistencies in OS Kernel
• File system uid (fsuid) in Linux
  – Is used for filesystem permission checking
  – Normally follows euid
• An invariant in Linux 2.4.18 (kernel/sys.c)
  – fsuid is 0 only if at least one of ruid, euid, suid is 0
• Security motivation
  – Root privilege in fsuid is automatically dropped when it is dropped from ruid, euid, suid
  – Ensures that an fsuid-unaware application can safely drop root privilege in fsuid
14
Detect Inconsistencies in OS Kernel (contd.)
• A bug in Linux kernels <= 2.4.18 breaks the invariant
  – The bug is in setresuid()
• We found the bug using the formal model
  – Our patch was applied to kernel 2.4.19
• Lessons
  – Security design is difficult to get right
  – Formal models are very useful in verifying security models
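The explorer of slide 7 forks a child at every state, issues each call against the live kernel and reads the ids back. What follows is an added example, not code from the paper or its authors: the same exhaustive exploration run offline against a small model of the Linux 2.4 rules for setuid, setreuid, setresuid and setfsuid. The rules are my transcription of kernel/sys.c and the characterisation of the 2.4.18 bug (fsuid refreshed only when an euid argument is supplied) is my reading of it; both are assumptions, and the real explorer needs neither because it observes the kernel directly. Over the abstraction 0 = root, 1 = non-root, extended with fsuid, it answers the slide-3 question (setuid(geteuid()) can fail on Linux) and reproduces the slide-14 result: the 2.4.18 setresuid makes a state that breaks the invariant reachable, and a setresuid whose fsuid always follows euid does not.

```c
/* Added example: offline state-space exploration of the setuid API (slides 7, 13, 14).
 * ASSUMPTION: the call rules below are my transcription of Linux 2.4 kernel/sys.c; the
 * paper's explorer issues the real system calls in forked children instead of modelling them.
 * Abstract uids: 0 = root, 1 = a non-root uid; NOCHANGE stands for the (uid_t)-1 argument. */
#include <stdio.h>
#include <string.h>
#define NOCHANGE (-1)
typedef struct { int ruid, euid, suid, fsuid; } st_t;
typedef struct { st_t st; int from; char via[40]; } node_t;  /* reached state + first call producing it */
static const st_t START = { 1, 0, 0, 0 };                    /* setuid-root binary started by uid 1 */
static int capable(const st_t *s) { return s->euid == 0; }   /* CAP_SETUID, approximated by euid == 0 */

static int m_setuid(st_t *s, int x) {
    if (capable(s)) s->ruid = s->euid = s->suid = x;       /* privileged: all three ids change */
    else if (x == s->ruid || x == s->suid) s->euid = x;     /* unprivileged: euid only */
    else return -1;                                         /* EPERM */
    s->fsuid = s->euid;
    return 0;
}
static int m_setreuid(st_t *s, int r, int e) {
    int old_r = s->ruid;
    if (r != NOCHANGE && r != s->ruid && r != s->euid && !capable(s)) return -1;
    if (e != NOCHANGE && e != s->ruid && e != s->euid && e != s->suid && !capable(s)) return -1;
    if (r != NOCHANGE) s->ruid = r;
    if (e != NOCHANGE) s->euid = e;
    if (r != NOCHANGE || (e != NOCHANGE && e != old_r)) s->suid = s->euid;   /* the "sometimes" case */
    s->fsuid = s->euid;
    return 0;
}
/* fixed == 0: 2.4.18 behaviour, fsuid refreshed only when an euid argument is supplied (my reading of
 * the bug on slide 14); fixed == 1: fsuid always follows euid, which restores the slide-13 invariant. */
static int m_setresuid(st_t *s, int r, int e, int u, int fixed) {
    const int want[3] = { r, e, u };
    for (int i = 0; i < 3 && !capable(s); i++)     /* unprivileged: each requested id must already be held */
        if (want[i] != NOCHANGE && want[i] != s->ruid && want[i] != s->euid && want[i] != s->suid) return -1;
    if (r != NOCHANGE) s->ruid = r;
    if (e != NOCHANGE) s->euid = s->fsuid = e;
    if (u != NOCHANGE) s->suid = u;
    if (fixed) s->fsuid = s->euid;
    return 0;
}
static int m_setfsuid(st_t *s, int x) {   /* the real call signals refusal by returning the old fsuid */
    if (x != s->ruid && x != s->euid && x != s->suid && x != s->fsuid && !capable(s)) return -1;
    s->fsuid = x;
    return 0;
}
static int encode(const st_t *s) { return s->ruid | (s->euid << 1) | (s->suid << 2) | (s->fsuid << 3); }
/* The Linux invariant from slide 13. */
int invariant_holds(const st_t *s) { return s->fsuid != 0 || s->ruid == 0 || s->euid == 0 || s->suid == 0; }

/* Breadth-first exploration (slide 7): at every reached state make every call with every argument
 * tuple; each new state is stored with the call that first produced it.  Returns the state count. */
int explore(st_t start, int fixed, node_t out[16]) {
    static const char *name[4] = { "setuid", "setreuid", "setresuid", "setfsuid" };
    static const int arity[4] = { 1, 2, 3, 1 }, nochange_ok[4] = { 0, 1, 1, 0 };
    unsigned seen = 1u << encode(&start);
    int tail = 1;
    out[0].st = start; out[0].from = -1; strcpy(out[0].via, "start");
    for (int head = 0; head < tail; head++)
        for (int c = 0; c < 4; c++)
            for (int t = 0, tuples = arity[c] == 1 ? 3 : arity[c] == 2 ? 9 : 27; t < tuples; t++) {
                int a[3] = { t % 3 - 1, (t / 3) % 3 - 1, (t / 9) % 3 - 1 }, skip = 0, len;
                for (int i = 0; i < arity[c]; i++) skip |= (a[i] == NOCHANGE && !nochange_ok[c]);
                if (skip) continue;
                st_t nx = out[head].st;
                int rc = c == 0 ? m_setuid(&nx, a[0]) : c == 1 ? m_setreuid(&nx, a[0], a[1])
                       : c == 2 ? m_setresuid(&nx, a[0], a[1], a[2], fixed) : m_setfsuid(&nx, a[0]);
                if (rc != 0 || ((seen >> encode(&nx)) & 1)) continue;    /* refused, or already known */
                seen |= 1u << encode(&nx);
                out[tail].st = nx; out[tail].from = head;
                len = snprintf(out[tail].via, sizeof out[tail].via, "%s(", name[c]);
                for (int i = 0; i < arity[c]; i++)
                    len += snprintf(out[tail].via + len, sizeof out[tail].via - len, "%s%d", i ? "," : "", a[i]);
                snprintf(out[tail].via + len, sizeof out[tail].via - len, ")");
                tail++;
            }
    return tail;
}
/* Slide 14: count reachable states that break the invariant; witness receives the first offending step. */
int fsuid_violations(int fixed, char *witness, size_t wlen) {
    node_t n[16];
    int count = explore(START, fixed, n), bad = 0;
    for (int i = 0; i < count; i++) {
        if (invariant_holds(&n[i].st)) continue;
        if (bad++ == 0 && witness) {
            const st_t *p = &n[n[i].from].st, *q = &n[i].st;
            snprintf(witness, wlen, "%s: (%d,%d,%d,fsuid=%d) -> (%d,%d,%d,fsuid=%d)", n[i].via,
                     p->ruid, p->euid, p->suid, p->fsuid, q->ruid, q->euid, q->suid, q->fsuid);
        }
    }
    return bad;
}
int setuid_geteuid_can_fail(void) {     /* slide 3: 1 if some reachable state refuses setuid(geteuid()) */
    node_t n[16];
    for (int i = 0, count = explore(START, 1, n); i < count; i++) {
        st_t s = n[i].st;
        if (m_setuid(&s, n[i].st.euid) != 0) return 1;
    }
    return 0;
}
```

With the 2.4.18 rule the witness is a setresuid call that leaves euid untouched while dropping the last root id from ruid or suid, for example setresuid(-1,-1,1) from (1,1,0,fsuid=0), which is exactly the case an fsuid-unaware program relies on never happening; with fsuid forced to follow euid on every call, no reachable state breaks the invariant.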
15
Check Proper Usage of the Setuid API in Programs
• Questions
  – Can a setuid API call fail in this program?
  – Can this program fail to drop privilege?
  – Which parts of this program run with privilege?
• Approach
  – Model checking security properties in programs using the FSA of the setuid API
• Results
  – Found known setuid bugs in sendmail 8.10.1 and 8.12.0
16
Guidelines
• Use setresuid where available
  – Explicit, clear semantics
  – Transactional (vs. setuid, which is not transactional)
• Obey the proper order of API calls
  – Drop group privileges before user privileges
17
Guidelines (contd.)
• Check for errors
  – Check return code
  – Verify user IDs are as expected after API calls (because some calls are not transactional)
  – Verify failures
• How to permanently drop privileges confidently?
  1. Drop privilege
  2. Try to regain privilege
  3. Ensure that Step 2 fails
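The guidelines of slides 16 and 17 as one function, added here as an example and not code from the paper or its authors: groups are dropped before the user, the transactional setres* calls are used, every return code is checked, the ids are read back rather than trusted, and then each route back to root is attempted and must be refused. It assumes Linux with glibc (setresuid, setresgid, getresuid and getresgid are not POSIX) and that supplementary groups are cleared only while the process is still root, since setgroups needs CAP_SETGID.

```c
/* Added example (not code from the paper): the slide-17 recipe as one Linux function.
 * ASSUMPTION: Linux/glibc, since setresuid/setresgid/getresuid/getresgid are not POSIX. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stddef.h>
#include <sys/types.h>
#include <unistd.h>

/* Prototypes repeated so the block compiles even if the feature macro was set too late. */
int setresuid(uid_t, uid_t, uid_t);
int setresgid(gid_t, gid_t, gid_t);
int getresuid(uid_t *, uid_t *, uid_t *);
int getresgid(gid_t *, gid_t *, gid_t *);
int setgroups(size_t, const gid_t *);
int seteuid(uid_t);
int setegid(gid_t);

/* Returns 0 only when the process verifiably runs as uid/gid with no way back to root;
 * -1 otherwise, with errno from the failing call or EACCES when a post-check fails. */
int drop_privileges_permanently(uid_t uid, gid_t gid) {
    uid_t r, e, s;
    gid_t rg, eg, sg;
    if (uid == 0) { errno = EINVAL; return -1; }        /* dropping "to root" is not a drop */

    /* 1. Drop privilege.  Groups first (slide 16): once euid is non-zero the process
     *    has lost CAP_SETGID and could no longer change them. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return -1;   /* clear supplementary groups */
    if (setresgid(gid, gid, gid) != 0) return -1;               /* all three gids, or none */
    if (setresuid(uid, uid, uid) != 0) return -1;               /* all three uids, or none */

    /* 2. Verify the ids themselves; a zero return code is not the same thing (slide 17). */
    if (getresuid(&r, &e, &s) != 0 || getresgid(&rg, &eg, &sg) != 0) return -1;
    if (r != uid || e != uid || s != uid || rg != gid || eg != gid || sg != gid) {
        errno = EACCES;
        return -1;
    }

    /* 3. Try to regain privilege and insist that it fails.  With ruid, euid and suid all
     *    non-zero the kernel has nothing left to restore, so every route must be refused. */
    if (setresuid((uid_t)-1, 0, (uid_t)-1) == 0 || seteuid(0) == 0 || setuid(0) == 0) {
        errno = EACCES;
        return -1;
    }
    if (gid != 0 && (setresgid((gid_t)-1, 0, (gid_t)-1) == 0 || setegid(0) == 0)) {
        errno = EACCES;
        return -1;
    }
    return 0;
}
```

Called from a setuid-root program as drop_privileges_permanently(getuid(), getgid()) after the privileged work is done, a zero return means all three uids and gids are the caller's and the regain attempts were refused; anything else should be treated as fatal, because a process that believes it dropped root but did not is the sendmail failure mode the deck describes.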
18
Related Work
• Unix man pages
• Chris Torek and Casper Dik. Setuid Mess
• Matt Bishop. How to Write a Setuid Program
• Timothy Levin, S. Padilla, Cynthia Irvine. A Formal Model for UNIX Setuid
19
Conclusion: Setuid Demystified
• We’ve identified the precise semantics
  – Use an FSA model
  – Built the model automatically by state space exploration
• Formal models revealed pitfalls and bugs
  – We discovered semantic pitfalls
  – We found new documentation errors
  – We detected the fsuid bug in the Linux kernel
  – We verified the proper use of the setuid API in some programs
• Follow our guidelines for the setuid API
20
Further Information
http://www.cs.berkeley.edu/~hchen/research/setuid/
21
FSA for setreuid in Linux