A Black-Box Tracing Technique to Identify Causes of Least-Privilege Incompatibilities
Shuo Chen, John Dunagan, Chad Verbowski and Yi-Min Wang
NDSS 2005, San Diego, California, Feb. 4, 2005
The Problem
• Principle of Least Privilege
  • Software should run only with the privileges necessary to accomplish the task.
• Reality of Windows systems
  • Most users run all the time as members of the Administrators group (a.k.a. Admins; the equivalent of root in UNIX).
  • Security threats increase: a compromise of a user application becomes a compromise of the whole system.
    • E.g., a buffer overflow in Instant Messenger
• Many Windows applications require admin privileges when they shouldn't (least-privilege incompatibility, or LPI).
Least Privilege Incompatible Apps
• Bob the Builder (a kid's game)
• Windows Clock/Calendar
Least Privilege Incompatible Apps
• RAS, a Virtual Private Network (VPN) software
• RAZZLE (the build environment for many Microsoft products)
Least Privilege Incompatible Apps
• Microsoft Greetings
• TurboTax
• Diablo II: "Unable to detect the Play Disc?"
• A Microsoft Knowledge Base article reports 188 least-privilege incompatible applications.
Project Goal
• Develop a tracer…
  • to identify the causes of LPIs…
  • so that they can be more easily fixed by developers or sysadmins.
  • Provide enough clues to make a hard problem easy.
• Address developers' challenges
  • It is impractical to gain deep insight into the entire code base of a commercial product. The tracer should pinpoint the failing code.
  • Libraries encapsulate the system calls that invoke security checks, and most libraries ship only in binary form. The tracer should identify the low-level security failure, not an opaque library failure.
  • Applications can have many LPIs. The tracer should minimize the number of test runs needed to fix all of them.
• Also helps sysadmins! In many cases an LPI can be mitigated through a harmless system policy change.
  • E.g., change the Access Control List (ACL) of the affected files and registry keys.
Windows Security Subsystem
• Data structure: the token (security context).
• Complete set of checking functions in the security subsystem:
  • SID-Compare: can be used to check "Am I an admin?"
  • Access-Check / Reference-Object: do I have the permissions to open an object handle / perform operations on an opened handle?
  • Adjust-Privilege / Privilege-Check: do I have the permissions to perform an operation not associated with an individual object (e.g., shut down the system)?
• Why not just monitor at the syscall level?
  • The system call interface is enormous.
  • Syscalls can be stateful; the security subsystem is stateless (a crucial ingredient in noise filtering).
Overview of the Tracing Technique
• Tracing mode: run the app with Admin privileges (start tracing … stop tracing).
  • Security check monitor and noise filter: intercept every security check call and determine whether it succeeds but would fail if a non-admin invoked it.
  • Uses the statelessness of the security subsystem.
  • Security check event logger: produces the log of possible causes of least-privilege incompatibilities.
• Validation mode: run the app without Admin privileges (start validation … stop validation).
  • Security check monitor and noise filter: deliberately make a subset of the logged security checks succeed when they normally would fail.
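To make the two modes concrete, here is an added Python model of the tracer's logic (not the authors' kernel instrumentation): tokens, ACLs and the check sequence are constructed, the SIDs and privilege names are real well-known Windows names, and the two object paths are the ones that appear in the cases later in the talk.

```python
from collections import Counter

ADMINS_SID, USERS_SID = "S-1-5-32-544", "S-1-5-32-545"  # BUILTIN\Administrators, BUILTIN\Users
POWERCFG = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\PowerCfg"
# Constructed tokens: the tracer evaluates each check against the real admin token and
# against a hypothetical non-admin token holding only the Users SID.
ADMIN_TOKEN = {"sids": {ADMINS_SID, USERS_SID}, "privs": {"SeSystemtimePrivilege"}}
USER_TOKEN = {"sids": {USERS_SID}, "privs": set()}
# Constructed ACLs: (object, requested access) -> group SIDs granted that access.
ACL = {(r"\Device\CdRom0", "READ"): {ADMINS_SID, USERS_SID}, (r"\Device\CdRom0", "WRITE"): {ADMINS_SID},
       (POWERCFG, "READ"): {ADMINS_SID, USERS_SID}, (POWERCFG, "WRITE"): {ADMINS_SID}}

def evaluate(check, token):
    """One stateless security check (kind, target) evaluated against a token."""
    kind, target = check
    if kind == "SID-Compare":      # "Am I an admin?"
        return target in token["sids"]
    if kind == "Privilege-Check":  # operation not tied to an object
        return target in token["privs"]
    if kind == "Access-Check":     # open a handle / operate on an object
        return bool(ACL.get(target, set()) & token["sids"])
    raise ValueError(kind)

def trace(events):
    """Tracing mode: app runs as admin; log checks that succeed but would fail for a
    non-admin. Returns (counters, logged events, distinct logged entries)."""
    stats, logged = Counter(), []
    for ev in events:
        stats["performed"] += 1
        admin_ok, user_ok = evaluate(ev, ADMIN_TOKEN), evaluate(ev, USER_TOKEN)
        stats["failed"] += not admin_ok      # fails even as admin: noise, not an LPI
        stats["would_fail"] += not user_ok
        if admin_ok and not user_ok:
            logged.append(ev)
    return stats, logged, list(dict.fromkeys(logged))

def validate(events, overrides):
    """Validation mode: app runs as non-admin while the chosen logged entries are forced
    to succeed. Returns the first LPI still blocking the code path, else None."""
    for ev in events:
        if evaluate(ev, ADMIN_TOKEN) and not (evaluate(ev, USER_TOKEN) or ev in overrides):
            return ev
    return None

# Constructed check sequence as one app run might emit it (repeats included).
EVENTS = [("Access-Check", (r"\Device\CdRom0", "READ")), ("SID-Compare", ADMINS_SID),
          ("Access-Check", (POWERCFG, "READ")), ("Access-Check", (POWERCFG, "WRITE")),
          ("Access-Check", (POWERCFG, "WRITE")), ("Privilege-Check", "SeSystemtimePrivilege"),
          ("Access-Check", (r"\Device\CdRom0", "WRITE")),
          ("Privilege-Check", "SeShutdownPrivilege")]  # fails for admin too: not an LPI
```

Running `trace(EVENTS)` reproduces the arithmetic of the case studies: the log size is "would fail for non-admin" minus "failed anyway", and deduplication leaves the distinct causes that `validate` can then be fed one subset at a time.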
Evaluations with Real Examples
• Goal of the evaluation is to demonstrate that…
  • the tracer makes LPIs easy to understand,
  • fixing the LPIs becomes substantially easier,
  • most LPIs are simply bugs.
• Bottom line: the LPI problem is solvable.
Case 1: Bob the Builder
• Third-party application. "Unable to perform the operation because of insufficient privilege." Which operation? Why require admin privileges?
• Tracing
  • 4002 security checks were performed against the user token; 884 checks failed; 899 checks would fail if they were performed by non-admin users.
  • The log contains only 899 – 884 = 15 entries, among which only 5 are distinct.
Case 2: RAS (Remote Access Service)
• RAS sets up a Virtual Private Network (VPN) to connect to the corporate network.
• Least-privilege incompatibility encountered.
• The tracer logged 7 entries out of 2566 security checks on the user token.
• The cause (one of the 7 logged entries) hides deep in the call stack. Not intuitive:
  • The RAS process → Get_EnumEveryConnection in HNETCFG.dll (Home Networking Configuration Manager) → CheckTokenMembership in ADVAPI32.dll → Access-Check in the kernel
• Developer's response:
  • RAS needs to migrate existing connections to the VPN.
  • The only API for enumerating network connections is Get_EnumEveryConnection, which is privileged.
  • Solution: RAS should only migrate the current user's connections.
Case 3: Microsoft Greetings
• 12618 checks performed for user permissions. 37 entries in the log.
• Encountered 5 LPIs along the code path:
  • 1 due to SID-Compare
  • 1 due to \Program Files\Microsoft Picture It! PhotoPub\pidocob.dll
  • 3 due to \REGISTRY\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Picture It!\*
• Strength of the tracing technique: logging all causes requires only one test run.
Increasingly Obscure Error Messages
• Remove the first LPI → next error message
• Remove the second LPI → next error message
• Remove the other 3 LPIs → application works
Case 4: Diablo II
• 1573 checks on the user token. 3 entries in the log.
• Misleading error message (as if there were no disc in the CD drive).
• Only one entry concerns the CD-ROM: Game.exe checks access to \Device\CdRom0.
• Validation: make the Access-Check on \Device\CdRom0 succeed, and the game runs.
Other Example Applications
• Windows Clock/Calendar
  • rundll32.exe fails to enable the SystemTime privilege (Adjust-Privilege).
• Windows Power Options
  • Access-Check failure on the registry key \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\PowerCfg
• TurboTax
  • TurboTax checks membership in the Administrators group with SID-Compare.
• Razzle (a build environment tool)
  • Access-Check failure on the root directory of the source code.
Summary
• We validated the effectiveness of the tracing technique on many real applications.
  • The applications span a variety of user types.
  • The applications exhibit a variety of reasons for their LPIs.
• Our technique catches all causes of LPIs on the exercised code paths. As a dynamic tracing technique, it cannot identify LPIs on paths that are not exercised.
• Fixing or mitigating LPIs becomes significantly easier.
Future Directions
• Usability enhancements
  • A driver instead of a modified kernel.
  • Automatically set breakpoints at the security checks responsible for least-privilege incompatibilities (integrated in debuggers).
  • A configuration utility for sysadmins.
• Further research on permission failures
  • Security failures involving networked applications.
  • Apply the technique to other OS platforms?