Security Improvements in Linux Using Capabilities Gautam Barua Department Of Computer Science & Engg Indian Institute of Technology, Guwahati
Outline • Discretionary Access Control • Set user on execution • Mandatory Access Control • Linux Security Modules • SeLinux • Buffer Overflow Attack • Posix Capabilities • Work at IITG
Discretionary Access Control • Owner-administered • Mode bits: User, Group, Others • Basic Permissions: Read, Write, Execute (e.g. rwxr--r-- owner_id group_id ...) • Access Control Lists added in later versions of Unix (and Linux). • Can specify particular users or groups who are given permissions or denied permissions. IIT Guwahati
Discretionary Access Control • Setting controls is at the discretion of users. • An “owner” is identified with every file • Mode bits can be changed by the owner. • Distributed control • Easy to manage • User controls her data • Attacks can be catastrophic
Set uid on execution • ls -l /var/bin/ps shows r-sr-xr-x root root ... ps • When user gb executes “ps”, the process executing “ps” gets an effective user id of “root”. • So the privileges of “root” are available to the program “ps” even though it is gb executing it.
Set uid on execution • But only what “ps” can do as root is allowed to gb. • This method of controlled escalation of privileges provides flexibility in managing resources. BUT • Mistakes may be made by administrators • If write permission is given inadvertently to the file containing “ps” ….
Set uid on Execution • More seriously, there may be a bug in “ps” • This may be exploited by an intruder, and the process running “ps” may be made to execute some malicious code. • This malicious code will get root privileges and can therefore wreak havoc. • We should give only the necessary privileges to programs like “ps”, not full root privileges.
Mandatory Access Control • Controls imposed by a central administrator • Enforced by the OS kernel • User programmes cannot override the controls • Complex to implement • Restrictive to users • Less vulnerable to attacks
Mandatory Access Control • Linux Security Module (LSM) • General kernel framework for implementing security modules • Around 200 hooks • About 150 are for mediation • Others for allocation/freeing, labelling, ad hoc management
Linux Security Module • Add a “security” field to major data structures: • task_struct, inode, sk_buff, net_device, … • Type: void *security; • Add hooks at kernel critical points • To manage the “security” field • To perform access control as per defined policies • Register/unregister • Using register_security()/unregister_security() • LSM recognizes only the primary module • mod_reg_security enables a second module to stack
Security Enhanced Linux (SeLinux) • Mandatory Access Control Implementation • Uses LSM • Fine Grained Control Possible • Complex to set up • Flexibility is therefore low • Critics say chances of misconfiguration are high and so vulnerability increases
Security Enhanced Linux (SeLinux) • Subject (e.g. process), Object (e.g. file), Action (e.g. file read) • A Subject has a Security Context: • User Identifier (few) • Role (few) • Types (hundreds)
Buffer Overflow Attack
    #include <string.h>

    void func(char *str) {
        char buffer[16];
        strcpy(buffer, str);       /* no bounds check: the caller's 255 bytes overrun the 16-byte buffer */
    }

    int main(void) {
        char large_string[256];
        int i;
        for (i = 0; i < 255; i++)
            large_string[i] = 'A';
        large_string[255] = '\0';  /* terminate so strcpy copies exactly 255 bytes */
        func(large_string);
        return 0;
    }
Buffer Overflow Attack • Run-time stack when “func” is called (diagram): Buffer[0..15] | *str | Return address | Attack Code
Buffer Overflow Attack
    #include <stdio.h>
    #include <unistd.h>

    int main(void) {
        char *name[2];
        name[0] = "/bin/sh";
        name[1] = NULL;
        execve(name[0], name, NULL);
        return 0;
    }
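As an added example (not code from the slides), a bounded replacement for the earlier slide's func(): copy_bounded and func_safe are names chosen here, and the function refuses the slide's 255-byte input instead of writing past the 16-byte buffer.

```c
#include <stddef.h>
#include <string.h>

/* Copy at most dstsz-1 bytes and always terminate. Returns the length
 * copied, or -1 when src would not fit, so an oversized input is refused
 * rather than silently truncated or written past the end of dst. */
int copy_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (dstsz == 0)
        return -1;
    if (n >= dstsz) {            /* would overflow: reject */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);     /* n bytes plus the terminator */
    return (int)n;
}

/* Hardened form of the slide's func(): same 16-byte local, bounded copy */
int func_safe(const char *str)
{
    char buffer[16];
    return copy_bounded(buffer, sizeof buffer, str);
}

/* Constructed input mirroring the slide: 255 'A's in a 256-byte array */
int run_slide_input(void)
{
    char large_string[256];
    memset(large_string, 'A', 255);
    large_string[255] = '\0';
    return func_safe(large_string);   /* -1: the overflow is refused */
}
```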
POSIX Capabilities • Fine-grained control of who can do what • Traditional: all-or-nothing: root can do everything, a normal user can do nothing • Capabilities: define a set of distinct privileges in the system (if a task has a capability, it is permitted to do a certain task) • POSIX 1e defines a list of capabilities • Linux 2.6.24 implements 8 from POSIX, and adds 24 Linux-specific (total 32) • Not Capabilities as per the classical definition
Capabilities • CAP_CHOWN: allow changing file ownership • CAP_SETUID: allow manipulation of UIDs • CAP_NET_BIND_SERVICE: allow binding to TCP/UDP ports below 1024 • CAP_DAC_OVERRIDE: bypass rwx permission checks • CAP_SYS_NICE: allow changing nice level • CAP_FOWNER: bypass need for uids to match (e.g. chmod) • CAP_SYS_PTRACE: allow ptrace() of any process • CAP_SYS_CHROOT: allow use of chroot()
Capabilities • CAP_MKNOD: allow creation of special files • CAP_SYS_MODULE: allow loading and unloading of kernel modules • CAP_DAC_READ_SEARCH: bypass directory read and execute permission checks • CAP_FSETID: don’t clear suid and sgid flags on files when modified. • CAP_KILL: bypass permission checks for sending signals • CAP_NET_RAW: allow the use of raw sockets
Capabilities Implementation • 32-bit integer • Bitmap: 1 bit per capability: 1 means the corresponding capability is held, 0 means it is not • Maximum of 32 capabilities supported in Linux 2.6.24 (will increase to 64 bits in coming versions) • Operations: • cap_raise(c, flag): Include the capability in c • cap_lower(c, flag): Remove the capability from c • cap_raised(c, flag): Does c have the capability?
Capability Set in Processes • Each process has 3 sets of capabilities • Permitted set: capabilities the task can use • Effective set: capabilities that the task currently chooses to use (so as to lower privileges temporarily) • Inheritable set: capabilities that are preserved across an “execve” • A child that is forked gets a copy of each of the three sets
Use Capabilities • The kernel checks the capability before doing a privileged action:
    ...
    if (!capable(CAP_XXX))
        return -EPERM;
    ...
• capable(cap): does this process have the capability?
    int capable(int cap)
    {
        if (cap_raised(current->cap_effective, cap))
            return 1;
        return 0;
    }
Capability Example • Controlling the system call nice() • In kernel/sched.c:
    asmlinkage long sys_nice(int increment)
    {
        if (increment < 0) {
            if (!capable(CAP_SYS_NICE))
                return -EPERM;
            …
Giving Capabilities • Capabilities are copied from the parent process • But there is a need to provide program-specific capabilities, and inheriting from the parent will not give the required functionality. • So associate capabilities with executable programs. • Store capabilities in the files containing executable programs.
File Capabilities • Executable files can have capabilities too • Also have 3 sets: permitted, effective, inheritable • Stored as file attributes in file systems • Changes the process's capabilities after execve() • Capability rules • Inheritable set does not change after execve() • New permitted set = file permitted set OR (file inheritable set AND process permitted set) • New effective set = file effective set AND new permitted set
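Added example, not code from the slides or from the kernel: a user-space model of the 32-bit capability bitmap with the cap_raise/cap_lower/cap_raised operations from the Capabilities Implementation slide, a capable()-style check against the effective set, and the execve() transition rule exactly as the File Capabilities slide states it (no bounding or ambient sets, which later kernels add). The scenario() function and the sets it builds are constructed; the capability bit numbers follow the Linux numbering.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example (not kernel code): 2.6.24-style 32-bit kernel_cap_t bitmap,
 * bit n = capability n (Linux numbering), with the slide's operations and
 * the execve() rule from the File Capabilities slide. */
typedef uint32_t kernel_cap_t;
enum { CAP_KILL = 5, CAP_NET_BIND_SERVICE = 10, CAP_NET_RAW = 13,
       CAP_SYS_PTRACE = 19, CAP_SYS_NICE = 23 };

kernel_cap_t cap_raise(kernel_cap_t c, int flag) { return c | (1u << flag); }
kernel_cap_t cap_lower(kernel_cap_t c, int flag) { return c & ~(1u << flag); }
int cap_raised(kernel_cap_t c, int flag) { return (c >> flag) & 1u; }

struct cap_sets { kernel_cap_t permitted, effective, inheritable; };

/* Slide rule: inheritable unchanged; new permitted = file permitted OR
 * (file inheritable AND process permitted); new effective = file effective
 * AND new permitted. */
struct cap_sets exec_transition(struct cap_sets proc, struct cap_sets file)
{
    struct cap_sets n;
    n.inheritable = proc.inheritable;
    n.permitted = file.permitted | (file.inheritable & proc.permitted);
    n.effective = file.effective & n.permitted;
    return n;
}

/* User-space analogue of the kernel's capable(): consult the effective set */
int capable_in(const struct cap_sets *s, int cap) { return cap_raised(s->effective, cap); }

/* Constructed scenario: a process holding CAP_NET_RAW and CAP_KILL executes a
 * file that grants CAP_NET_BIND_SERVICE outright and offers CAP_NET_RAW and
 * CAP_SYS_PTRACE only through its inheritable set. */
struct cap_sets scenario(void)
{
    struct cap_sets proc = {0, 0, 0}, file = {0, 0, 0};
    proc.permitted = cap_raise(cap_raise(0, CAP_NET_RAW), CAP_KILL);
    proc.effective = proc.permitted;
    file.permitted = cap_raise(0, CAP_NET_BIND_SERVICE);
    file.inheritable = cap_raise(cap_raise(0, CAP_NET_RAW), CAP_SYS_PTRACE);
    file.effective = file.permitted | file.inheritable;
    return exec_transition(proc, file);   /* PTRACE and KILL are dropped */
}

int main(void)
{
    struct cap_sets n = scenario();
    printf("bind:%d raw:%d ptrace:%d kill:%d\n", capable_in(&n, CAP_NET_BIND_SERVICE),
           capable_in(&n, CAP_NET_RAW), capable_in(&n, CAP_SYS_PTRACE), capable_in(&n, CAP_KILL));
    return 0;
}
```

The run prints `bind:1 raw:1 ptrace:0 kill:0`: CAP_SYS_PTRACE is offered by the file but not held by the process, and CAP_KILL is held by the process but not listed by the file, so neither survives the execve().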
File Capability Implementation • Executable file data structure: struct linux_binprm • Defined in include/linux/binfmts.h • Fields related to capabilities: kernel_cap_t cap_inheritable, cap_permitted, cap_effective; • When an executable file is loaded: • Fill in linux_binprm from the file system and call compute_creds() • Example: loading an ELF file: the function load_elf_binary() calls compute_creds()
File Capability Implementation (Cont.) • File system support has been recently added in the Linux kernel starting from Linux 2.6.24-rc2. • Uses the “extended attributes” feature of the ext2 file system to store file capabilities.
Ongoing Research at IITG • No process should run with euid = 0 • It's difficult to figure out the required capabilities for a given executable • How to convert a running system into one with capabilities • Is the available set of capabilities sufficient for an executable?
(Cont.) • Our goal • To ease the process of setting caps • A tool which sets the required caps by diagnosing the given executable • Monitor a server (with caps enabled): • Whether the tool has set the least required caps or not • Gather more information to see if there are any areas left uncovered by the Capability System which should get attention.
(Cont.) • Diagnostic tool • Checks which system calls are called by the executable • In cases where a capability check directly gates access to the system call, like CAP_CHOWN, CAP_SYS_PTRACE etc., the decision is obvious. • For cases like CAP_NET_RAW, CAP_NET_BIND_SERVICE etc., dynamic heuristics are required as the decision depends on the arguments passed
Questions???