Setuid Demystified Hao Chen David Wagner UC Berkeley Drew Dean SRI International
The Setuid API • User ID model: the basis for access control in Unix • Each process has three user IDs: • ruid: the real user ID • euid: the effective user ID • suid: the saved user ID • The setuid API offers these system calls: • setuid, seteuid, setreuid, setresuid
The Mystery • Which user IDs does setuid(x) set? • FreeBSD: always ruid=euid=suid=x • Linux/Solaris: always euid=x, sometimes ruid=suid=x • Do these calls always succeed? • setuid(geteuid()) • May fail in Linux and Solaris • seteuid(geteuid()) • May fail in FreeBSD • setreuid(geteuid(), getuid()) • May fail in FreeBSD
The Problems • Semantic mess • Design: confusing, surprising • Portability: semantic differences among OSs (e.g. Linux, Solaris, FreeBSD) • Documentation: incomplete, inaccurate, or incorrect • Reason: historical artifacts • Vulnerabilities • Sendmail 8.10.1 and 8.12.0, etc.
Outline: Demystify the Setuid API • Identify the precise semantics • Use a formal model • Build the model automatically by state space exploration • Check for • Semantic pitfalls • Documentation errors • Inconsistency in OS kernels • Proper use of API calls in programs • Propose guidelines
Formal Model of the Setuid API • Finite State Automaton (FSA) model • States: describing the user IDs of a process • Transitions: describing the semantics of the setuid API calls [Figure: example FSA fragment. Abstraction: 0 = root uid, 1 = a non-root uid. States shown: (ruid=1, euid=1, suid=1), (ruid=1, euid=0, suid=0), (ruid=1, euid=1, suid=0); transitions labelled setuid(1), seteuid(0), seteuid(1).]
Construct the FSA • Challenge • Large number of transitions • Manual construction is laborious, error-prone • Solution • Automatic construction by a state space explorer: • Exhaustively makes all setuid API calls at each state of the FSA • Observes the resulting transitions
[Figure: FSAs for setuid transitions, Linux and FreeBSD. States shown: (ruid=0, euid=0, suid=0), (ruid=1, euid=1, suid=1), (ruid=0, euid=0, suid=1), (ruid=0, euid=1, suid=0), (ruid=1, euid=1, suid=0), (ruid=0, euid=1, suid=1), (ruid=1, euid=0, suid=1), (ruid=1, euid=0, suid=0); transitions labelled setuid(0), setuid(1), seteuid(0), seteuid(1).]
FSAs for setuid transitions: Linux; FreeBSD
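The following is an added example, not code from the paper or its authors, showing the idea behind the "Mystery" and "Construct the FSA" slides in miniature: from the current (ruid, euid, suid) state, fork a child for each setuid-family call with x ∈ {0, a non-root uid}, let the child make the call, and send the observed outcome back so the parent's own state is never disturbed. It assumes Linux (glibc) or FreeBSD, where getresuid/setresuid exist; the explicit prototypes are there only so the block builds when _GNU_SOURCE is not in effect, and the uid 65534 used when run as root is a constructed placeholder for "a non-root uid" (the slide's abstract value 1).

```c
#define _GNU_SOURCE            /* getresuid/setresuid on glibc */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Explicit prototypes so the block also builds when _GNU_SOURCE is not in
 * effect (both Linux/glibc and FreeBSD provide these calls). */
int getresuid(uid_t *ruid, uid_t *euid, uid_t *suid);
int setresuid(uid_t ruid, uid_t euid, uid_t suid);

/* A state of the FSA: the (ruid, euid, suid) triple of a process. */
struct ids { uid_t r, e, s; };

/* One observed transition: the call made, whether it succeeded (and errno
 * if not), and the state the child was in afterwards. */
struct transition {
    char call[40];
    int ok;
    int err;
    struct ids after;
};

typedef int (*probe_fn)(uid_t x);
static int p_setuid(uid_t x)      { return setuid(x); }
static int p_seteuid(uid_t x)     { return seteuid(x); }
static int p_setreuid_r(uid_t x)  { return setreuid(x, (uid_t)-1); }
static int p_setreuid_e(uid_t x)  { return setreuid((uid_t)-1, x); }
static int p_setresuid_r(uid_t x) { return setresuid(x, (uid_t)-1, (uid_t)-1); }
static int p_setresuid_e(uid_t x) { return setresuid((uid_t)-1, x, (uid_t)-1); }
static int p_setresuid_s(uid_t x) { return setresuid((uid_t)-1, (uid_t)-1, x); }

static const struct { const char *name; probe_fn fn; } probes[] = {
    {"setuid(x)", p_setuid},             {"seteuid(x)", p_seteuid},
    {"setreuid(x,-1)", p_setreuid_r},    {"setreuid(-1,x)", p_setreuid_e},
    {"setresuid(x,-1,-1)", p_setresuid_r}, {"setresuid(-1,x,-1)", p_setresuid_e},
    {"setresuid(-1,-1,x)", p_setresuid_s},
};
#define NPROBES (sizeof probes / sizeof probes[0])

/* Make one call in a forked child (so the parent's ids stay as they are)
 * and ship the observed outcome back through a pipe. */
static int probe(probe_fn fn, uid_t x, struct transition *t) {
    int fd[2];
    if (pipe(fd) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fd[0]); close(fd[1]); return -1; }
    if (pid == 0) {
        close(fd[0]);
        t->ok = (fn(x) == 0);
        t->err = t->ok ? 0 : errno;
        getresuid(&t->after.r, &t->after.e, &t->after.s);
        if (write(fd[1], t, sizeof *t) != (ssize_t)sizeof *t) _exit(1);
        _exit(0);
    }
    close(fd[1]);
    ssize_t n = read(fd[0], t, sizeof *t);
    close(fd[0]);
    waitpid(pid, NULL, 0);
    return n == (ssize_t)sizeof *t ? 0 : -1;
}

/* Try every probe with the slide's abstract x in {0 = root, 1 = nonroot}.
 * Returns the number of transitions recorded in out[]. */
int explore(struct transition *out, size_t max, uid_t nonroot) {
    size_t n = 0;
    for (size_t i = 0; i < NPROBES; i++) {
        for (int abstract = 0; abstract <= 1; abstract++) {
            if (n >= max) return (int)n;
            struct transition *t = &out[n];
            memset(t, 0, sizeof *t);
            snprintf(t->call, sizeof t->call, "%s x=%d", probes[i].name, abstract);
            if (probe(probes[i].fn, abstract ? nonroot : 0, t) == 0) n++;
        }
    }
    return (int)n;
}

/* Look up a recorded transition by its label; -1 if absent. */
int find_transition(const struct transition *t, int n, const char *call) {
    for (int i = 0; i < n; i++)
        if (strcmp(t[i].call, call) == 0) return i;
    return -1;
}

int main(void) {
    struct transition t[2 * NPROBES];
    struct ids now;
    getresuid(&now.r, &now.e, &now.s);
    uid_t nonroot = now.r != 0 ? now.r : 65534;   /* constructed placeholder when root */
    int n = explore(t, 2 * NPROBES, nonroot);
    printf("from ruid=%u euid=%u suid=%u (nonroot uid = %u):\n",
           (unsigned)now.r, (unsigned)now.e, (unsigned)now.s, (unsigned)nonroot);
    for (int i = 0; i < n; i++)
        printf("  %-24s %-10s -> ruid=%u euid=%u suid=%u\n", t[i].call,
               t[i].ok ? "ok" : strerror(t[i].err),
               (unsigned)t[i].after.r, (unsigned)t[i].after.e, (unsigned)t[i].after.s);
    return 0;
}
```

Run unprivileged, every probe with x=0 fails with EPERM and the state stays put; run as root, the same table shows the "sometimes ruid=suid=x" behaviour of setuid(x) next to the single-id changes of seteuid and setresuid, which is exactly the per-state observation the explorer on the slides automates across all states.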
Benefits of Using Formal Model • Correctness • Intuition: the transitions in the FSA are observed from running programs • Efficiency • The FSA is constructed automatically by the explorer • Portability: the explorer is portable to • Different Unix systems • Different versions of kernels • Lots of applications!
Find Documentation Errors • Incomplete man page • setuid(2) in Redhat Linux 7.2: fails to mention the Linux capabilities which affect how setuid() behaves • Wrong man pages • FreeBSD 4.4: “Unprivileged users may change the ruid to the euid and vice versa” • Redhat Linux 7.2: “The setgid function checks the egid of the caller and if it is the superuser, …”
Detect Inconsistencies in OS Kernel • File system uid (fsuid) in Linux • Is used for filesystem permission checking • Normally follows euid • An invariant in Linux 2.4.18 (kernel/sys.c) • fsuid is 0 only if at least one of ruid, euid, suid is 0 • Security motivation • Root privilege in fsuid is automatically dropped when it is dropped from ruid, euid, suid • Ensures that an fsuid-unaware application can safely drop root privilege in fsuid
Detect Inconsistencies in OS Kernel (contd.) • A bug in Linux kernels <= 2.4.18 breaks the invariant • The bug is in setresuid() • We found the bug using the formal model • Our patch was applied to kernel 2.4.19 • Lessons • Security design is difficult to get right • Formal models are very useful in verifying security models
Check Proper Usage of the Setuid API in Programs • Questions • Can a setuid API call fail in this program? • Can this program fail to drop privilege? • Which parts of this program run with privilege? • Approach • Model checking security properties in programs using the FSA of the setuid API • Results • Found known setuid bugs in sendmail 8.10.1 and 8.12.0
Guidelines • Use setresuid where available • Explicit, clear semantics • Transactional(vs. setuid which is not transactional) • Obey the proper order of API calls • Drop group privileges before user privileges
Guidelines (contd.) • Check for errors • Check return code • Verify user IDs are as expected after API calls (because some calls are not transactional) • Verify failures • How to permanently drop privileges confidently? 1. Drop privilege 2. Try to regain privilege 3. Ensure that Step 2 fails
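The two guideline slides above, carried through as one routine. This is an added example, not code from the paper or its authors: it uses setresuid/setresgid (explicit, transactional), drops group privileges before user privileges, checks every return code, reads the ids back with getresuid/getresgid rather than trusting the calls, and then tries to take root back and treats success as a failure to drop. It assumes Linux (the setgroups signature and the explicit prototypes are glibc's); the enum, function and error names are the example's own, and the uid/gid 65534 in main is a constructed placeholder target.

```c
#define _GNU_SOURCE            /* setresuid/getresuid on glibc */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Explicit prototypes (glibc signatures) so the block builds even when
 * _GNU_SOURCE is not in effect. */
int setresuid(uid_t ruid, uid_t euid, uid_t suid);
int setresgid(gid_t rgid, gid_t egid, gid_t sgid);
int getresuid(uid_t *ruid, uid_t *euid, uid_t *suid);
int getresgid(gid_t *rgid, gid_t *egid, gid_t *sgid);
int setgroups(size_t size, const gid_t *list);

enum drop_result {
    DROP_OK = 0,
    DROP_ERR_GROUPS,   /* could not clear supplementary groups */
    DROP_ERR_GID,      /* setresgid failed */
    DROP_ERR_UID,      /* setresuid failed */
    DROP_ERR_VERIFY,   /* ids read back are not the ones requested */
    DROP_ERR_REGAIN    /* regaining root succeeded: privilege was NOT dropped */
};

/* Permanently switch to uid/gid, following the slides' order and checks. */
int drop_privileges_permanently(uid_t uid, gid_t gid) {
    uid_t ru, eu, su;
    gid_t rg, eg, sg;

    /* Step 1: drop privilege. Groups first: supplementary groups can only be
     * cleared while still root, and setresgid would fail once euid != 0. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return DROP_ERR_GROUPS;
    if (setresgid(gid, gid, gid) != 0) return DROP_ERR_GID;
    /* setresuid sets all three user IDs in one transactional call. */
    if (setresuid(uid, uid, uid) != 0) return DROP_ERR_UID;

    /* Check return codes was not enough on its own: read the ids back and
     * verify they are what was asked for. */
    if (getresuid(&ru, &eu, &su) != 0 || ru != uid || eu != uid || su != uid)
        return DROP_ERR_VERIFY;
    if (getresgid(&rg, &eg, &sg) != 0 || rg != gid || eg != gid || sg != gid)
        return DROP_ERR_VERIFY;

    /* Steps 2 and 3: try to regain privilege and insist that it fails.
     * With no root id left in (ruid, euid, suid) the kernel must refuse. */
    if (uid != 0 && setresuid((uid_t)-1, 0, (uid_t)-1) == 0) return DROP_ERR_REGAIN;
    if (gid != 0 && setresgid((gid_t)-1, 0, (gid_t)-1) == 0) return DROP_ERR_REGAIN;
    return DROP_OK;
}

/* Human-readable name for a drop_result value. */
const char *drop_result_str(int r) {
    switch (r) {
    case DROP_OK:         return "privileges dropped and verified";
    case DROP_ERR_GROUPS: return "setgroups failed";
    case DROP_ERR_GID:    return "setresgid failed";
    case DROP_ERR_UID:    return "setresuid failed";
    case DROP_ERR_VERIFY: return "ids after the calls are not as expected";
    case DROP_ERR_REGAIN: return "root could be regained: drop did NOT stick";
    default:              return "unknown result";
    }
}

int main(void) {
    /* Constructed target: 65534 (commonly 'nobody') when run as root; when run
     * unprivileged, "drop" to the ids we already have, which still exercises
     * every check and the regain test. */
    uid_t uid = geteuid() == 0 ? (uid_t)65534 : getuid();
    gid_t gid = geteuid() == 0 ? (gid_t)65534 : getgid();
    int r = drop_privileges_permanently(uid, gid);
    int saved = errno;
    printf("%s (uid=%u gid=%u)\n", drop_result_str(r), (unsigned)uid, (unsigned)gid);
    if (r != DROP_OK && r != DROP_ERR_REGAIN && r != DROP_ERR_VERIFY)
        printf("  errno: %s\n", strerror(saved));
    return r == DROP_OK ? 0 : 1;
}
```

The regain probe is what turns the guideline into a test of the kernel rather than of the program's assumptions: on a kernel where setuid(x) only changed euid and left suid=0, Step 2 would succeed and the routine reports DROP_ERR_REGAIN instead of silently continuing with a privilege that can be taken back.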
Related Work • Unix man pages • Chris Torek and Casper Dik. Setuid Mess • Matt Bishop. How to write a setuid program • Timothy Levin, S. Padilla, Cynthia Irvine. A Formal Model for UNIX Setuid
Conclusion: Setuid Demystified • We’ve identified the precise semantics • Use an FSA model • Built the model automatically by state space exploration • Formal models revealed pitfalls and bugs • We discovered semantic pitfalls • We found new documentation errors • We detected the fsuid bug in the Linux kernel • We verified the proper use of setuid API in some programs • Follow our guidelines for the setuid API
Further Information http://www.cs.berkeley.edu/~hchen/research/setuid/