PoLPer: Process-Aware Restriction of Over-Privileged Setuid Calls - - PowerPoint PPT Presentation




SLIDE 1

PoLPer: Process-Aware Restriction of Over-Privileged Setuid Calls in Legacy Applications

Yuseok Jeon Junghwan Rhee Chung Hwan Kim Zhichun Li Mathias Payer Byoungyoung Lee Zhenyu Wu

SLIDE 2

Outline

  • Motivation
  • Background
  • PoLPer
  • Evaluation
  • Conclusion

SLIDE 3

Motivation

  • Setuid calls

    – Manage privileges
    – Key function for the principle of least privilege (PoLP)
    – Active target of attack

[Figure: an application issues r = setuid(0) and the kernel grants it privilege. Attacks aimed at this call: shell code, ROP attack, non-control data attack.]

SLIDE 4

Motivation

  • Previous solutions still have limitations

    Approach                              Limitation
    CFI                                   Does not detect data modification attacks
    DFI                                   High overhead
    System call context check             Over-approximated rule (only handles call and data contexts)
    Setuid semantic inconsistency check   Does not detect control flow hijacking and data modification attacks

CFI: control flow integrity DFI: data flow integrity

SLIDE 5

Outline

  • Motivation
  • Background
  • PoLPer
  • Evaluation
  • Conclusion

SLIDE 6

Principle of Least Privilege (PoLP)

  • Require minimal privileges
    – Minimized attack surface
    – Limited malware propagation
    – Better stability

  • Login programs and daemon launchers
    – Switch their IDs from root to the user ID
    – Setuid calls are used for this change of IDs

SLIDE 7

Setuid Family System Calls

  • Use three user IDs as parameters
    – Real user ID (real uid, or ruid)
    – Effective user ID (effective uid, or euid)
    – Saved user ID (saved uid, or suid)

  • User ID (4 types): setuid(), seteuid(), setreuid(), setresuid()

  • Group ID (4 types): setgid(), setegid(), setregid(), setresgid()

SLIDE 8

Outline

  • Motivation
  • Background
  • PoLPer
  • Evaluation
  • Conclusion

SLIDE 9

PoLPer

  • Focus on the process contexts of a setuid call
    – Extracts accurate context information
    – Enforces precise least privileges

  • We propose PoLPer
    – Identifies important process contexts
    – Implements an automated context extractor
    – Implements a run-time enforcer

SLIDE 10

PoLPer Overview

[Figure: PoLPer overview. The Context Analyzer runs static and dynamic analysis on the application binary and records the process contexts of its setuid calls (process hierarchy, call stack, and the parameter, e.g. setuid(0)). At run time the Context Enforcer in the kernel extracts the same contexts for each setuid call and compares them with the recorded profile: a matching call is allowed and succeeds, a mismatch is denied, logged, and fails.]

SLIDE 11

Process Hierarchy Context

  • Leverage different units of execution to decompose functionalities

[Figure: process hierarchy of program P1: the root process at depth 0 forks children at depth 1, which in turn fork processes at depth 2.]

SLIDE 12

Process Hierarchy Context

SUDO (sudo_askpass):

    static char *sudo_askpass() {
        static char buf[SUDO_MAX];
        ...
        if ((pid = fork()) == -1)
            ...
        if (pid == 0) {
            ...
            if (setgid(u_details.gid)) { ... }
            if (setuid(u_details.uid)) { ... }
            ...
            execl(askpass, ...);
            ...
        }
        ...
        (void) sigaction(SIGPIPE, &sa, ...);

SSHD (subprocess):

    pid_t subprocess() {
        FILE *f;
        ...
        switch ((pid = fork())) {
        case 0:
            ...
            if (setresgid(pw->pw_gid, ...)) { ... }
            if (setresuid(pw->pw_uid, ...)) { ... }
            ...
            execve(av[0], ...);
            _exit(127);
        ...
        default:
            break;
        }

  • Only child process can access setuid calls

SLIDE 13

Process Data Context

  • Need to handle various parameter setting patterns

    Case (1), constant:
        setuid(100);

    Case (2), variable:
        int K = 1000;
        setuid(K);

    Case (3), variable assigned on two paths:
        int K = 100;
        if (cond) K = 100; else K = 200;
        setuid(K);

    Case (4), variable passed across functions:
        Function Main:  int K = 100; A(K);
        Function A(K):  K = 200; B(K);
        Function B(K):  setuid(K);

    Case   Type       Value
    (1)    Constant   100
    (2)    Variable   1000
    (3)    Variable   100, 200
    (4)    Variable   200

  • Use backward data-flow analysis
  • Record together with the process hierarchy context

SLIDE 14

Process Call Context

  • Identify the code location of each setuid call
  • Dynamic analysis for high accuracy call context
  • Record together with the process hierarchy context

SLIDE 15

Run-time Enforcement

  • Use Kprobes, a kernel-based probing mechanism
    – Hooks on the entry points of setuid calls
    – Extracts process hierarchy, data, and call contexts
    – Compares with the profile that was previously extracted

[Figure: Run-time Enforcer in the kernel. A hook at the setuid entry point extracts the process hierarchy, data and call contexts of the calling process; the Call Context Checker and Data Context Checker compare them with the profile of the binary, and the call is allowed or denied.]
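As an added example (not code from the PoLPer paper or slides), the following Python models the enforcer's decision in user space: a profile of (program, syscall, hierarchy depth, call stack) contexts with their allowed data contexts, checked against constructed events modelled on the sudo case study. Every name, address-free call stack and uid value below is an assumption.

```python
# Added example (not PoLPer's own code): a user-space model of the run-time
# enforcer. A profile records, per program, the process contexts in which a
# setuid-family call was observed during analysis (hierarchy depth, call
# context) and the allowed parameter (data context). A call is allowed only
# if every context matches; anything else is denied.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

@dataclass(frozen=True)
class Context:
    program: str
    syscall: str                  # setuid, setgid, setresuid, ...
    depth: int                    # process hierarchy depth, 0 = root process
    call_stack: Tuple[str, ...]   # call context, innermost frame last

Profile = Dict[Context, FrozenSet[str]]   # context -> allowed data contexts

# Constructed profile modelled on the slides' sudo case study: only the
# forked child (depth 1) calls setuid, from sudo_askpass, with uid = getuid().
SUDO_PROFILE: Profile = {
    Context("sudo", "setuid", 1, ("main", "sudo_askpass")): frozenset({"getuid()"}),
}

def data_context(value: int, real_uid: int) -> str:
    """Map the concrete argument to the symbolic form the profile stores."""
    return "getuid()" if value == real_uid else str(value)

def enforce(profile: Profile, ctx: Context, value: int, real_uid: int) -> Tuple[str, str]:
    """Decide one setuid-family call; returns (decision, reason)."""
    allowed = profile.get(ctx)
    if allowed is None:
        return "DENY", "no profiled context: hierarchy depth or call stack mismatch"
    param = data_context(value, real_uid)
    if param not in allowed:
        return "DENY", f"parameter {param} outside data context {sorted(allowed)}"
    return "ALLOW", "matches profile"

ASKPASS = Context("sudo", "setuid", 1, ("main", "sudo_askpass"))

if __name__ == "__main__":
    # Constructed events: the profiled call, the case-study exploit that
    # overwrites ud.uid with 0, a parent-process call, and another call site.
    events = [
        ("benign drop to user", ASKPASS, 1000, 1000),
        ("exploit: ud.uid = 0", ASKPASS, 0, 1000),
        ("parent process, depth 0", Context("sudo", "setuid", 0, ASKPASS.call_stack), 1000, 1000),
        ("call from vfprintf", Context("sudo", "setuid", 1, ("main", "sudo_debug", "vfprintf")), 0, 1000),
    ]
    for name, ctx, value, uid in events:
        print(f"{name:26s} -> {enforce(SUDO_PROFILE, ctx, value, uid)}")
```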

SLIDE 16

Outline

  • Motivation
  • Background
  • PoLPer
  • Evaluation
  • Conclusion

SLIDE 17

More Accurate Rule Generation

    Programs       Hierarchy context disabled   Hierarchy context enabled   Rule cut (%)
    Ping           1                            1
    Sudo           352                          196                         44
    Xterm          576                          296                         49
    Cron           2                            2
    Telnet         4                            4
    Telnet-Login   6                            3                           50
    Login          4                            2                           50
    SSH & SCP      182                          88                          52
    WireShark      2                            2
    Apache         2                            2
    Nginx          2                            2

SLIDE 18

Micro-benchmark

[Plot: micro-benchmark. Verification time (µs, 10 to 90) versus call context number (1 to 1024), with one curve each for data context count 1, 2, 5 and 10.]

SLIDE 19

End-to-end Benchmarks

    Programs   Base (s)   PoLPer (s)   Setuid call (#)   Overhead (%)
    Ping       9.0019     9.0039       1                 0.02
    Nginx      11.522     11.539                         0.14
    Apache     18.250     18.286                         0.1
    Telnet     1.001      1.004        6                 0.29
    SCP        0.1656     0.1665       28                0.54

  • Show near zero overhead

SLIDE 20

Real-world Exploits

Exploit pattern: modify setuid parameters

    Vul. program   Exploit name (EDB)   Setuid syscall exploited   Detected by: PoLPer   CFI   NCI
    Sudo           N/A                  setuid                     √                     X     √
    Wu_ftpd        N/A                  seteuid                    √                     X     √

Exploit pattern: run setuid call to create a root shell

    Vul. program      Exploit name (EDB)   Setuid syscall exploited   Detected by: PoLPer   CFI   NCI
    Overlayfs         37292-2015           setresuid, setresgid       √                     √     X
    Overlayfs         39230-2016           setresuid                  √                     √     X
    Glibc             209-2000             setuid, setgid             √                     √     X
    Mkdir             20554-2001           setuid, setgid             √                     √     X
    KApplication      19981-2000           setuid, setregid           √                     √     X
    Suid_dumpable     2006-2006            setuid, setgid             √                     √     X
    Execve/ptrace     20720-2001           setuid                     √                     √     X
    Splitvt           20013-2000           setuid                     √                     √     X
    OpenMovieEditor   2338-2006            setuid, setgid             √                     √     X

CFI: control flow integrity NCI: non-control data integrity

SLIDE 21

Case Study: Sudo

  • Sudo code example

    struct user { uid_t uid; ... };
    struct user ud;
    ud.uid = getuid();
    // in sudo_debug()
    vfprintf(...);
    // in sudo_askpass()
    setuid(ud.uid);

    Depth: 1
    Priv. Op.: setuid
    Parameter: uid = getuid() (profile) vs. 0 (exploit)

    Call stack
    #    Offset              File           Function
    21   0x32 + 0xb75f7b44   ../libc.so.6
    20   0x8053080           ../bin/sudo    sudo_askpass
    ...
    1    0x8049dd1           ../bin/sudo

SLIDE 22

Outline

  • Motivation
  • Background
  • PoLPer
  • Evaluation
  • Conclusion

SLIDE 23

Conclusion

  • Extracts only the required contexts of setuid calls
  • Prevents setuid exploits with negligible overhead
  • Enforces PoLP using a combination of different process contexts

SLIDE 24

THANK YOU!

Q&A