1 A Black-Box Tracing Technique to Identify Causes of Least-Privilege Incompatibilities
Shuo Chen, John Dunagan, Chad Verbowski and Yi-Min Wang
NDSS 2005, San Diego, California, Feb. 4, 2005

2 The Problem
Principle of Least Privilege
– Software should run only with the privileges necessary to accomplish the task.
Reality of Windows systems
– Most users run all the time as members of the Administrators group (a.k.a. Admins; the equivalent of root in UNIX).
– Security threats increase: a compromise of a user application becomes a system compromise. E.g., a buffer overflow in Instant Messenger.
– Many Windows applications require admin privileges when they shouldn't (least-privilege incompatibility, or LPI).

3 Least Privilege Incompatible Apps
Bob the Builder (a kids' game)
Windows Clock/Calendar

4 Least Privilege Incompatible Apps
RAS, a Virtual Private Network (VPN) software
RAZZLE (the build environment for many Microsoft products)

5 Least Privilege Incompatible Apps
TurboTax
Microsoft Greetings
Diablo II ("Unable to detect the Play Disc?")
A Microsoft Knowledge Base article reports 188 least-privilege incompatible applications.

6 Project Goal
Develop a tracer…
– to identify the causes of LPIs…
– …so that they can be more easily fixed by developers or sysadmins.
– Provide enough clues to make a hard problem easy.
Address developers' challenges
– It is impractical to get deep insight into the entire code base of a commercial software product. The tracer should pinpoint the failing code.
– Libraries encapsulate the system calls that invoke security checks, and most libraries are in binary form. The tracer should identify low-level security failures, not opaque library failures.
– Applications can have many LPIs. The tracer should minimize the number of test runs needed to fix all of them.
Also helps sysadmins! In many cases, LPIs can be mitigated through harmless system policy changes.
– E.g., change the Access Control List (ACL) of files and registry keys.

7 Windows Security Subsystem
Data structure: token (security context)
Complete set of checking functions in the security subsystem
– SID-Compare: can be used to check "Am I an admin?"
– Access-Check / Reference-Object: do I have the permissions to open an object handle / to perform operations on an opened handle?
– Adjust-Privilege / Privilege-Check: do I have the permissions to perform this operation that is not associated with an individual object (e.g., shut down the system)?
Why not just monitor at the syscall level?
– The system call interface is enormous.
– Syscalls can be stateful; the security subsystem is stateless (a crucial ingredient in noise filtering).

8 Overview of the Tracing Technique
Tracing mode: run the app with Admin privileges; start tracing … stop tracing; the output is a log of possible causes of least-privilege incompatibilities.
– Security Check Monitor and Noise Filter (tracing mode): intercept every security check call and determine whether it succeeds but would fail if a non-admin invoked it. Uses the statelessness of the security subsystem.
– Security check event logger.
Validation mode: run the app without Admin privileges; start validation … stop validation.
– Security Check Monitor and Noise Filter (validation mode): deliberately make a subset of the logged security checks succeed when they normally would fail.

9 Evaluations with Real Examples
The goal of the evaluation is to demonstrate that…
– the tracer makes LPIs easy to understand;
– fixing the LPIs becomes substantially easier;
– most LPIs are simply bugs.
Bottom line: the LPI problem is solvable.

10 Case 1: Bob The Builder
Third-party application. Error message: "Unable to perform the operation because of insufficient privilege." Which operation? Why does it require admin privileges?
Tracing
– 4002 security checks were performed against the user token; 884 checks failed; 899 checks would fail if they were performed by non-admin users.
– The log contains only 899 – 884 = 15 entries, among which only 5 entries are distinct.

11 Log entries for Case 1 (run as non-admin)
Type of Check | Process Image | Object Name | Desired Access | Granted Access | Max access for regular users
(The Desired Access and Granted Access values did not survive extraction; only "0x" remains where they stood.)
Reference-Object | Automenu | \REGISTRY\HKEY_LOCAL_MACHINE\SOFTWARE\BBC Multimedia\Bob the Builder\ | x000020xf003f0x (three access values run together in the extraction)
Access-Check | explorer | \Program Files\THQ\Bob the Builder\StartBTB.exe | 0x | 0x | 0x1200a9
Access-Check | explorer | \WINDOWS\explorer.exe | 0x | 0x | 0x1200a9
Access-Check | explorer | \WINDOWS\system32\mydocs.dll | 0x | 0x | 0x1200a9
Access-Check | explorer | \WINDOWS\system32\shell32.dll | 0x | 0x | 0x1200a9
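The noise filter sketched on slide 8, applied to log records with the fields of the table above, as an added Python example that is not part of the original presentation or of the authors' tracer. It models each security check by constructed desired, granted and maximum-regular-user access masks, keeps only the checks that pass for an administrator but would fail for a regular user, collapses duplicate entries, and simulates the validation mode in which selected logged checks are forced to succeed.

```python
from collections import Counter
from dataclasses import dataclass

# Win32 access-mask constants; the "max access for regular users" values in
# the sample below are constructed for illustration, not measured on a system.
KEY_SET_VALUE, KEY_READ, KEY_ALL_ACCESS = 0x2, 0x20019, 0xF003F
FILE_GENERIC_READ, FILE_READ_EXECUTE = 0x120089, 0x1200A9

@dataclass(frozen=True)
class Check:
    kind: str         # Access-Check, Reference-Object, SID-Compare, Adjust-Privilege
    process: str      # image name of the calling process
    obj: str          # object name, group SID or privilege name
    desired: int      # access requested (modelled as 1 for SID/privilege checks)
    granted: int      # access the admin token actually received
    max_regular: int  # the most a regular-user token could receive

def succeeded_as_admin(c: Check) -> bool:
    return c.desired & ~c.granted == 0          # every desired bit was granted

def would_fail_as_regular(c: Check) -> bool:
    return c.desired & ~c.max_regular != 0      # some desired bit is unavailable

def trace(checks):
    """Tracing mode: the app runs as admin; log only checks that passed but
    would not pass for a regular user. Each check is judged on its own masks
    (the security subsystem is stateless), so one run collects every cause."""
    return [c for c in checks if succeeded_as_admin(c) and would_fail_as_regular(c)]

def distinct(logged):
    """Collapse repeated identical entries (cf. 15 log entries, 5 distinct)."""
    return Counter(logged)

def validate(logged, force_success):
    """Validation mode: the app runs as a regular user while the checks keyed in
    force_success are deliberately allowed; return the checks that still fail."""
    return [c for c in logged if (c.kind, c.process, c.obj) not in force_success]

BTB_KEY = r"\REGISTRY\HKEY_LOCAL_MACHINE\SOFTWARE\BBC Multimedia\Bob the Builder"
SAMPLE = [  # constructed events, loosely modelled on the cases in the slides
    Check("Access-Check", "explorer", r"\WINDOWS\explorer.exe", 0x20, 0x20, FILE_READ_EXECUTE),
    Check("Reference-Object", "Automenu", BTB_KEY, KEY_SET_VALUE, KEY_ALL_ACCESS, KEY_READ),
    Check("Reference-Object", "Automenu", BTB_KEY, KEY_SET_VALUE, KEY_ALL_ACCESS, KEY_READ),
    Check("Access-Check", "Game.exe", r"\Device\CdRom0", FILE_GENERIC_READ, FILE_GENERIC_READ, 0x100080),
    Check("SID-Compare", "TurboTax", "Administrators group SID", 1, 1, 0),
    Check("Access-Check", "explorer", r"\missing.dll", 0x2, 0x0, 0x0),  # denied even as admin: noise
]

if __name__ == "__main__":
    log = trace(SAMPLE)
    print(f"{len(SAMPLE)} checks, {len(log)} logged, {len(distinct(log))} distinct")
    print([(c.kind, c.obj) for c in validate(log, {("Access-Check", "Game.exe", r"\Device\CdRom0")})])
```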

12 Case 2: RAS (Remote Access Service)
RAS sets up a Virtual Private Network (VPN) to connect to the corporate network.
Least-privilege incompatibility encountered.
The tracer logged 7 entries out of 2566 security checks on the user token.
The cause (one of the 7 logged entries) hides deep in the call stack. Not intuitive:
– The RAS process → Get_EnumEveryConnection in HNETCFG.dll (Home Networking Configuration Manager) → CheckTokenMembership in ADVAPI32.dll → Access-Check in the kernel
Developers' response: RAS needs to migrate existing connections to the VPN, and the only API for enumerating network connections is Get_EnumEveryConnection, which is privileged.
Solution: RAS should only migrate the current user's connections.

13 Case 3: Microsoft Greetings
Checks performed for user permissions; 37 entries in the log.
Encountered 5 LPIs along the code path:
– 1 due to SID-Compare
– 1 due to \Program Files\Microsoft Picture It! PhotoPub\pidocob.dll
– 3 due to \REGISTRY\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Picture It!\*
Strength of the tracing technique: logging all causes requires only one test run.

14 Increasingly Obscure Error Messages
(Screenshots of the error dialogs shown after removing the first LPI, after removing the second LPI, and after removing the other 3 LPIs.)

15 Case 4: Diablo II
1573 checks on the user token; 3 entries in the log.
Misleading error message (as if there were no disc in the CD drive).
Only one entry concerns the CD-ROM: Game.exe checks access to \Device\CdRom0.
Make the Access-Check on \Device\CdRom0 succeed.

16 Other Example Applications
Windows Clock/Calendar
– rundll32.exe fails to enable the SystemTime privilege (Adjust-Privilege).
Windows Power Options
– Access-Check failure on the registry key \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\PowerCfg
TurboTax
– TurboTax checks Administrators group membership by SID-Compare.
Razzle (a build environment tool)
– Access-Check failure on the root directory of the source code.

17 Summary
We validated the effectiveness of the tracing technique on many real applications.
– The applications span a variety of user types.
– The applications exhibit a variety of reasons for their LPIs.
– Our technique catches all causes of LPIs on exercised code paths. As a dynamic tracing technique, it cannot identify LPIs on code paths that are not exercised.
Fixing or mitigating LPIs becomes significantly easier.

18 Future Directions
Usability enhancements
– A driver instead of a modified kernel
– Automatically set breakpoints at the security checks responsible for least-privilege incompatibilities (integrated in debuggers)
– A configuration utility for sysadmins
Further research on permission failures
– Security failures involving networked applications
– Apply the techniques to other OS platforms?