Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Setuid Demystified Hao Chen David Wagner UC Berkeley Drew Dean SRI International Proceedings of the 11th USENIX Security Symposium San Francisco, California,

Published byBrittney McDaniel Modified over 8 years ago

Similar presentations

Presentation on theme: "1 Setuid Demystified Hao Chen David Wagner UC Berkeley Drew Dean SRI International Proceedings of the 11th USENIX Security Symposium San Francisco, California,"— Presentation transcript:

1 1 Setuid Demystified Hao Chen David Wagner UC Berkeley Drew Dean SRI International Proceedings of the 11th USENIX Security Symposium San Francisco, California, USA August 5-9, 2002

2 2 Outline Identified problems of SETUID –What is SETUID –SETUID mystery and problems Provided solution –Use a formal model –Build the model automatically by state space exploration Demonstrated Applications of FSA –Understanding semantics of security operation API precisely –Verifying Documentation –Detecting Inconsistency in OS kernels –Checking Proper use of API calls in programs Proposed guidelines

3 3 What is setuid Access control in Unix is based the User ID model Each process has 3 user Ids: –Real uid (ruid) –Effective uid (euid) –Saved uid (suid) Uid-setting system calls –setuid() seteuid() setreuid() setresuid()

4 4 Historical Artifacts Early Unix Two user IDs: ruid and euid. Only one system call : setuid Rules: System V Three user IDs: ruid, euid and suid Two system call: setuid and seteuid Rules: BSD Three user IDs: ruid, euid and suid System call: setuid, seteuid, and setreuid Rules: Modern Unix Three user IDs: ruid, euid and suid System call: setuid, seteuid, setreuid and setresuid Rules: Different system had different semantics !!!

5 5 The Problems Semantic mess –Design: confusing, surprising –Portability: semantic differences among OSs (e.g. Linux, Solaris, FreeBSD) –Documentation: incomplete, inaccurate, or incorrect

6 6 Objective Understanding the semantics of security operation API in OS precisely Verifying their documentations Detecting inconsistency in OS kernels Building security properties and checking them in programs automatically

7 7 Formal Model of the Setuid API Finite State Automaton (FSA) model –States: describing the user IDs of a process –Transitions: describing the semantics of the setuid API calls ruid=1 euid=0 suid=0 ruid=1 euid=1 suid=1 ruid=1 euid=1 suid=0 setuid(1) seteuid(1) seteuid(0) Abstraction 0: root uid 1: a non-root uid

8 8 Construct the FSA Challenge –Large number of transitions –Manual construction is laborious, error-prone Solution –Automatic construction by a state space explorer: Exhaustively makes all setuid API calls at each state of the FSA Observes the resulting transitions

9 9 Determine Transitions Automatically by Simulation Idea: Exhaustively make all system calls at each state For each state s=(ruid, euid, suid) where ruid, euid, suid  {0, uid 1, uid 2, …} For each system call c  {setuid(e), seteuid(e), setreuid(r,e), setresuid(r,e,s)} { Make the system call c in the state s Observe the ensuing state s’ Add the transition }

10 10 Linux FreeBSD FSAs for setuid transitions

11 11 FSA for setresuid in Linux

12 12 Benefits of Using Formal Model Correctness –Intuition: the transitions in the FSA are observed from running programs Efficiency –The FSA is constructed automatically by the explorer Portability: the explorer is portable to –Different Unix systems –Different versions of kernels Lots of applications!

13 13 Applications : Find Documentation Errors Incomplete man page –setuid(2) in Redhat Linux 7.2: fails to mention the Linux capabilities which affect how setuid() behaves Wrong man pages –FreeBSD 4.4 Unprivileged users may change the ruid to the euid and vice versa –Redhat Linux 7.2 The setgid function checks the egid of the caller and if it is the superuser, … suid euid

14 14 Applications : Detect Inconsistencies in OS Kernel File system uid (fsuid) in Linux –Is used for filesystem permission checking –Normally follows euid An invariant in Linux 2.4.18 ( kernel/sys.c ) –fsuid is 0 only if at least one of ruid, euid, suid is 0 Security motivation –Root privilege in fsuid is automatically dropped when it is dropped from ruid, euid, suid –Ensures that an fsuid-unware application can safely drop root privilege in fsuid

15 15 Applications : Detect Inconsistencies in OS Kernel (contd.) A bug in Linux kernels <= 2.4.18 breaks the invariant –The invariant is satisfied in setuid(), seteuid(), setreuid() –But it is broken in setresuid() – fsuid = 0 and ruid != 0, euid != 0, suid != 0 is reachable (figure2) The bug has been confirmed by Linux community

16 16 Check Proper Usage of the Setuid API in Programs Questions –Can a setuid API call fail in this program? –Can this program fail to drop privilege? –Which part of this program run with privilege? Approach –Model checking security properties in programs using the FSA of the setuid API Results –Found known setuid bugs in sendmail 8.10.1 and 8.12.0

17 17 A Vulnerability in Sendmail Due to A Misuse of setuid.

18 18 General Guidelines (1) Selecting an Appropriate System Call setresuid has a clear semantics and is able to set each user ID individually, it should always be used if available. Otherwise, to set only the effective uid, seteuid(new euid) should be used; to set all three user IDs, setreuid(new uid, new uid) should be used. setuid should be avoided because its overloaded semantics and inconsistent implementation in different Unix systems may cause confusion and security vulnerabilities for the unwary programmer.

19 19 General Guidelines (2) Obey the proper order of API calls –Drop group privileges before user privileges

20 20 General Guidelines (3) Verifying Proper Execution of System Calls Checking Return Codes Verifying User IDs Verifying Failures

21 21 An Improved API for Privilege Management – The API contains three functions: Drop_priv_temp(new uid): Drop privilege temporarily. Move the privileged user ID from the effective uid to the saved uid. Assign new uid to the effective uid. Drop_priv_perm(new uid): Drop privilege permanently. Restore_priv: Restore privilege. –Beneficial properties It does not affect the real uid. It guarantees that all transitions in Figure 13 succeed. It verifies that the user IDs are as expected after each uid-setting system call.

22 22 Conclusion Identified the precise semantics –Use an FSA model –Built the model automatically by state space exploration Formal models revealed pitfalls and bugs –Discovered semantic pitfalls –Found new documentation errors –Detected the fsuid bug in the Linux kernel –Verified the proper use of setuid API in some programs ( sendmail 8.10.1 and 8.12.0 ) Proposed guidelines for the setuid API

Download ppt "1 Setuid Demystified Hao Chen David Wagner UC Berkeley Drew Dean SRI International Proceedings of the 11th USENIX Security Symposium San Francisco, California,"

Similar presentations

Introducing Formal Methods, Module 1, Version 1.1, Oct., 1998 1 Formal Specification and Analytical Verification L 5.

Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
P5, M1, D1.

P5, M1, D1.
Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.

Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.
API Design CPSC 315 – Programming Studio Fall 2008 Follows Kernighan and Pike, The Practice of Programming and Joshua Bloch’s Library-Centric Software.

API Design CPSC 315 – Programming Studio Fall 2008 Follows Kernighan and Pike, The Practice of Programming and Joshua Bloch’s Library-Centric Software.
CS5261 Information Security CS 526 Topic 8: Operating Systems Security Basics & Unix Access Control Topic 8: Operating System Security Basics.

CS5261 Information Security CS 526 Topic 8: Operating Systems Security Basics & Unix Access Control Topic 8: Operating System Security Basics.
CS252: Systems Programming Ninghui Li Based on Slides by Prof. Gustavo Rodriguez-Rivera Topic 17: Signals, Process Credentials.

CS252: Systems Programming Ninghui Li Based on Slides by Prof. Gustavo Rodriguez-Rivera Topic 17: Signals, Process Credentials.
Chapter 6: Design of Expert Systems

Chapter 6: Design of Expert Systems
© 2003 School of Computing, University of Leeds SY32 Secure Computing, Lecture 15 Implementation Flaws Part 3: Randomness and Timing Issues.

© 2003 School of Computing, University of Leeds SY32 Secure Computing, Lecture 15 Implementation Flaws Part 3: Randomness and Timing Issues.
1 Property 3: standard file descriptors vulnerability attack.c at.c Standard File Descriptors 0:stdin 1:stdout 2:stderr close(1); close(2); execl(“at”,

1 Property 3: standard file descriptors vulnerability attack.c at.c Standard File Descriptors 0:stdin 1:stdout 2:stderr close(1); close(2); execl(“at”,
Setuid Demystified (and how it may relate to stored procedure authorizations) Mahesh.

Setuid Demystified (and how it may relate to stored procedure authorizations) Mahesh.
MOPS MOdelchecking Security Properties David Wagner U.C. Berkeley.

MOPS MOdelchecking Security Properties David Wagner U.C. Berkeley.
Software Security David Wagner University of California at Berkeley.

Software Security David Wagner University of California at Berkeley.
SE 555 Software Requirements & Specification Requirements Validation.

SE 555 Software Requirements & Specification Requirements Validation.
1 Model Checking One Million Lines of C Code Hao Chen Drew Dean (SRI International) David Wagner with David Schultz, Geoff Morrison, Ben Schwarz Jacob.

1 Model Checking One Million Lines of C Code Hao Chen Drew Dean (SRI International) David Wagner with David Schultz, Geoff Morrison, Ben Schwarz Jacob.
1 setuid Demystified -- Examining the API of Security Operation in OS using Formal Models Hao Chen, David Wagner UC Berkeley Drew Dean SRI International.

1 setuid Demystified -- Examining the API of Security Operation in OS using Formal Models Hao Chen, David Wagner UC Berkeley Drew Dean SRI International.
Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition Chapter 2: Operating-System Structures Modified from the text book.

Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition Chapter 2: Operating-System Structures Modified from the text book.
Formal verification Marco A. Peña Universitat Politècnica de Catalunya.

Formal verification Marco A. Peña Universitat Politècnica de Catalunya.
C. Edward Chow Presented by Mousa Alhazzazi C. Edward Chow Presented by Mousa Alhazzazi Design Principles for Secure.

C. Edward Chow Presented by Mousa Alhazzazi C. Edward Chow Presented by Mousa Alhazzazi Design Principles for Secure.
CMSC 414 Computer and Network Security Lecture 18 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 18 Jonathan Katz.
The Impact of Programming Language Theory on Computer Security Drew Dean Computer Science Laboratory SRI International.

The Impact of Programming Language Theory on Computer Security Drew Dean Computer Science Laboratory SRI International.

Similar presentations

Ads by Google