1 / 21

Demystifying the Setuid API: A Formally Constructed Model

This study dissects the complex Setuid API, addressing semantic pitfalls and vulnerabilities in Unix systems. See how a Finite State Automaton model helps clarify and verify precise semantics. Find and address documentation errors and inconsistencies in different OS kernels for improved security in Unix programming.

jpankratz
Download Presentation

Demystifying the Setuid API: A Formally Constructed Model

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Setuid Demystified Hao Chen David Wagner UC Berkeley Drew Dean SRI International

  2. The Setuid API • User ID model: the basis for access control in Unix • Each process has three user IDs: • ruid: the real user ID • euid: the effective user ID • suid: the saved user ID • The setuid API offers these system calls: • setuid, seteuid, setreuid, setresuid

  3. The Mystery • Which user IDs does setuid(x) set? • FreeBSD: always ruid=euid=suid=x • Linux/Solaris: always euid=x, sometimes ruid=suid=x • Do these calls always succeed? • setuid ( geteuid ( ) ) • May fail in Linux and Solaris • seteuid ( geteuid ( ) ) • May fail in FreeBSD • setreuid ( geteuid ( ) , getuid ( ) ) • May fail in FreeBSD

  4. The Problems • Semantic mess • Design: confusing, surprising • Portability: semantic differences among OSs (e.g. Linux, Solaris, FreeBSD) • Documentation: incomplete, inaccurate, or incorrect • Reason: historical artifacts • Vulnerabilities • Sendmail 8.10.1 and 8.12.0, etc.

  5. Outline: Demystify the Setuid API • Identify the precise semantics • Use a formal model • Build the model automatically by state space exploration • Check for • Semantic pitfalls • Documentation errors • Inconsistency in OS kernels • Proper use of API calls in programs • Propose guidelines

  6. Formal Model of the Setuid API • Finite State Automaton (FSA) model • States: describing the user IDs of a process • Transitions: describing the semantics of the setuid API calls Abstraction 0: root uid 1: a non-root uid ruid=1 euid=1 suid=1 setuid(1) ruid=1 euid=0 suid=0 seteuid(0) ruid=1 euid=1 suid=0 seteuid(1)

  7. Construct the FSA • Challenge • Large number of transitions • Manual construction is laborious, error-prone • Solution • Automatic construction by a state space explorer: • Exhaustively makes all setuid API calls at each state of the FSA • Observes the resulting transitions

  8. ruid=0 euid=0 suid=0 ruid=1 euid=1 suid=1 ruid=0 euid=0 suid=1 setuid(1) ruid=0 euid=1 suid=0 setuid(0) ruid=1 euid=1 suid=0 setuid(1) seteuid(1) setuid(0) seteuid(0) ruid=0 euid=1 suid=1 ruid=1 euid=0 suid=1 ruid=1 euid=0 suid=0

  9. FSAs for setuid transitions Linux FreeBSD

  10. FSA for setresuid in Linux

  11. Benefits of Using Formal Model • Correctness • Intuition: the transitions in the FSA are observed from running programs • Efficiency • The FSA is constructed automatically by the explorer • Portability: the explorer is portable to • Different Unix systems • Different versions of kernels • Lots of applications!

  12. Find Documentation Errors • Incomplete man page • setuid(2) in Redhat Linux 7.2:fails to mention the Linux capabilities which affect how setuid() behaves • Wrong man pages • FreeBSD 4.4Unprivileged users may change the ruid to the euid and vice versa • Redhat Linux 7.2The setgid function checks the egid of the caller and if it is the superuser, … suid euid

  13. Detect Inconsistencies in OS Kernel • File system uid (fsuid) in Linux • Is used for filesystem permission checking • Normally follows euid • An invariant in Linux 2.4.18 (kernel/sys.c) • fsuid is 0 only if at least one of ruid, euid, suid is 0 • Security motivation • Root privilege in fsuid is automatically dropped when it is dropped from ruid, euid, suid • Ensures that an fsuid-unware application can safely drop root privilege in fsuid

  14. Detect Inconsistencies in OS Kernel (contd.) • A bug in Linux kernels <= 2.4.18 breaks the invariant • The bug is in setresuid() • We found the bug using the formal model • Our patch was applied to kernel 2.4.19 • Lessons • Security design is difficult to get right • Formal models are very useful in verifying security models

  15. Check Proper Usage of the Setuid API in Programs • Questions • Can a setuid API call fail in this program? • Can this program fail to drop privilege? • Which part of this program run with privilege? • Approach • Model checking security properties in programs using the FSA of the setuid API • Results • Found known setuid bugs in sendmail 8.10.1 and 8.12.0

  16. Guidelines • Use setresuid where available • Explicit, clear semantics • Transactional(vs. setuid which is not transactional) • Obey the proper order of API calls • Drop group privileges before user privileges

  17. Guidelines (contd.) • Check for errors • Check return code • Verify user IDs are as expected after API calls (because some calls are not transactional) • Verify failuresHow to permanently drop privileges confidently? • Drop privilege • Try to regain privilege • Ensure that Step 2 fails

  18. Related Work • Unix man pages • Chris Torek and Casper Dik. Setuid Mess • Matt Bishop. How to write a setuid program • Timothy Levin, S. Padilla, Cynthia Irvine.A Formal Model for UNIX Setuid

  19. Conclusion: Setuid Demystified • We’ve identified the precise semantics • Use an FSA model • Built the model automatically by state space exploration • Formal models revealed pitfalls and bugs • We discovered semantic pitfalls • We found new documentation errors • We detected the fsuid bug in the Linux kernel • We verified the proper use of setuid API in some programs • Follow our guidelines for the setuid API

  20. Further Information http://www.cs.berkeley.edu/~hchen/research/setuid/

  21. FSA for setreuid in Linux

More Related