MR201404 building secure linux application with privilege separation

739 views
593 views

Published on

• Privilege separation limits incursion into your application
• Show key technology of privilege separation as follows:
– Process dividing
– Process sandboxing
– Inter-process communications
• Seccomp Mode 2 is state-of-the-art of Linux sandboxing
• Some security-critical open source software has been armed process diving and sandboxing
• Privilege separation increases security, but a development cost increase again

Published in: Technology
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
739
On SlideShare
0
From Embeds
0
Number of Embeds
13
Actions
Shares
0
Downloads
11
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

MR201404 building secure linux application with privilege separation

  1. 1. FFRI,Inc. 1 Monthly Research Building Secure Linux Application With Privilege Separation FFRI, Inc http://www.ffri.jp Ver 1.00.02
  2. 2. FFRI,Inc. 2 Background • Privilege separation is a key technology to achieve “Principle of least privilege” • In secure programming: – Privilege separated application limits an impact of a vulnerability – Real world application • tcpdump, vsftpd, OpenSSH, Google Chrome
  3. 3. FFRI,Inc. 3 Privilege Separation • A design of secure application architecture – Dividing execution units and minimizing privilege each process – Attacker obtains only few privileges even if the exploit is successful • Merit of privilege separated server application – Strong user isolation in multi-user service – Limited intruder hostile action on internet services • Merit of privilege separated client application – Secure execution environments for untrusted remote script like javascript • e.g. Web browser needs a lot of privileges while running untrusted remote script
  4. 4. FFRI,Inc. 4 Key Technology • Process dividing – Dividing a process into some processes • Process sandboxing – Granting least privilege to each process • Inter-process communication(IPC) – For inter-communication between divided processes – In Linux: Pipe, POSIX Shared memory, Unix domain socket…
  5. 5. FFRI,Inc. Process Dividing • To separate between privilege required processing(like process management) and sensitive processing – Divided processes communicate using IPC 5 Worker process Master Process Communication with pipes, shared memory, unix domain socket… Process Ambient authority: the process may read, write, fork… Sensitive processing Privilege required processing Privilege required processing Sensitive processing Process Dividing
  6. 6. FFRI,Inc. Example: OpenSSH • OpenSSH daemon spawns privileged worker process per session – Authentication processing and authenticated user processing execute in the non-privilege process 6 Daemon Process Pre-authenticate Process (no-privilege) User Owned sshd Process (user privilege) Privileged Monitor Process Unauthorized client Privileged Monitor Process Authorized client Sandboxed processes Worker processes The master process Spawn each connection Spawn with specific processing
  7. 7. FFRI,Inc. Sandboxing on Linux • Access Control based sandboxing – Using Discretionary Access Control(DAC) • UID, Permissions – Using Mandatory Accesss Control(MAC) • SELinux, AppArmor – Using Namespace • Chroot • Capability based sandboxing – Linux kernel capabilities(based on POSIX Capability) – Linux secure computing mode • State-of-the-art of sandboxing on Linux 7
  8. 8. FFRI,Inc. Linux Secure Computing Mode(seccomp) • Secure computing mode process renounces execution privileges of system calls – Developer has to concern themselves about “least privilege” design • Seccomp Mode 1 (Available since Linux 2.6.12~) – Mode 1 permits only read(), write(), exit(), sigreturn() • Seccomp Mode 2 (Available since Linux 3.5~) – Mode 2 can configures permit/denied system calls 8
  9. 9. FFRI,Inc. 9 Seccomp Mode 2(a.k.a. Seccomp-bpf) • Seccomp Mode 2 filtered out violated system calls at system call execution – Kernel calls bpf(Berkeley packet filter) backend with translated bpf filter program – Seccomp Mode 2 configuration forces developer to describe bpf-program __NR_read Bpf Bpf program BPF_STMT(BPF_LD+BPF_W+BPF_ABS, arch_nr), BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_NR, 1, 0) BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL) … BPF_DATA struct seccomp_data sd { .nr = 0x63; // __NR_Read .arch = 0x40000003; //i386 … } Kernel space User space read() Return error if filtered out by bpf Execute allowed system call only
  10. 10. FFRI,Inc. 10 Case study • tcpdump – Reducing own privilege • the process not divided • vsftpd – Restricted accounts in multi-user services • Google Chrome – Running script engine with untrusted code
  11. 11. FFRI,Inc. tcpdump • tcpdump dropped own privileges before actual packet filtering • Sandboxing is achieved due to change own user from privileged to non-privileged user 11 ./tcpdump Capturing & filtering (sandboxed) Chroot() Initializing
  12. 12. FFRI,Inc. vsftpd • Remote user restricted action with own privilege – If user needs privilege action, child process calls privileged process's function – Reinforcing sandbox with Seccomp Mode 2 since version 3.0.0 12 Vsftpd Daemon Child process (unprivileged) Dropping almost capabilities and restricting system calls Fork() per session Requesting privileged operations - Login - Chown() - New socket
  13. 13. FFRI,Inc. Google Chrome 13 Browser Process Renderer Process (sandboxed) GPU Process (sandboxed) Renderer Process (sandboxed) • Renderer separates main process and its sandboxing – Because renderer executes untrusted remote script IPC
  14. 14. FFRI,Inc. Suitable a part of program for privilege separation • Parser with untrusted data – e.g. Packet filtering • Interpreter with untrusted code – e.g. javascript engine • Authentication processing on multi-user service 14
  15. 15. FFRI,Inc. Concerns • Increase complexity of source code by process dividing • Decrease portability by sandboxing – A number of privilege separation related component depends on OS environment • Process management, DAC/MAC, capabilities, IPCs.. • Deteriorate memory space effectiveness – Divided processes consume memory larger than a single process application 15
  16. 16. FFRI,Inc. Conclusion • Privilege separation limits incursion into your application • Show key technology of privilege separation as follows: – Process dividing – Process sandboxing – Inter-process communications • Seccomp Mode 2 is state-of-the-art of Linux sandboxing • Some security-critical open source software has been armed process diving and sandboxing • Privilege separation increases security, but a development cost increase again 16
  17. 17. FFRI,Inc. References • Syscall Filters https://fedoraproject.org/wiki/Features/Syscall_Filters • The Chromium Projects: Design documents http://dev.chromium.org/developers/design-documents/ • Using simple seccomp filters http://outflux.net/teach-seccomp/ • Vsftpd https://security.appspot.com/vsftpd.html • OpenSSH http://www.openssh.com/ • Preventing Privilege Escalation[Niels Provos et al, USENIX Security 2003] http://niels.xtdnet.nl/papers/privsep.pdf • Capsicum[Robert R.M.W et al, USENIX Security 2010] http://static.usenix.org/event/sec10/tech/full_papers/Watson.pdf 17
  18. 18. FFRI,Inc. Contact Information E-Mail : research—feedback@ffri.jp Twitter: @FFRI_Research 18

×