Enhancements to the Linux Kernel for Blocking Buffer Overflow Based Attacks
Massimo BernaschiEmanuele Gabrielli
Luigi V. Mancini
Outline Introduction Problem analysis The Access Control Database The reference functions Performance Conclusion
Introduction Approach
Require minimal additions to the kernel code
No changes to syntax and semantics
No modifications of existing kernel data structures and algorithms
No change in application source code; no special compiling procedure is required
Introduction (Cont.) Access Control Database (ACD)
To reduce the cost of the checks, a detailed analysis of privileged applications and system calls is carried out.
Buffer overflow: executes injected (fake) instructions
Protection against buffer overflow
Problem analysis Privileged Process System calls analysis
Privileged processes Interactive
Real user identifier (UID), effective user identifier (EUID)
System administrator = (both UID and EUID == 0)
Prevent privileged processes from migrating to this category
Privileged processes ( Cont. ) Background
Such as a daemon or the cron daemon
!((proc)->euid) && ((proc)->tty==NULL)
First check: euid == 0
Second check: tty == NULL, because a daemon needs no controlling terminal
Block any attempt made by these processes to re-acquire a controlling terminal
Privileged processes ( Cont. ) Setuid
The effective UID of the process is set equal to the UID of the program file owner
!((proc)->euid)&&(proc)->uid
A process can be identified as setuid to root (EUID == 0 while the real UID is non-zero, as the expression shows)
System calls analysis
System calls analysis ( Cont. )
The Access Control Database
The Access Control Database
execve_acd is composed of two arrays of eflst_t structures:
admitted: only the privileged programs listed in this list may be executed
failure: keeps a log of unauthorized attempts to invoke execve by any setuid process
The Access Control Database
Add a new system call, sys_setuid_aclm, for reading and modifying the information kept in the ACD
A command, aclmng, manages the information kept in the ACD:
-l list the contents of the ACD kept in kernel space
-L load the ACD from a file into kernel space
-w write the ACD from kernel space into a file
By default, with no options, -l is assumed
The reference functions execve setuid chmod
Execve
Execve ( Cont. )
check_rootproc() returns EXENA or EFNA
EXENA: the program executed by this process is not listed in the ACD
EFNA: the file fails ACD authentication, e.g. its modification date and time do not match
Check_rootproc()
Setuid
If setuid(0) is invoked, the correct root password kept in the ACD must be typed
If it does not match, the invocation is denied
chmod
chmod +s -p /program1 /program2 foo
Allows the setuid program foo to execute program1 and program2
Checks that the filename is kept in the ACD
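The privileged-process classes and the execve reference check from the slides above, modelled together as an added example (not the paper's kernel code); proc_t, eflst_t, the caller/target/mtime fields and the sample ACD entries are assumptions made here.

```c
#include <stddef.h>
#include <string.h>
#include <time.h>

/* Minimal model of the checks in the slides (added example, not the paper's code).
 * proc_t and eflst_t are assumed layouts; only uid/euid/tty and the ACD fields matter. */
typedef struct { unsigned uid, euid; const char *tty; } proc_t;
typedef struct { const char *caller; const char *target; time_t mtime; } eflst_t;

enum proc_class { NOT_PRIVILEGED, ROOT_INTERACTIVE, ROOT_BACKGROUND, SETUID_ROOT };
#define EXENA 1 /* program not listed in the ACD for this process */
#define EFNA  2 /* file fails ACD authentication, e.g. modification time mismatch */

/* Classify with the slides' expressions; setuid is tested first so a setuid-root
 * program without a controlling terminal is not mistaken for a daemon. */
enum proc_class classify(const proc_t *p) {
    if (p->euid != 0) return NOT_PRIVILEGED;
    if (p->uid != 0) return SETUID_ROOT;        /* !euid && uid           */
    if (p->tty == NULL) return ROOT_BACKGROUND; /* !euid && tty == NULL   */
    return ROOT_INTERACTIVE;                    /* uid == 0 && euid == 0  */
}

/* Background root processes must not re-acquire a controlling terminal. */
int may_acquire_tty(const proc_t *p) { return classify(p) != ROOT_BACKGROUND; }

/* Constructed sample ACD: what 'chmod +s -p /program1 /program2 foo' would admit. */
static const eflst_t admitted[] = {
    { "/usr/bin/foo", "/bin/program1", (time_t)1000000000 },
    { "/usr/bin/foo", "/bin/program2", (time_t)1000000000 },
};
static int failure_count = 0; /* stands in for the 'failure' log array */

/* execve reference check: 0 = allowed, EXENA or EFNA = denied and logged. */
int check_rootproc(const proc_t *p, const char *caller, const char *target, time_t mtime) {
    if (classify(p) == NOT_PRIVILEGED) return 0; /* unprivileged processes are unaffected */
    for (size_t i = 0; i < sizeof admitted / sizeof admitted[0]; i++) {
        if (strcmp(admitted[i].caller, caller) || strcmp(admitted[i].target, target)) continue;
        if (admitted[i].mtime != mtime) { failure_count++; return EFNA; }
        return 0;
    }
    failure_count++;
    return EXENA;
}
```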
Performance
Pentium II, 128 MB RAM, Linux kernel 2.2.12
Each measurement repeated 40 times
Sendmail, lpr, rsync, X server
Performance ( Cont )
Conclusion
Advantages:
One more layer of protection, so more secure
Done in the kernel, so execution speed is good
Disadvantages:
Requires modifying the kernel, but kernel versions keep changing
The mechanism is not robust enough (an impression; no concrete example was actually worked out)