Enhancements to the Linux Kernel for Blocking Buffer Overflow Based Attacks

Massimo BernaschiEmanuele Gabrielli

Luigi V. Mancini

Outline Introduction Problem analysis The Access Control Database The reference functions Performance Conclusion

Introduction Approach

Require minimal additions to the kernel code

Neither changes to the syntax and semantics

Neither modifications of existing kernel data structures and algorithm

No change in source code No special compiling procedure is

required

Introduction (Cont.) Access Control Database (ACD)

To reduce the cost of the checks A detailed analysis of privileged

applications and system calls is carried out.

Buffer Overflow Execute fake instruction

Protection against buffer overflow

Problem analysis Privileged Process System calls analysis

Privileged processes Interactive

Real user identifer ( UID ) Effective user identifer ( EUID ) System Administrator = ( both UID and E

UID == 0 ) Prevent privileged process from migratin

g to this category

Privileged processes ( Cont. ) Background

Like daemon or cron daemon !((proc)->euid) && ((proc)->tty==NULL) First check if euid == 0 Second check if tty == NULL, because dae

mon need not control terminal Block any attempt made by there proces

ses to re-acquire a control terminal

Privileged processes ( Cont. ) Setuid

The effective UID of the process is set equal to the UID of the program file owner

!((proc)->euid)&&(proc)->uid A process can be identified as setuid to ro

ot ( EUID == 0 )

System calls analysis

System calls analysis ( Cont. )

System calls analysis ( Cont. )

The Access Control Database

The Access Control Database

The Access Control Database execve_acd is composed by two array

of eflst_t structures: admitted:只有列在此 list 中的特權程式才可被執行

failure:keeps a log of unauthorized attempts of invoking execve by any setuid process.

The Access Control Database

The Access Control Database Add a new system call sys_setuid_aclm for r

eading and modifying the information kept in the ACD

Through a command aclmng to manage information kept in the ACD -l list the contents of ACD kept in kernel space -L load in kernel space the ACD from file -w writes the ACD from kernel space into file default with no options, -l is assumed

The reference functions execve setuid chmod

Execve

Execve ( Cont. ) check_rootproc() return EXENA or EF

NA EXENA: 表示這個行程中所執行的程式並沒有列在 ACD 當中

EFNA: 表示檔案無法通過 ACD的認證 , 如檔案修改日期時間沒有符合

Check_rootproc()

Setuid If setuid(0), then enforce to type corre

ct root password kept in ACD If no match, invocation is denial

chmod chmod +s –p /program1 /program2 fo

o Allows the setuid program foo to exec

ute program1 and program2. Check filename is kept in ACD

Performance Pentium II 128MB Ram Linux Kernel 2.2.12 Repeat 40 times Sendmail Lpr Rsync X server

Performance ( Cont )

Conclusion 優點

多一層防護 , 比較安全 Kernel 做 , 執行速度佳

缺點 更改 kernel, 但是 kernel 的版本會一直改

變 機制不夠健全 ( 感覺上 , 未實際去想例子 )