Implementing a secure setuid program

Setuid programs are often exploited by attackers to obtain unauthorized access to local systems. A setuid program owned by the root user runs with root privileges, so an attacker who exploits a vulnerability in a setuid-root program gains root privileges. The vulnerabilities usually lie in code that does not itself require root privileges; nevertheless, the entire code of a setuid-root program is granted root privileges. This paper presents a scheme called privileged code minimization that reduces the risk posed by setuid programs. In this scheme, setuid-root programs are divided into privileged code and non-privileged code. Privileged code is granted root privileges, while non-privileged code is not. This scheme reduces the size of the trusted computing base (TCB) because it reduces the amount of code running with root privileges, which reduces the chances of an attacker gaining root privileges by subverting a setuid program. Protection between privileged code and non-privileged code is enforced by fine-grained protection domains, a novel protection mechanism of the operating system proposed by the authors.
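The privileged/non-privileged split described above, as an added example that is not code from the paper. The paper enforces the split with fine-grained protection domains, a kernel mechanism this example does not have; it approximates the same design with standard POSIX calls instead: the privileged code performs the single root-requiring operation, root is then dropped permanently and the drop is verified, and only after that does the non-privileged code touch untrusted input. `LOG_PATH`, `open_privileged_log`, `drop_privileges_permanently`, `privileges_dropped` and `sanitize_message` are all names chosen here, not from the paper; the log path is hypothetical.

```c
/* Added example (not the paper's code): privileged code minimization in a
 * setuid-root program, approximated with POSIX setresuid/setresgid rather
 * than the paper's fine-grained protection domains. LOG_PATH is hypothetical. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define LOG_PATH "/var/log/example-setuid.log"   /* hypothetical path */

/* Privileged code: the only operation that needs root. Returns fd or -1. */
int open_privileged_log(const char *path)
{
    return open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0600);
}

/* Permanently drop to uid/gid. Order matters: supplementary groups first,
 * then gid, then uid, because once the uid is unprivileged the group changes
 * would no longer be permitted. Returns 0 on success, -1 on failure. */
int drop_privileges_permanently(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0)   /* only root may call it */
        return -1;
    if (setresgid(gid, gid, gid) != 0)
        return -1;
    if (setresuid(uid, uid, uid) != 0)
        return -1;
    return 0;
}

/* Verify the drop took effect: real, effective and saved ids all equal the
 * target, and for a non-root target root cannot be regained. Returns 1 if
 * privileges are dropped, 0 otherwise. */
int privileges_dropped(uid_t uid, gid_t gid)
{
    uid_t ru, eu, su;
    gid_t rg, eg, sg;
    if (getresuid(&ru, &eu, &su) != 0 || getresgid(&rg, &eg, &sg) != 0)
        return 0;
    if (ru != uid || eu != uid || su != uid)
        return 0;
    if (rg != gid || eg != gid || sg != gid)
        return 0;
    if (uid != 0 && setuid(0) == 0)   /* must fail with EPERM after the drop */
        return 0;
    return 1;
}

/* Non-privileged code: handles untrusted input after the drop. Copies only
 * printable ASCII, bounded by outlen, and returns the bytes written
 * (excluding the NUL terminator). */
size_t sanitize_message(const char *in, char *out, size_t outlen)
{
    size_t n = 0;
    if (outlen == 0)
        return 0;
    for (; *in != '\0' && n + 1 < outlen; in++) {
        unsigned char c = (unsigned char)*in;
        if (c >= 0x20 && c <= 0x7e)
            out[n++] = (char)c;
    }
    out[n] = '\0';
    return n;
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s message\n", argv[0]);
        return 2;
    }

    /* 1. Privileged code: the single operation that requires root. */
    int fd = open_privileged_log(LOG_PATH);
    if (fd < 0) {
        perror("open log");
        return 1;
    }

    /* 2. Drop root before touching argv, and refuse to continue unless the
     *    drop is verified. */
    uid_t uid = getuid();
    gid_t gid = getgid();
    if (drop_privileges_permanently(uid, gid) != 0 || !privileges_dropped(uid, gid)) {
        fprintf(stderr, "failed to drop privileges, refusing to continue\n");
        return 1;
    }

    /* 3. Non-privileged code: parse untrusted input with no root available. */
    char line[256];
    size_t n = sanitize_message(argv[1], line, sizeof line - 1);
    line[n] = '\n';
    if (write(fd, line, n + 1) != (ssize_t)(n + 1)) {
        perror("write");
        return 1;
    }
    close(fd);
    return 0;
}
```

The point of the ordering is the one the abstract makes: the only code that ever runs as root is `open_privileged_log`, and everything that parses attacker-controlled data runs after `privileges_dropped` has confirmed that root is gone. The paper's kernel mechanism achieves the same separation without having to give up root for the rest of the process lifetime.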
