Process firewalls: protecting processes during resource access

Processes retrieve a variety of resources from the operating system in order to execute properly, but adversaries have several ways to trick processes into retrieving resources of the adversaries' choosing. Such resource access attacks use name resolution, race conditions, and/or ambiguities regarding which resources are controlled by adversaries, accounting for 5-10% of CVE entries over the last four years. programmers have found these attacks extremely hard to eliminate because resources are managed externally to the program, but the operating system does not provide a sufficiently rich system-call API to enable programs to block such attacks. In this paper, we present the Process Firewall, a kernel mechanism that protects processes in manner akin to a network firewall for the system-call interface. Because the Process Firewall only protects processes -- rather than sandboxing them -- it can examine their internal state to identify the protection rules necessary to block many of these attacks without the need for program modification or user configuration. We built a prototype Process Firewall for Linux demonstrating: (1) the prevention of several vulnerabilities, including two that were previously-unknown; (2) that this defense can be provided system-wide for less than 4% overhead in a variety of macrobenchmarks; and (3) that it can also improve program performance, shown by Apache handling 3-8% more requests when program resource access checks are replaced by Process Firewall rules. These results show that it is practical for the operating system to protect processes by preventing a variety of resource access attacks system-wide.

[1]  Trent Jaeger,et al.  Integrity walls: finding attack surfaces from mandatory access control policies , 2012, ASIACCS '12.

[2]  Alan J. Hu,et al.  Fixing Races for Fun and Profit: How to Use access(2) , 2004, USENIX Security Symposium.

[3]  Henry M. Levy,et al.  Capability-Based Computer Systems , 1984 .

[4]  Haibo Chen,et al.  POLUS: A POwerful Live Updating System , 2007, 29th International Conference on Software Engineering (ICSE'07).

[5]  Christopher Krügel,et al.  Saner: Composing Static and Dynamic Analysis to Validate Sanitization in Web Applications , 2008, 2008 IEEE Symposium on Security and Privacy (sp 2008).

[6]  Somesh Jha,et al.  Formalizing sensitivity in static analysis for intrusion detection , 2004, IEEE Symposium on Security and Privacy, 2004. Proceedings. 2004.

[7]  Trent Jaeger,et al.  Consistency analysis of authorization hook placement in the Linux security modules framework , 2004, TSEC.

[8]  Matt Bishop,et al.  Checking for Race Conditions in File Accesses , 1996, Comput. Syst..

[9]  Shai Halevi,et al.  Where Do You Want to Go Today? Escalating Privileges by Pathname Manipulation , 2010, NDSS.

[10]  James P Anderson,et al.  Computer Security Technology Planning Study , 1972 .

[11]  Matt Bishop,et al.  A Flexible Containment Mechanism for Executing Untrusted Code , 2002, USENIX Security Symposium.

[12]  Xiang Cai,et al.  Exploiting Unix File-System Races via Algorithmic Complexity Attacks , 2009, 2009 30th IEEE Symposium on Security and Privacy.

[13]  Tal Garfinkel,et al.  Traps and Pitfalls: Practical Problems in System Call Interposition Based Security Tools , 2003, NDSS.

[14]  Jerome H. Saltzer,et al.  The protection of information in computer systems , 1975, Proc. IEEE.

[15]  G. F. G. O'Shea,et al.  Operating system integrity , 1991, Comput. Secur..

[16]  Bill Cheswick,et al.  Firewalls and internet security - repelling the wily hacker , 2003, Addison-Wesley professional computing series.

[17]  William S. McPhee Operating System Integrity in OS/VS2 , 1974, IBM Syst. J..

[18]  Trent Jaeger,et al.  STING: Finding Name Resolution Vulnerabilities in Programs , 2012, USENIX Security Symposium.

[19]  Thomas R. Gross,et al.  Safe Loading - A Foundation for Secure Execution of Untrusted Programs , 2012, 2012 IEEE Symposium on Security and Privacy.

[20]  Niels Provos,et al.  Improving Host Security with System Call Policies , 2003, USENIX Security Symposium.

[21]  Tomer Hertz,et al.  Portably Solving File TOCTTOU Races with Hardness Amplification , 2008, FAST.

[22]  Niels Provos,et al.  Preventing Privilege Escalation , 2003, USENIX Security Symposium.

[23]  Nikita Borisov,et al.  Fixing Races for Fun and Profit: How to Abuse atime , 2005, USENIX Security Symposium.

[24]  Ben Niu,et al.  Enforcing user-space privilege separation with declarative architectures , 2012, STC '12.

[25]  Eddie Kohler,et al.  Making information flow explicit in HiStar , 2006, OSDI '06.

[26]  Tal Garfinkel,et al.  Ostia: A Delegating Architecture for Secure System Call Interposition , 2004, NDSS.

[27]  Eddie Kohler,et al.  Information flow control for standard OS abstractions , 2007, SOSP.

[28]  Trent Jaeger,et al.  Analyzing Integrity Protection in the SELinux Example Policy , 2003, USENIX Security Symposium.

[29]  Daniel C. DuVarney,et al.  Model-carrying code: a practical approach for safe execution of untrusted applications , 2003, SOSP '03.

[30]  Calton Pu,et al.  Modeling and preventing TOCTTOU vulnerabilities in Unix-style file systems , 2010, Comput. Secur..

[31]  Trent Jaeger,et al.  Using CQUAL for Static Analysis of Authorization Hook Placement , 2002, USENIX Security Symposium.

[32]  James P Anderson Computer Security Technology Planning Study. Volume 2 , 1972 .

[33]  Stephanie Forrest,et al.  A sense of self for Unix processes , 1996, Proceedings 1996 IEEE Symposium on Security and Privacy.

[34]  David A. Wagner,et al.  Mimicry attacks on host-based intrusion detection systems , 2002, CCS '02.

[35]  Robert N. M. Watson,et al.  Capsicum: Practical Capabilities for UNIX , 2010, USENIX Security Symposium.

[36]  Somesh Jha,et al.  Environment-Sensitive Intrusion Detection , 2005, RAID.

[37]  Crispin Cowan,et al.  RaceGuard: Kernel Protection From Temporary File Race Vulnerabilities , 2001, USENIX Security Symposium.

[38]  Crispin Cowan,et al.  Linux security modules: general security support for the linux kernel , 2002, Foundations of Intrusion Tolerant Systems, 2003 [Organically Assured and Survivable Information Systems].

[39]  Ian Goldberg,et al.  A Secure Environment for Untrusted Helper Applications ( Confining the Wily Hacker ) , 1996 .

[40]  R. Sekar,et al.  A fast automaton-based method for detecting anomalous program behaviors , 2001, Proceedings 2001 IEEE Symposium on Security and Privacy. S&P 2001.

[41]  David A. Wagner,et al.  A Secure Environment for Untrusted Helper Applications , 1996, USENIX Security Symposium.