CBOSS: High-Security Applications
This initiative developed Privman, a practical privilege management toolkit. Privman makes it easy for software developers to partition privilege. Privman-managed programs can enforce fine-grained least privilege even in applications that need some root privilege.
In this research, we provide a practical UNIX privilege management framework for structuring (or restructuring) critical application programs to prevent privilege-misuse.
Privilege-misuse, particularly in network servers, is implicated in most attacks that do serious damage. Essentially, a "healthy" program receives user commands and accesses resources according to the application's intended logic. An attack inserts malicious logic into an application, thus allowing the attacker to use, or misuse, the application's privileges (i.e., access to its legitimate resources). In the most common and devastating form of this attack, the attacker inserts the malicious logic into a root-privileged process and subverts the entire "victim" system or network.
This task has three central goals:
- Prevent Privilege-misuse in the Short Term
  - We will demonstrate effective privilege management for critical UNIX applications during the initial CHATS phase (i.e., in 14 months, by September 2002). For maximum effect, we will focus our attention on widely deployed, critical applications that have in the past been vulnerable to attack: web servers, FTP servers, remote login facilities, etc.
- Demonstrate Practical Techniques Consistent with Open Source Development Practices
  - Our privilege management support software will be Open Source, and our privilege management techniques will stress simplicity and the use of existing UNIX facilities with which the Open Source community is familiar.
- Maximize Community Acceptance by Maintaining Compatibility/Performance
  - Software restructured using our techniques will be 100% compatible with existing Open Source kernels. This compatibility will allow our techniques to be selectively applied, service by service, and then incrementally deployed in the Open Source community. Our techniques will not substantially degrade performance.
The core of the privilege-misuse problem is that applications are not structured to manage their use of privilege. Historically, this reflects the lack of a privilege management framework, and corresponding support services. A number of systems have used access control techniques [BRA99, SHA99, BOE85, BAD96, CLA87] in an attempt to impose privilege management on applications. Unfortunately, these techniques have been limited in their effectiveness because the access controls must always grant to the entire application all privileges required for any part of the application to run: this results in surplus privileges during most or all of a typical application's lifetime. As a consequence, application developers are always left to "roll their own" privilege management, using a hodgepodge of techniques. Open Source software presents a unique opportunity to address this deficiency.
In its most generic form, privilege management is extremely complex and costly. Through a study of selected system services, however, we have formulated an approach to provide effective, and relatively simple, privilege management for UNIX programs. Our approach focuses on minimizing the need to run application logic with the root privilege. Running applications with the root privilege exposes systems to devastating privilege-misuse attacks based on exploiting inevitable software flaws in applications, for example, buffer overflows, format bugs, configuration errors, and design flaws.
Four typical reasons that system programs require privilege are:
- Accessing Privileged Ports
  - Network service applications often need access to low-numbered TCP and UDP communications ports. The need to obtain such ports is a primary reason for running most standard networking services (e.g., FTP, web, login, mail) as root.
- Accessing Protected Files
  - Many applications require access to protected configuration files, or need the ability to write to user home directories. This requirement often forces these applications to run as root.
- Becoming A Different User
  - Network service applications frequently perform jobs "on behalf of" normal users. Consequently, such applications must have the ability to become any normal user. Because becoming a different user requires the root privilege, these applications run as root until they can determine which user to become.
- Changing the Process Root ("/") Directory
  - The "chroot" feature is a rudimentary UNIX security mechanism that limits an application's ability to locate files on a system. This mechanism often improves security, but the root privilege is needed to use it.
In conventional software, a vast amount of complex (i.e., problem-prone) code runs as root for one or more of these reasons. In many cases, a critical application will run as root for an extended period of time, performing extremely complex processing on user supplied input, simply because it may eventually need the root privilege for one of these reasons. This dramatically increases the damage if any of the complex logic is wrong and can be exploited by an attacker.
This research will restructure applications so that they can function normally even though they never get the root privilege. With current technology, partitioning applications in this way is not feasible, because three ingredients are missing. We will develop them:
- a privilege server that mediates access to specific operations on behalf of privilege-managed applications;
- support libraries that facilitate the task of interacting with the privilege server;
- an analytic basis for employing these support components to structure (or restructure) application-layer software for privilege management.
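As an added illustration of the "Accessing Protected Files" case above and of how a privilege server and its support library split the work, the following C program (written for this page, not Privman's own code) shows the classic descriptor-passing pattern: the unprivileged worker sends a path over a UNIX-domain socketpair, the privileged side checks it against a policy and passes back only the open descriptor with SCM_RIGHTS. The allowed path prefix, the /tmp sample file, and all function names are assumptions made for the demo.

```c
/* Added example, not Privman's own code: a privilege server hands an open
 * descriptor (SCM_RIGHTS) to an unprivileged worker instead of lending it root.
 * The allowed prefix and the /tmp sample file are constructed for this demo. */
#include <sys/socket.h>
#include <fcntl.h>
#include <string.h>
#include <unistd.h>
#define ALLOWED "/tmp/privman_"   /* hypothetical policy: the only openable prefix */
/* Reply = one status byte, plus the fd as SCM_RIGHTS when the open succeeded. */
static int send_fd(int sock, int fd) {
    char st = fd >= 0, cbuf[CMSG_SPACE(sizeof(int))] = {0};
    struct iovec iov = { &st, 1 };
    struct msghdr m = { .msg_iov = &iov, .msg_iovlen = 1 };
    if (fd >= 0) {                                   /* attach the descriptor */
        m.msg_control = cbuf; m.msg_controllen = sizeof cbuf;
        struct cmsghdr *c = CMSG_FIRSTHDR(&m);
        c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS; c->cmsg_len = CMSG_LEN(sizeof(int));
        memcpy(CMSG_DATA(c), &fd, sizeof fd);
    }
    return sendmsg(sock, &m, 0) == 1 ? 0 : -1;
}
/* Worker side of the reply: the received fd, or -1 when the request was refused. */
static int recv_fd(int sock) {
    char st = 0, cbuf[CMSG_SPACE(sizeof(int))] = {0};
    struct iovec iov = { &st, 1 };
    struct msghdr m = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = cbuf, .msg_controllen = sizeof cbuf };
    if (recvmsg(sock, &m, 0) != 1 || st != 1) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&m);
    if (!c || c->cmsg_type != SCM_RIGHTS) return -1;
    int fd; memcpy(&fd, CMSG_DATA(c), sizeof fd); return fd;
}
/* Privileged side: the only untrusted input it ever parses is one path string. */
static int serve_one_open(int sock) {
    char req[256]; ssize_t n = read(sock, req, sizeof req - 1);
    if (n <= 0) return -1; req[n] = 0;
    int fd = strncmp(req, ALLOWED, sizeof ALLOWED - 1) ? -1 : open(req, O_RDONLY);
    int rc = send_fd(sock, fd);
    if (fd >= 0) close(fd);               /* the worker now holds its own copy */
    return rc;
}
/* In-process walkthrough over a socketpair (no fork, no root): 0 on success. */
int privsep_demo(void) {
    int sv[2], fd, w = open("/tmp/privman_demo.conf", O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (w < 0 || write(w, "listen 21\n", 10) != 10 || close(w) < 0) return -1;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    if (write(sv[1], "/tmp/privman_demo.conf", 22) != 22 || serve_one_open(sv[0]) < 0) return -1;
    if ((fd = recv_fd(sv[1])) < 0 || lseek(fd, 0, SEEK_END) != 10) return -1;
    close(fd); if (write(sv[1], "/etc/passwd", 11) != 11 || serve_one_open(sv[0]) < 0) return -1;
    return recv_fd(sv[1]) == -1 ? 0 : -1;   /* outside the policy: refused */
}
```

In a real deployment the two sides run in separate processes (the server keeps root, the worker drops it right after the socketpair and fork), so a flaw in the worker's complex request handling yields only the descriptors the policy already permits.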
To validate our results, we will apply these techniques to the Washington University FTP daemon (WU-FTP). Many thousands of Internet sites use WU-FTP to provide file transfer services to the Internet. As a consequence, subtle errors in WU-FTP have had serious security costs, and many attacks have used WU-FTP to obtain root access on victim machines. We will demonstrate that this software (20,000 lines of C code) can be adapted for privilege management and run without the root privilege. As resources allow, we will apply our restructuring techniques to other important programs such as Apache and BIND.
