OSCAR Lab

Obviating Setuid-to-root Binaries

Protego: Practical Techniques to Obviate Setuid-to-Root Binaries

What is Protego?

Protego is a linux variant based on Ubuntu that never raises the privilege of an user that isn't the administrator. Specifically, Protego removes the need for utilities that are setuid-to-root. Protego currently de-privileges 12,732 lines of code in trusted setuid-to-root binaries by changing just 715 lines of kernel code.

What are setuid-to-root binaries?

On Linux, whenever an application is executed, it runs with the privilege of the user running the application. But, there is a special setuid permission bit which if enabled on a binary, it runs with the privilege of the owner instead of the user running the application. Thus, setuid-to-root binaries are the binaries owned by root and setuid permission bit set. So these binaries run with the root privilege.

Setuid-to-root binaries are generally used to adjust a coarse kernel security policy to match the expectation of the system administrator. As a simple example, mount is setuid-root to allow non-root users to mount removable media at safe locations, as specified in /etc/fstab using the user or users option.

What is the problem with setuid-to-root binaries?

Setuid binaries often violate the least privilege principle (LPP), which can lead to a privilege escalation attack vector. For instance, if mount has an exploitable input parsing bug, this can be used to gain root over the entire system.

Our Goal: Obviate setuid-root

This project investigates whether there are simple alternatives to the setuid bit that never require a non-administrator user to escalate privilege, thereby obviating the need for non-administrator users to ever raise privilege or invoke a trusted binary.

We drive this work with a study of how setuid-to-root is used in practice in Debian/Ubuntu ecosystem. For each setuid binary, we identify the system interfaces that require privilege, and identify the policies encoded in the binary. Then, we identify a simpler mechanism to enforce the same policies in the kernel, with simple extensions to the AppArmor Linux Security Module.

Current Status

We have carefully studied 28 setuid-to-root binaries. According to the Debian and Ubunty "popularity contest" results, this set includes all binaries installed on more than 10.5% of systems surveyed.

There are an additional 91 binaries packaged and distributed by Ubuntu, and testing that these work on Protego is ongoing work. Based on documentation, most of these use interfaces Protego has already addressed, but check back later for updates.

What principles is Protego based on?

The primary observation of the Protego project is that the most common uses of setuid are to export safe subsets of otherwise privileged functionality, and that there is a mismatch between kernel policies and common system policies. Although the privilege escalation issues can be mitigated with finer-grained privilege management, we instead look for the simplest mechanism to identify and export functionality safe for any user, without managing capabilities or other advanced security models.

Protego's design follows these principles:

Protego provides object based policies for unprivileged users.
The Protego Linux kernel has simple /proc interfaces to specify system policy. For backward compatibility, system policies can be mined from legacy configuration files, such as /etc/fstab, using a trusted daemon.
In some cases, we also change the design of interfaces that needed extra privileges due to the interface design itself.
We maintain backwards compatibility from the user's and administrator's perspectives, so that there is no change in the interaction between different entities.

Although Protego extends AppArmor, the changes could easily be adopted by any LSM.

What about POSIX or Linux file system capabilities?

POSIX capabilities (a.k.a. file system capabilities) divide the root privilege into 36 different capabilities. While these capabilities enforce least privilege for the administrator so that she cannot, say, change the filesystem tree while configuring the network, these capabilities do not enforce least privilege for an untrusted user. For instance, the CAP_NET_ADMIN network capability allows a user to change routes, disable devices, set privileged socket options, and enable multi-casting.

In Protego, non-administrator user never acquires a POSIX capability.

How does this compare to SELinux?

SELinux mitigates much of the risk of privilege escalation through finer grained security policies on trusted binaries and preventing capability accumulation. Nonetheless, SELinux does not enforce least privilege on all setuid binaries. For instance, ping can forge a range of outgoing packets, even on SELinux, as the kernel still simply checks permission to create a raw socket, rather than checking that all outgoing packets are safe.

Protego identifies simple changes that Linux could adopt to mitigate this risk that do not require a sophisticated security module.

How can I learn more?

Read our recent EuroSys paper or contact us by email.

Authors: Bhushan Jain, Chia-Che Tsai, Jitin John, Donald E. Porter (PDF) (Slides) (Poster)

How to obtain Protego?

The code is released on GitHub at https://github.com/oscarlab/protego.

How to setup Protego?

Setup instructions are uploaded as a script on GitHub repository. Please refer to setup.sh.

How to report problems or get more information about Protego?

Please contact Bhushan Jain at bpjain [at] cs [dot] stonybrook [dot] edu.

What does Protego mean?

Protego is a term from Harry Potter which means a shield charm. Protego is used to block any attacking spells. More details and known uses of this spell are described here. We name our prototype as Protego because it shields the system against privilege escalation attacks that exploit setuid-to-root binaries.