DOI: 10.1145/3545948.3545978
Research article (Public Access)

Decap: Deprivileging Programs by Reducing Their Capabilities

Published: 26 October 2022

Abstract

Linux enables non-root users to perform certain privileged operations through the use of the setuid (“set user ID”) mechanism. This represents a glaring violation of the principle of least privilege, as setuid programs run with full superuser privileges—with disastrous outcomes when vulnerabilities are found in them. Linux capabilities aim to improve this situation by splitting superuser privileges into distinct units that can be assigned individually. Despite the clear benefits of capabilities in reducing the risk of privilege escalation, their actual use is scarce, and setuid programs are still prevalent in modern Linux distributions. The lack of a systematic way for developers to identify the capabilities needed by a given program is a contributing factor that hinders their applicability.
In this paper we present Decap, a binary code analysis tool that automatically deprivileges programs by identifying the subset of capabilities they require based on the system calls they may invoke. This is made possible by our systematic effort in deriving a complete mapping between all Linux system calls related to privileged operations and the corresponding capabilities on which they depend. The results of our experimental evaluation with a set of 201 setuid programs demonstrate the effectiveness of Decap in meaningfully deprivileging them, with half of them requiring fewer than 16 capabilities, and 69% of them avoiding the use of the security-critical CAP_SYS_ADMIN capability.
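The derivation the abstract describes, as an added example that is not the paper's tool or code: given the set of system calls a program may invoke (assumed here to have already been extracted from the binary, which is the part Decap automates), take the union of the capabilities those calls depend on, render the result in the text form setcap(8) accepts, and compute the two corpus-level figures the abstract reports. The syscall-to-capability table is a small hand-picked subset taken from capabilities(7) and does not reproduce the paper's complete mapping; the program names and their syscall lists are constructed, not measurements of real binaries.

```python
"""Illustrative re-implementation of the Decap idea (added example, not the paper's code).

Given the system calls a program may invoke, derive the Linux capabilities it
needs and emit a setcap(8)-style file-capability string. The mapping below is a
constructed subset after capabilities(7); Decap's full mapping is much larger."""
from statistics import median
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

# Constructed subset of the syscall -> capability relation (after capabilities(7)).
# Each syscall is listed with the capability the kernel checks when the call would
# otherwise be denied; comments note the argument-dependent cases.
SYSCALL_CAPS: Dict[str, FrozenSet[str]] = {
    "setuid":      frozenset({"CAP_SETUID"}),
    "setresuid":   frozenset({"CAP_SETUID"}),
    "setgid":      frozenset({"CAP_SETGID"}),
    "setgroups":   frozenset({"CAP_SETGID"}),
    "chown":       frozenset({"CAP_CHOWN"}),
    "fchown":      frozenset({"CAP_CHOWN"}),
    "chroot":      frozenset({"CAP_SYS_CHROOT"}),
    "kill":        frozenset({"CAP_KILL"}),              # signalling another user's process
    "bind":        frozenset({"CAP_NET_BIND_SERVICE"}),  # privileged ports (< 1024) only
    "socket":      frozenset({"CAP_NET_RAW"}),           # SOCK_RAW / SOCK_PACKET only
    "mount":       frozenset({"CAP_SYS_ADMIN"}),
    "umount2":     frozenset({"CAP_SYS_ADMIN"}),
    "sethostname": frozenset({"CAP_SYS_ADMIN"}),
}


def required_capabilities(syscalls: Iterable[str]) -> Set[str]:
    """Union of the capabilities behind every syscall the program may invoke.
    Syscalls absent from the table (read, write, open, ...) need no capability."""
    caps: Set[str] = set()
    for name in syscalls:
        caps |= SYSCALL_CAPS.get(name, frozenset())
    return caps


def setcap_spec(caps: Iterable[str]) -> str:
    """Render a capability set in the text form setcap(8) accepts, e.g.
    'cap_chown,cap_setgid,cap_setuid=ep' (effective + permitted file capabilities).
    An empty set yields '' : the program needs no file capabilities at all."""
    names = sorted(c.lower() for c in caps)
    return (",".join(names) + "=ep") if names else ""


def deprivilege_all(programs: Dict[str, Iterable[str]]) -> Dict[str, Set[str]]:
    """Apply required_capabilities to every program in a corpus."""
    return {prog: required_capabilities(calls) for prog, calls in programs.items()}


def summarize(results: Dict[str, Set[str]]) -> Tuple[float, float]:
    """Return (median capability count, fraction of programs avoiding CAP_SYS_ADMIN),
    the two corpus-level figures the abstract reports for its 201 setuid programs."""
    counts = [len(caps) for caps in results.values()]
    no_admin = sum(1 for caps in results.values() if "CAP_SYS_ADMIN" not in caps)
    return float(median(counts)), no_admin / len(results)


# Constructed corpus: the names and syscall sets are illustrative only.
CORPUS: Dict[str, List[str]] = {
    "passwd-like": ["open", "read", "write", "chown", "setuid", "setgid"],
    "ping-like":   ["socket", "sendto", "recvfrom"],
    "mount-like":  ["mount", "umount2", "open"],
    "su-like":     ["setresuid", "setgroups", "execve", "chroot"],
}

if __name__ == "__main__":
    results = deprivilege_all(CORPUS)
    for prog, caps in results.items():
        print(f"{prog:12s} {setcap_spec(caps) or '<no capabilities needed>'}")
    med, frac = summarize(results)
    print(f"median capabilities: {med}, programs avoiding CAP_SYS_ADMIN: {frac:.0%}")
```

The table deliberately records the argument-dependent cases (bind only needs CAP_NET_BIND_SERVICE for privileged ports, socket only needs CAP_NET_RAW for raw sockets) as plain entries, which is the conservative choice: a syscall-level analysis that cannot see the arguments must grant the capability whenever the call is reachable, so the result over-approximates rather than under-approximates what the program needs.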


Cited By

  • (2024) A Path Sensitive and Scalable Approach for Mapping the Capabilities Required for Linux Kernel Defined System Calls Using Static Analysis Techniques. 2024 IEEE 20th International Conference on Intelligent Computer Communication and Processing (ICCP), pp. 1–8. DOI: 10.1109/ICCP63557.2024.10793015. Online publication date: 17 Oct 2024.
  • (2024) Implementing the principle of least administrative privilege on operating systems: challenges and perspectives. Annals of Telecommunications 79(11–12), pp. 857–880. DOI: 10.1007/s12243-024-01033-5. Online publication date: 16 May 2024.
  • (2024) A Lightweight Defense Scheme Against Usermode Helper Privilege Escalation Using Linux Capability. Information Security, pp. 190–208. DOI: 10.1007/978-3-031-75757-0_10. Online publication date: 24 Oct 2024.
  • (2023) AnimateDead. Proceedings of the 32nd USENIX Conference on Security Symposium, pp. 5575–5591. DOI: 10.5555/3620237.3620549. Online publication date: 9 Aug 2023.
  • (2023) IOSPReD: I/O Specialized Packaging of Reduced Datasets and Data-Intensive Applications for Efficient Reproducibility. IEEE Access 11, pp. 1718–1731. DOI: 10.1109/ACCESS.2022.3233787. Online publication date: 2023.

Published In

RAID '22: Proceedings of the 25th International Symposium on Research in Attacks, Intrusions and Defenses
October 2022, 536 pages
ISBN: 9781450397049
DOI: 10.1145/3545948
Publisher: Association for Computing Machinery, New York, NY, United States

Author Tags

  1. Linux capabilities
  2. privileges
  3. setuid programs

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Funding Sources

  • ONR
  • NSF

Conference

RAID 2022. Overall acceptance rate: 43 of 173 submissions, 25%.

Article Metrics

  • Downloads (last 12 months): 453
  • Downloads (last 6 weeks): 59
  Reflects downloads up to 17 Feb 2025.