Abstract
Programs fetch resources, such as files, from the operating system through the process of name resolution. However, adversaries can subvert name resolution to redirect victim processes to resources of the adversaries' choosing, leading to a variety of attacks. These attacks are possible because traditional access control treats processes as black boxes, granting a process's full set of permissions to every system call it makes, which lets adversaries trick victims into using resources that are not appropriate for particular system calls. Researchers have examined methods for enforcing distinct policies on individual system calls, but these methods are difficult to use because programmers must manually specify which permissions apply where. In this work, we examine the generation of system-call-specific program policies that augment access control to defend against such name resolution attacks. Our insight is that system calls can be classified by the properties of the resources they access, so that policies can be produced automatically. Given specific knowledge about name resolution attacks, such a classification may be refined further to prevent many name resolution attacks with little chance of false positives. In this paper, we produce a policy using runtime analysis for an Ubuntu 12.04 distribution, finding that 98.5% of accesses can be restricted to prevent typical name resolution attacks and more than 65% of accesses can be restricted to a single file without creating false positives. We also examine three programs in detail to evaluate the efficacy of using the provided package test suites to generate policies, finding that administrators can produce effective policies automatically.
Notes
1. Name resolution attacks may be launched with any operation privilege to files, so we ignore the file operations requested in this work.
2. This is actually the same inode, as the inode is the unique identifier for file objects.
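To make the abstract's approach concrete, the following is an added illustration (not code from the paper or its authors) of generating a per-call-site policy from a recorded access trace and checking later accesses against it. It assumes a constructed trace of accesses keyed by a hypothetical call-site label, identifies resources by inode (as note 2 describes) regardless of the file operation requested (as note 1 describes), and uses a simplified classification: a site that only ever resolved to one inode gets a single-file policy, any other site is restricted to the resource owners it was observed with and to resolutions that traverse no symbolic link.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Access:
    site: str       # program + syscall + call-site id (hypothetical label)
    path: str       # name the program asked the kernel to resolve
    inode: int      # the resource the kernel actually resolved to
    owner: str      # owner of the resolved resource
    via_link: bool  # whether resolution traversed a symbolic link


# Constructed training trace, standing in for accesses recorded while
# running a package's test suite (not real data from the paper).
TRACE = [
    Access("cp:open#1", "/etc/passwd", 100, "root", False),
    Access("cp:open#1", "/etc/passwd", 100, "root", False),
    Access("logrotate:open#2", "/var/log/syslog", 200, "root", False),
    Access("logrotate:open#2", "/var/log/auth.log", 201, "root", False),
]


def generate_policy(trace):
    """Build one rule per call site from the observed accesses.

    A site that always resolved to the same inode is pinned to that file;
    otherwise the site is classified by the set of resource owners seen
    (a simplification of the paper's resource-property classification).
    """
    seen = defaultdict(list)
    for a in trace:
        seen[a.site].append(a)
    policy = {}
    for site, accesses in seen.items():
        inodes = {a.inode for a in accesses}
        if len(inodes) == 1:
            policy[site] = ("single_file", inodes.pop())
        else:
            policy[site] = ("owner_class", frozenset(a.owner for a in accesses))
    return policy


def check(policy, access):
    """Return True if the access is allowed by the site's generated rule."""
    kind, data = policy.get(access.site, (None, None))
    if kind is None:
        return False  # never-observed site: deny by default
    if kind == "single_file":
        return access.inode == data
    # owner-class site: resource must keep an observed owner and must not
    # have been reached through a symbolic link (a typical redirection vector)
    return access.owner in data and not access.via_link
```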
© 2013 Springer International Publishing Switzerland
Vijayakumar, H., Jaeger, T. (2013). The Right Files at the Right Time. In: Al-Shaer, E., Ou, X., Xie, G. (eds) Automated Security Management. Springer, Cham. https://doi.org/10.1007/978-3-319-01433-3_7
DOI: https://doi.org/10.1007/978-3-319-01433-3_7
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-01432-6
Online ISBN: 978-3-319-01433-3