A Black-Box Tracing Technique to Identify Causes of Least-Privilege Incompatibilities

Shuo Chen, John Dunagan, Chad Verbowski and Yi-Min Wang
NDSS 2005, San Diego, California, Feb. 4, 2005

Transcript of the slides (18 pages)

Page 1: Title

A Black-Box Tracing Technique to Identify Causes of Least-Privilege Incompatibilities
Shuo Chen, John Dunagan, Chad Verbowski and Yi-Min Wang
NDSS 2005, San Diego, California, Feb. 4, 2005

Page 2: The Problem

Principle of Least Privilege
– Software should run only with the privileges necessary to accomplish the task.

Reality of Windows systems
– Most users run all the time as members of the Administrators group (a.k.a. Admins; the equivalent of root in UNIX).
– Security threats increase: a compromise of a user application becomes a system compromise. E.g., a buffer overflow in Instant Messenger.
– Many Windows applications require admin privileges when they shouldn't (least-privilege incompatibility, or LPI).

Page 3: Least-Privilege-Incompatible Apps

Bob the Builder (a kid's game)

Windows Clock/Calendar

Page 4: Least-Privilege-Incompatible Apps

RAS, a Virtual Private Network (VPN) software

RAZZLE (the build environment for many Microsoft products)

Page 5: Least-Privilege-Incompatible Apps

TurboTax

Microsoft Greetings

Diablo II: "Unable to detect the Play Disc?"

A Microsoft Knowledge Base article reports 188 least-privilege-incompatible applications.

Page 6: Project Goal

Develop a tracer…
– To identify the causes of LPIs …
– So that they can be more easily fixed by developers or sysadmins.
– Provide enough clues to make a hard problem easy.

Address the developer's challenges
– It is impractical to get deep insight into the entire code base of a commercial product. The tracer should pinpoint the failing code.
– Libraries encapsulate the system calls that invoke security checks, and most libraries are in binary form. The tracer should identify the low-level security failure, not an opaque library failure.
– Applications can have many LPIs. The tracer should minimize the number of test runs needed to fix all of them.

Also helps sysadmins! In many cases, LPIs can be mitigated through harmless system policy changes.
– E.g., change the Access Control List (ACL) of files and registry keys.

Page 7: Windows Security Subsystem

Data structure: token (security context)

Complete set of checking functions in the security subsystem
– SID-Compare: can be used to check "Am I an admin?"
– Access-Check / Reference-Object: do I have the permissions to open an object handle / to perform operations on an opened handle?
– Adjust-Privilege / Privilege-Check: do I have the permission to perform this operation that is not associated with an individual object (e.g., shut down the system)?

Why not just monitor at the syscall level?
– The system call interface is enormous.
– Syscalls can be stateful; the security subsystem is stateless (a crucial ingredient in noise filtering).

Page 8: Overview of the Tracing Technique

(Flow diagram, recovered as text.)

Tracing mode
– Run the app with Admin privileges: start tracing … stop tracing.
– Security Check Monitor and Noise Filter (tracing mode): intercept every security check call and determine whether it succeeds but would fail if a non-admin invoked it. Uses the statelessness of the security subsystem.
– Security check event logger: produces the log of possible causes of least-privilege incompatibilities.

Validation mode
– Run the app without Admin privileges: start validation … stop validation.
– Security Check Monitor and Noise Filter (validation mode): deliberately make a subset of the logged security checks succeed when they normally would fail.

Page 9: Evaluations with Real Examples

The goal of the evaluation is to demonstrate that…
– The tracer makes LPIs easy to understand.
– Fixing the LPIs becomes substantially easier.
– Most LPIs are simply bugs.

Bottom line: the LPI problem is solvable.

Page 10: Case 1: Bob The Builder

Third-party application. Error message: "Unable to perform the operation because of insufficient privilege." Which operation? Why does it require admin privileges?

Tracing
– 4002 security checks were performed against the user token; 884 checks failed; 899 checks would fail if they were performed by a non-admin user.
– The log contains only 899 – 884 = 15 entries, among which only 5 are distinct.

Page 11: Case 1: Bob The Builder (the 5 distinct log entries)

Columns: Type of Check | Process Image | Object Name | Desired Access | Granted Access | Max access for regular users

Reference-Object | Automenu | \REGISTRY\HKEY_LOCAL_MACHINE\SOFTWARE\BBC Multimedia\Bob the Builder\1.0.0 | 0x00002 | 0xf003f | 0x020019
Access-Check | explorer | \Program Files\THQ\Bob the Builder\StartBTB.exe | 0x120189 | 0x120189 | 0x1200a9
Access-Check | explorer | \WINDOWS\explorer.exe | 0x120189 | 0x120189 | 0x1200a9
Access-Check | explorer | \WINDOWS\system32\mydocs.dll | 0x120189 | 0x120189 | 0x1200a9
Access-Check | explorer | \WINDOWS\system32\shell32.dll | 0x120189 | 0x120189 | 0x1200a9

Reading the masks: in the first row the desired access 0x00002 is KEY_SET_VALUE, i.e. a write to a key under HKEY_LOCAL_MACHINE, while regular users get at most 0x020019 (KEY_READ). In the explorer rows the desired access 0x120189 contains FILE_WRITE_ATTRIBUTES (0x100), which the regular-user maximum 0x1200a9 lacks.

(Screenshot caption) Run as non-admin
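The noise-filter rule from page 8 (log a check only if it succeeded under the admin token but would fail for a regular user) and the logged-versus-distinct count from page 10 can be modelled over the table above. The following is an added example written for this transcript; it is not code from the paper or from the authors' tracer, which runs inside a modified kernel. The record fields mirror the table's columns and the hex values are taken from it; the bit names are the documented Win32 ACCESS_MASK constants; the two extra rows at the end of the sample log are constructed noise, and the "max access for regular users" column is supplied by hand rather than computed from a token.

```python
"""Model of the tracer's tracing-mode noise filter over a constructed log.

Added example (not code from the paper or its tracer). Records mirror the
columns of the Bob the Builder table; the predicate is the rule stated on
slide 8: keep a check that passed with the admin token but whose requested
access mask is not a subset of what a regular-user token could obtain.
"""
from __future__ import annotations
from dataclasses import dataclass

# Documented ACCESS_MASK bits (winnt.h), used only to name the flagged bits.
STANDARD_RIGHTS = {
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
}
FILE_RIGHTS = {
    0x0001: "FILE_READ_DATA", 0x0002: "FILE_WRITE_DATA", 0x0004: "FILE_APPEND_DATA",
    0x0008: "FILE_READ_EA", 0x0010: "FILE_WRITE_EA", 0x0020: "FILE_EXECUTE",
    0x0040: "FILE_DELETE_CHILD", 0x0080: "FILE_READ_ATTRIBUTES",
    0x0100: "FILE_WRITE_ATTRIBUTES",
}
KEY_RIGHTS = {
    0x0001: "KEY_QUERY_VALUE", 0x0002: "KEY_SET_VALUE", 0x0004: "KEY_CREATE_SUB_KEY",
    0x0008: "KEY_ENUMERATE_SUB_KEYS", 0x0010: "KEY_NOTIFY", 0x0020: "KEY_CREATE_LINK",
}


@dataclass(frozen=True)
class Check:
    kind: str          # "Access-Check" (open) or "Reference-Object" (use of an open handle)
    process: str       # process image name
    obj: str           # NT object name
    desired: int       # access mask the caller asked for
    granted: int       # access the admin token actually received
    max_regular: int   # maximum access a regular-user token could get on the same object


def succeeds_only_as_admin(c: Check) -> bool:
    """Slide-8 rule: passed with the admin token, but the requested mask is not
    a subset of what a regular user could obtain."""
    passed_as_admin = (c.desired & ~c.granted) == 0
    would_fail_as_user = (c.desired & ~c.max_regular) != 0
    return passed_as_admin and would_fail_as_user


def missing_bits(c: Check) -> list[str]:
    """Name the requested access bits that a regular user would be denied."""
    specific = KEY_RIGHTS if c.obj.startswith("\\REGISTRY\\") else FILE_RIGHTS
    names = {**STANDARD_RIGHTS, **specific}
    missing = c.desired & ~c.max_regular
    return [names.get(1 << i, f"0x{1 << i:x}") for i in range(32) if missing & (1 << i)]


def filter_log(checks: list[Check]) -> list[Check]:
    """Apply the predicate and drop duplicates, matching the slide's distinction
    between logged entries (15) and distinct entries (5)."""
    seen: set[Check] = set()
    kept = []
    for c in checks:
        if succeeds_only_as_admin(c) and c not in seen:
            seen.add(c)
            kept.append(c)
    return kept


# Constructed sample log: the five distinct rows from the table above, one of
# them repeated, plus two made-up rows that the filter must drop.
SAMPLE_LOG = [
    Check("Reference-Object", "Automenu",
          "\\REGISTRY\\HKEY_LOCAL_MACHINE\\SOFTWARE\\BBC Multimedia\\Bob the Builder\\1.0.0",
          0x00002, 0xf003f, 0x020019),
    Check("Access-Check", "explorer", "\\Program Files\\THQ\\Bob the Builder\\StartBTB.exe",
          0x120189, 0x120189, 0x1200a9),
    Check("Access-Check", "explorer", "\\WINDOWS\\explorer.exe", 0x120189, 0x120189, 0x1200a9),
    Check("Access-Check", "explorer", "\\WINDOWS\\system32\\mydocs.dll", 0x120189, 0x120189, 0x1200a9),
    Check("Access-Check", "explorer", "\\WINDOWS\\system32\\shell32.dll", 0x120189, 0x120189, 0x1200a9),
    Check("Access-Check", "explorer", "\\WINDOWS\\system32\\shell32.dll", 0x120189, 0x120189, 0x1200a9),
    # Constructed: a read that a regular user can also perform -> never logged.
    Check("Access-Check", "Automenu", "\\Program Files\\THQ\\Bob the Builder\\readme.txt",
          0x120089, 0x120089, 0x1200a9),
    # Constructed: denied even to the admin token -> one of the "884 failed", never logged.
    Check("Access-Check", "Automenu", "\\WINDOWS\\system32\\config\\SAM", 0x120089, 0x0, 0x0),
]

if __name__ == "__main__":
    for c in filter_log(SAMPLE_LOG):
        print(f"{c.kind:17}{c.process:10}{c.obj}")
        print(f"{'':27}regular users lack: {', '.join(missing_bits(c))}")
```

Two points the model makes concrete. First, the filter alone does not say which of the five rows is the bug: the explorer rows are flagged for FILE_WRITE_ATTRIBUTES on files that a shell routinely opens, whereas the Automenu row is a KEY_SET_VALUE on an HKLM key, which is the kind of entry a developer or sysadmin acts on; that judgement is what the validation mode on page 8 exists to settle. Second, `max_regular` is given by hand here; the real tracer has to compute it at interception time, and in my reading that is where the statelessness noted on page 7 matters, since the same check can be re-evaluated against a regular-user token without perturbing the original call.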

Page 12: Case 2: RAS (Remote Access Service)

RAS sets up a Virtual Private Network (VPN) to connect to the corporate network. A least-privilege incompatibility was encountered. The tracer logged 7 entries out of 2566 security checks on the user token. The cause (one of the 7 logged entries) hides deep in the call stack and is not intuitive:

The RAS process
  -> Get_EnumEveryConnection in HNETCFG.dll (Home Networking Configuration Manager)
    -> CheckTokenMembership in ADVAPI32.dll
      -> Access-Check in the kernel

Developer's response:
• RAS needs to migrate existing connections to the VPN.
• The only API for enumerating network connections is Get_EnumEveryConnection, which is privileged.
• Solution: RAS should only migrate the current user's connections.

Page 13: Case 3: Microsoft Greetings

12618 checks performed against the user token; 37 entries in the log.

Encountered 5 LPIs along the code path:
– 1 due to SID-Compare
– 1 due to \Program Files\Microsoft Picture It! PhotoPub\pidocob.dll
– 3 due to \REGISTRY\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Picture It!\*

Strength of the tracing technique: logging all causes requires only one test run.

Page 14: Increasingly Obscure Error Messages

(Screenshots of the error dialogs shown as the LPIs are removed one at a time.)
Remove the first LPI
Remove the second LPI
Remove the other 3 LPIs

Page 15: Case 4: Diablo II

1573 checks on the user token; 3 entries in the log. Misleading error message (as if there were no disc in the CD drive). Only one entry is about the CD-ROM:

Game.exe checks its access to \Device\CdRom0

Validation mode: make the Access-Check on \Device\CdRom0 succeed.

Page 16: Other Example Applications

Windows Clock/Calendar
– rundll32.exe fails to enable the SystemTime privilege (Adjust-Privilege).

Windows Power Options
– Access-Check failure on the registry key \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\PowerCfg.

TurboTax
– TurboTax checks membership in the Administrators group via SID-Compare.

Razzle (a build environment tool)
– Access-Check failure on the root directory of the source code.

Page 17: Summary

We validate the effectiveness of the tracing technique on many real applications.
– The applications span a variety of user types.
– The applications exhibit a variety of reasons for the LPIs.
– Our technique catches all causes of LPIs on exercised code paths. As a dynamic tracing technique, it cannot identify LPIs that are not exercised.

Fixing or mitigating LPIs becomes significantly easier.

Page 18: Future Directions

Usability enhancements
– A driver instead of a modified kernel.
– Automatically set breakpoints at the security checks responsible for least-privilege incompatibilities (integrated into debuggers).
– A configuration utility for sysadmins.

Further research on permission failures
– Security failures involving networked applications.
– Apply the techniques to other OS platforms?