
Page 1: SubDomain: Parsimonious Server Security

Presenter: Alptekin Küpçü

Page 2: Overview

Problem Definition
Problematic Examples
Previous Approaches
SubDomain Approach
Related Work
Summing Up
Discussion

Page 3: Problem Definition

Why do we need server security?
• The server itself is an easier target than the SSL channel that protects its traffic

Why is it hard?
• Every piece of software running on the server must be secure

What should a solution look like?
• Small implementation: more likely to be bug-free
• Simple operation: less likely to be misconfigured
• Fine-grained control
• High performance and compatibility with existing software

Page 4: Problematic Examples

Cause: "trusted" programs
• run with privilege
• have a bug that an attacker can exploit

BIND DNS server & Microsoft IIS server
• Attackers gained administrative privileges through them

Common bugs
• Buffer overflows
• Race conditions
• Special-character processing

Page 5: Solution

Safety properties on integrity
• Not information-flow (confidentiality) issues

Principle of least privilege
• Minimizes the damage a compromised program can do

Previous approaches
• Minimizing user/role privileges
• setuid with synthetic users (a dedicated pseudo-user per service)
• Hard to do in practice: needs too much administrative work

Page 6: SubDomain

Admin specifies "domains" for programs
• Not for users
• A domain is a list of files and the operations allowed on each

Restrictive
• Like Linux Security Modules: SubDomain only ever removes rights, it never grants rights the underlying system would deny
• So using SubDomain is guaranteed to be no less safe than not using it

System calls
• Return an error if the profile does not grant the needed privilege
• Denied attempts are logged and can feed intrusion detection

Page 7: SubDomain Details

Child process
• Can inherit the parent's rights, possibly with some rights added or removed
• Can have completely unrelated rights (finer grain)

Plug-ins, loadable modules or scripts
• The process must cooperate with SubDomain by using "hats"

Hat
• Must be changed before calling the sub-component
• Must not be changeable from inside the sub-component
• Use random identifiers (tokens) for hats, so the sub-component cannot guess the value needed to change back
• The sub-component must not be able to read the process memory where the token is kept
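The following is an added illustration of the two mechanisms on pages 6 and 7, written in Python for this page; it is not SubDomain's kernel code, and the profile format, the class and function names, the web-server profile and the token handling are this example's own assumptions. A profile is a list of (path glob, operations) for one program, `syscall` models the kernel check a confined program hits on every file operation (error plus a log entry on a miss), and hats model sub-component confinement: the process switches into a narrower sub-profile with a random token before calling a plug-in, and only a caller that still holds that token can switch back.

```python
"""
Toy model of SubDomain-style per-program confinement and "hats".

Added illustration, not SubDomain's kernel code.  The profile format, the
names below and the token handling are this example's own assumptions.
"""
import fnmatch
import secrets
from dataclasses import dataclass, field

# Constructed "audit log" of refused operations (what SubDomain would log
# for intrusion detection).
DENIED = []


class PermissionDenied(Exception):
    """Models the error return of a syscall the profile does not permit."""


@dataclass
class Profile:
    name: str
    rules: dict                                   # glob -> set of ops, e.g. {"/etc/httpd/*": {"r"}}
    hats: dict = field(default_factory=dict)      # hat name -> Profile

    def allows(self, path, op):
        # Rules only ever grant; anything not matched is denied (restrictive model).
        return any(op in ops for glob, ops in self.rules.items()
                   if fnmatch.fnmatchcase(path, glob))


class ConfinedProcess:
    def __init__(self, profile):
        self._base = profile      # the program's own profile
        self.profile = profile    # profile currently enforced (base or a hat)
        self._token = None        # set while inside a hat

    def syscall(self, op, path):
        if not self.profile.allows(path, op):
            DENIED.append(f"{self.profile.name}: denied {op} on {path}")
            raise PermissionDenied(f"{op} {path}")
        return "allowed"

    def change_hat(self, hat_name):
        """Enter a hat before calling a sub-component.  Returns the random
        token the caller must keep out of the sub-component's reach."""
        if self._token is not None:
            raise PermissionDenied("already inside a hat")
        self._token = secrets.token_bytes(16)
        self.profile = self._base.hats[hat_name]
        return self._token

    def restore(self, token):
        """Leave the hat.  Only the holder of the token issued by change_hat
        may do so; a guessed token is refused and logged."""
        if self._token is None or not secrets.compare_digest(token, self._token):
            DENIED.append(f"{self.profile.name}: bad hat token, refusing to leave hat")
            raise PermissionDenied("bad hat token")
        self.profile, self._token = self._base, None


def attempt(proc, op, path):
    """Run one syscall and report "allowed" or "denied" instead of raising."""
    try:
        return proc.syscall(op, path)
    except PermissionDenied:
        return "denied"


def demo():
    # Constructed profile for a web server; the paths are illustrative only.
    httpd = Profile(
        "httpd",
        {"/var/www/*": {"r"}, "/etc/httpd/*": {"r"}, "/var/log/httpd/*": {"w"}},
        hats={"cgi": Profile("httpd^cgi", {"/var/www/cgi-bin/*": {"r", "x"}})},
    )
    proc = ConfinedProcess(httpd)
    results = {}
    results["read_doc"] = attempt(proc, "r", "/var/www/index.html")
    results["write_passwd"] = attempt(proc, "w", "/etc/passwd")              # not in profile
    token = proc.change_hat("cgi")                                            # before calling the CGI
    results["cgi_reads_conf"] = attempt(proc, "r", "/etc/httpd/httpd.conf")  # hat is narrower
    try:                                                                      # CGI tries to escape the hat
        proc.restore(bytes(16))
        results["cgi_escape"] = "allowed"
    except PermissionDenied:
        results["cgi_escape"] = "denied"
    proc.restore(token)                                                       # caller leaves the hat
    results["back_reads_conf"] = attempt(proc, "r", "/etc/httpd/httpd.conf")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
    print("\n".join(DENIED))
```

The model refuses a bad token and keeps running; a real enforcement hook would more likely kill the process, since a wrong token means the sub-component is already trying to break out. It also makes the slide's last two points concrete: the token is only as good as the sub-component's inability to read it out of the caller's memory, which is why a plug-in loaded into the same address space is hard to confine this way.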

Page 8: SubDomain Implementation

Kernel module
• No change needed to programs, unless sub-component (hat) security is desired
• A SubDomain profile can ship with the package

Always safe to install
Easy to understand
But profile creation must be manual
• Start with no privileges
• If source code is not available, exercise the application and populate the profile from what it tries to access
• This must cover all possible inputs, since code paths that were never exercised get no rights
• The result should be manually rechecked
• Not too complex in practice
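An added illustration of the profile-creation procedure above, written in Python for this page; it is not SubDomain's own tooling. The log line format, the profile text syntax and the sample log are constructed for this example (the real SubDomain log format may differ). The script starts from an empty profile, turns the denials a learning run produced into rules, collapses sibling files that need the same operations into one directory rule, and flags what the slide says must be manually rechecked: a learning run grants whatever the program was observed doing, including what an intruder did during the run, and wildcards widen that further.

```python
"""
Profile learning from denial logs, in the spirit of SubDomain's manual
profile creation.  Added illustration, not SubDomain's own tooling; the
log format, profile syntax and sample log are constructed for it.
"""
import posixpath
import re
from collections import defaultdict

LOG_RE = re.compile(r"^SubDomain: denied (?P<ops>[rwx]+) (?P<path>\S+) by (?P<prog>\S+)$")

# Constructed log from a learning run of /usr/sbin/httpd under an empty profile.
# The /etc/passwd line is what an attack during the learning run would leave behind.
SAMPLE_LOG = """\
SubDomain: denied r /etc/httpd/httpd.conf by /usr/sbin/httpd
SubDomain: denied r /var/www/html/index.html by /usr/sbin/httpd
SubDomain: denied r /var/www/html/about.html by /usr/sbin/httpd
SubDomain: denied w /var/log/httpd/access_log by /usr/sbin/httpd
SubDomain: denied w /var/log/httpd/error_log by /usr/sbin/httpd
SubDomain: denied rx /var/www/cgi-bin/form.cgi by /usr/sbin/httpd
SubDomain: denied w /etc/passwd by /usr/sbin/httpd
SubDomain: denied r /home/alice/.bashrc by /usr/sbin/sshd
""".splitlines()


def parse_denials(lines, program):
    """Collect, per path, the operations `program` was refused."""
    wanted = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group("prog") == program:
            wanted[m.group("path")].update(m.group("ops"))
    return dict(wanted)


def generalize(rules, min_siblings=2):
    """Collapse files in one directory that need identical operations into a
    single `dir/*` rule; everything else stays as an exact path."""
    by_dir = defaultdict(lambda: defaultdict(list))
    for path, ops in rules.items():
        by_dir[posixpath.dirname(path)][frozenset(ops)].append(path)
    out = {}
    for directory, groups in by_dir.items():
        for ops, paths in groups.items():
            if len(paths) >= min_siblings:
                out[posixpath.join(directory, "*")] = set(ops)
            else:
                for path in paths:
                    out[path] = set(ops)
    return out


def review_flags(rules):
    """Rules a human must check before the profile is enforced."""
    flags = []
    for path, ops in sorted(rules.items()):
        if path.endswith("/*"):
            flags.append(f"{path}: wildcard generalized from observed files; check the directory contents")
        if "w" in ops and path.startswith(("/etc/", "/usr/", "/bin/", "/sbin/")):
            flags.append(f"{path}: write to system files; likely not needed by the program")
        if "x" in ops:
            flags.append(f"{path}: execute right; consider a separate profile or hat for it")
    return flags


def render(program, rules):
    """Emit the profile in this example's (constructed) text syntax."""
    body = "\n".join(f"  {path} {''.join(sorted(ops))}," for path, ops in sorted(rules.items()))
    return f"{program} {{\n{body}\n}}"


def learn(lines, program):
    rules = generalize(parse_denials(lines, program))
    return rules, review_flags(rules)


if __name__ == "__main__":
    rules, flags = learn(SAMPLE_LOG, "/usr/sbin/httpd")
    print(render("/usr/sbin/httpd", rules))
    print("\n".join("REVIEW " + f for f in flags))
```

On the sample log this yields five rules and four review flags, one of them the write to /etc/passwd that a blindly accepted profile would have carried into production. The slide's "all possible inputs" requirement shows up the same way: a request type that was never sent during the learning run leaves no denial, so the finished profile will refuse it later.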

Page 9: Differences from Related Work

System-wide program profiles
• Like Mandatory Access Control

Finer-grained
• Sub-components

Compatible
• Not language-based

Always safe to install
• Can come pre-packaged

Little performance overhead

Small and simple
• 4500 lines of kernel patch

Page 10: Some Related Work

Program-based Access Control Lists
• Dual of SubDomain: each file carries a list of programs granted access, instead of each program carrying a list of files

chroot
• Escapable (a process that gains root inside the jail can break out)
• Storage and performance overhead (the jail needs its own copies of the files the program uses)

Page 11: Summing Up

Least privilege on programs
• More intuitive for server systems
• Easy to understand and to create a profile
• Apache profile size: 33 lines

Profile packaged with programs
Finer-grained

Page 12: Discussion

Easy to specify and use
• But still needs non-trivial administration

Not enough evaluation
• 5 to 10 clients for a server?

Too much "trust" is still there
• Is using sub-components really secure?

Is this the level of security we want for our servers?

Compare and combine with chroot or LD_PRELOAD