TY - GEN
T1 - Decap
T2 - 25th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2022
AU - Hasan, Md Mehedi
AU - Ghavamnia, Seyedhamed
AU - Polychronakis, Michalis
N1 - Publisher Copyright:
© 2022 ACM.
PY - 2022/10/26
Y1 - 2022/10/26
N2 - Linux enables non-root users to perform certain privileged operations through the use of the setuid ("set user ID") mechanism. This represents a glaring violation of the principle of least privilege, as setuid programs run with full superuser privileges, with disastrous outcomes when vulnerabilities are found in them. Linux capabilities aim to improve this situation by splitting superuser privileges into distinct units that can be assigned individually. Despite the clear benefits of capabilities in reducing the risk of privilege escalation, their actual use is scarce, and setuid programs are still prevalent in modern Linux distributions. The lack of a systematic way for developers to identify the capabilities needed by a given program is a contributing factor that hinders their applicability. In this paper we present Decap, a binary code analysis tool that automatically deprivileges programs by identifying the subset of capabilities they require based on the system calls they may invoke. This is made possible by our systematic effort in deriving a complete mapping between all Linux system calls related to privileged operations and the corresponding capabilities on which they depend. The results of our experimental evaluation with a set of 201 setuid programs demonstrate the effectiveness of Decap in meaningfully deprivileging them, with half of them requiring fewer than 16 capabilities, and 69% of them avoiding the use of the security-critical CAP_SYS_ADMIN capability.
AB - Linux enables non-root users to perform certain privileged operations through the use of the setuid ("set user ID") mechanism. This represents a glaring violation of the principle of least privilege, as setuid programs run with full superuser privileges, with disastrous outcomes when vulnerabilities are found in them. Linux capabilities aim to improve this situation by splitting superuser privileges into distinct units that can be assigned individually. Despite the clear benefits of capabilities in reducing the risk of privilege escalation, their actual use is scarce, and setuid programs are still prevalent in modern Linux distributions. The lack of a systematic way for developers to identify the capabilities needed by a given program is a contributing factor that hinders their applicability. In this paper we present Decap, a binary code analysis tool that automatically deprivileges programs by identifying the subset of capabilities they require based on the system calls they may invoke. This is made possible by our systematic effort in deriving a complete mapping between all Linux system calls related to privileged operations and the corresponding capabilities on which they depend. The results of our experimental evaluation with a set of 201 setuid programs demonstrate the effectiveness of Decap in meaningfully deprivileging them, with half of them requiring fewer than 16 capabilities, and 69% of them avoiding the use of the security-critical CAP_SYS_ADMIN capability.
KW - Linux capabilities
KW - privileges
KW - setuid programs
UR - https://www.scopus.com/pages/publications/85142469176
U2 - 10.1145/3545948.3545978
DO - 10.1145/3545948.3545978
M3 - Conference contribution
AN - SCOPUS:85142469176
T3 - ACM International Conference Proceeding Series
SP - 395
EP - 408
BT - Proceedings of 25th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2022
PB - Association for Computing Machinery
Y2 - 26 October 2022 through 28 October 2022
ER -