Wedge: Splitting Applications into Reduced-Privilege Compartments

Size: px

Start display at page:

Download "Wedge: Splitting Applications into Reduced-Privilege Compartments"

Chastity Evans
5 years ago
Views:

1 Wedge: Splitting Applications into Reduced-Privilege Compartments Andrea Bittau Petr Marchenko Mark Handley Brad Karp University College London April 17, 2008

2 Vulnerabilities threaten sensitive data Exploits allow running arbitrary code on servers. An exploited web server can be used to leak sensitive information such as credit card numbers. Have we managed to mitigate or prevent vulnerabilities? Time (years) Source: osvdb.org Vulnerabilities per year

3 Process-based privileges are too coarse-grained Need to keep SSL web server s RSA private key secret. (create) master (process) (read) network worker /etc/rsa key (file)

4 Process-based privileges are too coarse-grained Need to keep SSL web server s RSA private key secret. Apache worker running as root: Can read any file. Can invoke any system call. (create) master (process) (read) network worker /etc/rsa key (file)

5 Process-based privileges are too coarse-grained Need to keep SSL web server s RSA private key secret. Apache worker running as root: Can read any file. Fix: run as nobody. Can invoke any system call. Fix: use systrace, SELinux,... master (create) (process) (read) network worker /etc/rsa key (file)

6 Process-based privileges are too coarse-grained Need to keep SSL web server s RSA private key secret. Apache worker running as root: Can read any file. Fix: run as nobody. Can invoke any system call. Fix: use systrace, SELinux,... Are we done protecting the private key? master (create) (process) (read) network worker /etc/rsa key (file)

7 Process-based privileges are too coarse-grained Need to keep SSL web server s RSA private key secret. Apache worker running as root: Can read any file. Fix: run as nobody. Can invoke any system call. Fix: use systrace, SELinux,... Are we done protecting the private key? (create) master (process) (read) network worker /etc/rsa key (file)

8 Problem: processes grant all code access to all memory Need to keep SSL web server s RSA private key secret. (worker process) network HTTP parser SSL engine (code) private key (memory)

9 Problem: processes grant all code access to all memory Need to keep SSL web server s RSA private key secret. (worker process) network HTTP parser SSL engine (code) (read) private key (memory)

10 Problem: processes grant all code access to all memory Need to keep SSL web server s RSA private key secret. (worker process) network HTTP parser SSL engine (code) (read) private key (memory)

11 Problem: processes grant all code access to all memory Need to keep SSL web server s RSA private key secret. This talk: how to limit access of code to memory at fine granularity. (worker process) network HTTP parser SSL engine (code) (read) private key (memory)

12 Old idea: principle of least privilege Principle of least privilege: Partition code into compartments. Assign each compartment the minimal privileges it needs for its operation. Restrict interface and interactions between compartments. How to implement compartments? Processes?

13 Why are traditional processes not sufficient? Creating compartments with UNIX, e.g., fork: Default grant. Child inherits memory map and file descriptors. Operation of fork private key parent /etc/passwd

14 Why are traditional processes not sufficient? Creating compartments with UNIX, e.g., fork: Default grant. Child inherits memory map and file descriptors. Operation of fork private key parent fork child /etc/passwd

15 Why are traditional processes not sufficient? Creating compartments with UNIX, e.g., fork: Default grant. Child inherits memory map and file descriptors. Operation of fork private key parent fork child /etc/passwd Default-deny: inherit nothing from parent. Closer to least-privilege.

16 But default-deny is difficult to use for legacy code How many permissions do we need to explicitly grant? (worker process) network HTTP parser SSL engine (code) private key (memory)

17 But default-deny is difficult to use for legacy code How many permissions do we need to explicitly grant? Worker Apache s client handler uses over 600 memory objects.

18 Contributions New system calls for default-deny. Creating compartments. Specifying privileges. Tools to make default-deny usable when partitioning legacy code. Identifying the privileges for compartments.

19 Outline 1. Wedge. New system calls for default-deny. Crowbar: tool for partitioning legacy code. 2. Wedge applied to Apache+OpenSSL.

20 sthreads: default-deny compartments private key parent /etc/passwd Like processes, but default-deny. Like threads: can easily share pointers and file descriptors. Programmer must explicitly grant all permissions.

21 sthreads: default-deny compartments private key parent sthread create child (sthread) /etc/passwd Like processes, but default-deny. Like threads: can easily share pointers and file descriptors. Programmer must explicitly grant all permissions.

22 Virtual memory { char *key, *buffer; char *config; key = malloc(16); buffer = malloc(80); page n page n+1 parser } config = malloc(128);

23 Tagged memory { tag = tag_new(); key = malloc(16); buffer = smalloc(80,tag); page n page n+1 parser } config = smalloc(128,tag);

24 How can sthreads use sensitive data? Callgates. Problem: unprivileged code cannot access sensitive data directly but must still use it. private key parser Callgates: an entry-point with predefined privileges. Callgates are created and invoked at a later time. At creation, a subset of creator s privileges is given to callgate. At invocation, code is run with creation privileges.

25 How can sthreads use sensitive data? Callgates. Problem: unprivileged code cannot access sensitive data directly but must still use it. session key private key parser Callgates: an entry-point with predefined privileges. Callgates are created and invoked at a later time. At creation, a subset of creator s privileges is given to callgate. At invocation, code is run with creation privileges.

26 How can sthreads use sensitive data? Callgates. Problem: unprivileged code cannot access sensitive data directly but must still use it. session key private key client handler invoke setup session key Callgates: an entry-point with predefined privileges. Callgates are created and invoked at a later time. At creation, a subset of creator s privileges is given to callgate. At invocation, code is run with creation privileges.

27 How can sthreads use sensitive data? Callgates. Problem: unprivileged code cannot access sensitive data directly but must still use it. session key private key client handler invoke setup session key Callgates: an entry-point with predefined privileges. Callgates are created and invoked at a later time. At creation, a subset of creator s privileges is given to callgate. At invocation, code is run with creation privileges.

28 Summary: Wedge applied to Apache session key private key client handler setup session key Sthreads: default-deny compartments low privilege. Callgates: privilege elevation high privilege. Tagged memory: naming memory for privilege specification.

29 Ad-hoc code study? Worker Apache s client handler needs access to 222 heap objects and 389 globals. Need to read 72 source files (for heap only). 1. Which code is executed? 2. What objects do pointers point to? 3. Where were objects allocated?

30 Static analysis of memory accesses? Static analysis for C code does not have runtime context (e.g., format string for printf). Consequences: May fail. e.g., function pointers. If conservative, may give superset of privileges actually needed. e.g., may follow code paths corresponding to exploits!

31 Crowbar: runtime analysis of memory accesses Dynamic analysis yields least privilege: GET URL POST data private key parser Server uses minimal privileges to execute an innocuous request. 1. Use runtime instrumentation to produce memory trace. 2. Train using benign requests. Need to ensure high trace coverage, e.g., with test suite.

32 Crowbar: runtime analysis of memory accesses Dynamic analysis yields least privilege: GET URL POST data private key parser Server uses minimal privileges to execute an innocuous request. 1. Use runtime instrumentation to produce memory trace. 2. Train using benign requests. Need to ensure high trace coverage, e.g., with test suite.

33 Crowbar: runtime analysis of memory accesses Dynamic analysis yields least privilege: GET URL POST data private key parser Server uses minimal privileges to execute an innocuous request. 1. Use runtime instrumentation to produce memory trace. 2. Train using benign requests. Need to ensure high trace coverage, e.g., with test suite.

34 Outline 1. Wedge. New system calls for default-deny. Crowbar: tool for partitioning legacy code. 2. Wedge applied to Apache+OpenSSL.

35 Protecting keys and sensitive user data Goal: protect sensitive data (e.g., credit card). session key private key client handler setup session key Have we protected sensitive data? Are we done?

36 Protecting keys and sensitive user data Goal: protect sensitive data (e.g., credit card). session key private key client handler setup session key Have we protected sensitive data? Are we done? Threat models, with increasing complexity: 1. Passive eavesdropping and server exploit. 2. Active man-in-the-middle and server exploit.

37 Attacker can generate arbitrary session key Session key components exchanged during SSL handshake client client random server server random encrypted pre-master secret

38 Attacker can generate arbitrary session key Session key components exchanged during SSL handshake client client random server server random encrypted pre-master secret private key client handler setup session key

39 Attacker can generate arbitrary session key Session key components exchanged during SSL handshake client client random server server random encrypted pre-master secret private key client handler client random server random setup session key encrypted pre-master secret

40 Attacker can generate arbitrary session key Session key components exchanged during SSL handshake client client random server server random encrypted pre-master secret session key private key client handler client random server random setup session key encrypted pre-master secret

41 Attacker can generate arbitrary session key Session key components exchanged during SSL handshake client client random server server random encrypted pre-master secret session key client handler HACKED private key client random server random setup session key encrypted pre-master secret

42 Attacker can generate arbitrary session key Session key components exchanged during SSL handshake client client random server server random encrypted pre-master secret random session key private key client handler client random setup session key encrypted pre-master secret

43 Preventing arbitrary session key leak session key private key client handler setup session key

44 Preventing arbitrary session key leak session key private key client handler setup session key server random Attacker exploiting client handler: Has no control over server random and session key generation. Cannot generate session key of eavesdropped sessions. Can only obtain a new, personal session key.

45 Vulnerable to man-in-the-middle Disclosing session key causes a security breach with man-in-the-middle (MITM) attacks: client MITM server

46 Vulnerable to man-in-the-middle Disclosing session key causes a security breach with man-in-the-middle (MITM) attacks: client MITM server client random server random pre-master secret

47 Vulnerable to man-in-the-middle Disclosing session key causes a security breach with man-in-the-middle (MITM) attacks: client MITM server client random server random pre-master secret exploit session key

48 Vulnerable to man-in-the-middle Disclosing session key causes a security breach with man-in-the-middle (MITM) attacks: client MITM server client random server random pre-master secret exploit End of handshake Encryption starts session key

49 Vulnerable to man-in-the-middle Disclosing session key causes a security breach with man-in-the-middle (MITM) attacks: client MITM server client random server random pre-master secret exploit End of handshake Encryption starts POST cardnum session key

50 Vulnerable to man-in-the-middle Disclosing session key causes a security breach with man-in-the-middle (MITM) attacks: client MITM server client random server random pre-master secret exploit End of handshake Encryption starts POST cardnum session key

51 Man-in-the-middle defense overview Can we protect against a MITM that has also exploited the server? master SSL handshake (clear-text) network Strategy: 1. Prevent session key disclosure during handshake.

52 Man-in-the-middle defense overview Can we protect against a MITM that has also exploited the server? master SSL handshake client handler (clear-text) network (MACed channel) Strategy: 1. Prevent session key disclosure during handshake. 2. MITM cannot exploit client handler without session key: packets with invalid MAC will be dropped.

53 Implementation Sthreads: Linux v line diff, 1485 line module. Userland library: 1154 lines. Crowbar: Binary instrumentation tool (using Pin): 2391 lines. Post processor: 959 lines. Applications we partitioned using Wedge: Apache+OpenSSL. OpenSSH (prior to privilege separation).

54 Wedge reduces size of privileged code Have we reduced the size of the privileged code?

55 Wedge reduces size of privileged code Have we reduced the size of the privileged code? Line counts in Wedge s Apache+SSL Component Line count Percentage Apache+OpenSSL total 252, % Default config after accept 60,844 Callgates total (privileged) 15,769 6% Lines changed when partitioning: 1,700 (0.7%).

56 Crowbar performs acceptably for developers Crowbar is used by developers for partitioning. It is not an overhead seen during production run-time. Does Crowbar perform acceptably for developers? A trace for Apache was obtained in 15s. Traces for SPEC applications: 82s on average. Anecdotally, one trace was enough for our Apache (and OpenSSH) partitioning.

57 Enhanced privacy at acceptable cost Throughput of many clients retrieving small static page: No sessions cached Requests/s x Vanilla 0.53x Wedge

58 Enhanced privacy at acceptable cost Throughput of many clients retrieving small static page: No sessions cached All sessions cached Requests/s x Vanilla 0.53x Wedge Requests/s x Vanilla 0.22x Wedge Vanilla reuses workers we create new sthreads. We create many compartments & callgates per session.

59 Related work We build on privilege separation: OpenSSH, OKWS, Privtrans Wedge allows finer-grained partitioning, and with default-deny, encourages tighter privileges for each compartment. DIFC: JIF, Asbestos, HiStar, Flume, DStar Crowbar is complementary: could help partitioning legacy code in DIFC systems. Wedge does not allow unprivileged code to compute over sensitive data.

60 Conclusion Wedge: Generalizes privilege separation and provides primitives for fine-grained default-deny partitioning of applications. Crowbar: tool to aid in partitioning legacy code. Wedge enables fine-grained partitioning of legacy code: Programmers can defend applications against stronger adversaries and more complex threat models than those addressed to date.

Wedge: Splitting Applications into Reduced-Privilege Compartments

Wedge: Splitting Applications into Reduced-Privilege Compartments Andrea Bittau Petr Marchenko Mark Handley Brad Karp University College London Abstract Software vulnerabilities and bugs persist, and so