Setuid Demystified - PowerPoint PPT Presentation

About This Presentation
Title: Setuid Demystified
Author: hchen (last modified by: Administrator)
Created: 5/11/2001 6:43:58 PM
Format: on-screen show, PowerPoint PPT presentation

Slides: 22
Provided by: hch69

Transcript and Presenter's Notes

1
Setuid Demystified
  • Hao Chen, David Wagner
  • UC Berkeley
  • Drew Dean
  • SRI International

2
The Setuid API
  • User ID model: the basis for access control in
    Unix
  • Each process has three user IDs
  • ruid: the real user ID
  • euid: the effective user ID
  • suid: the saved user ID
  • The setuid API offers these system calls
  • setuid, seteuid, setreuid, setresuid

3
The Mystery
  • Which user IDs does setuid(x) set?
  • FreeBSD: always ruid = euid = suid = x
  • Linux/Solaris: always euid = x, sometimes
    ruid = suid = x
  • Do these calls always succeed?
  • setuid(geteuid())
  • May fail in Linux and Solaris
  • seteuid(geteuid())
  • May fail in FreeBSD
  • setreuid(geteuid(), getuid())
  • May fail in FreeBSD

4
The Problems
  • Semantic mess
  • Design: confusing, surprising
  • Portability: semantic differences among OSs (e.g.
    Linux, Solaris, FreeBSD)
  • Documentation: incomplete, inaccurate, or
    incorrect
  • Reason: historical artifacts
  • Vulnerabilities
  • Sendmail 8.10.1 and 8.12.0, etc.

5
Outline: Demystify the Setuid API
  • Identify the precise semantics
  • Use a formal model
  • Build the model automatically by state space
    exploration
  • Check for
  • Semantic pitfalls
  • Documentation errors
  • Inconsistency in OS kernels
  • Proper use of API calls in programs
  • Propose guidelines

6
Formal Model of the Setuid API
  • Finite State Automaton (FSA) model
  • States: describe the user IDs of a process
  • Transitions: describe the semantics of the
    setuid API calls

Abstraction: 0 = root uid, 1 = a non-root uid
(Figure: example FSA with states (ruid, euid, suid) = (1,1,1), (1,0,0), (1,1,0) and transitions labelled setuid(1), seteuid(0), seteuid(1); the edge layout is not recoverable from the transcript.)

7
Construct the FSA
  • Challenge
  • Large number of transitions
  • Manual construction is laborious, error-prone
  • Solution
  • Automatic construction by a state space explorer
  • Exhaustively makes all setuid API calls at each
    state of the FSA
  • Observes the resulting transitions

8
(Figure: the FSA built by the explorer, with nodes (ruid, euid, suid) in {(0,0,0), (1,1,1), (0,0,1), (0,1,0), (1,1,0), (0,1,1), (1,0,1), (1,0,0)} and transitions labelled setuid(0), setuid(1), seteuid(0), seteuid(1); the edge layout is not recoverable from the transcript.)

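The explorer of slide 7, as an added example that is not the authors' code: the exhaustive exploration runs here against a simulated kernel whose setuid/seteuid rules are my assumption distilled from slide 3 (the real explorer makes the calls against the running kernel), and the final function answers slide 3's "may fail" questions over every reachable state.

```c
#include <stdbool.h>
#include <string.h>

/* Abstract state: ruid, euid, suid over {0 = root, 1 = a non-root uid}. */
typedef struct { int ruid, euid, suid; } state_t;
enum os_kind { OS_LINUX, OS_FREEBSD };

/* Simulated setuid(x), an assumption following the slides: FreeBSD sets all three IDs and
 * accepts x == euid; Linux sets only euid unless root, and accepts x only if it is ruid or suid. */
static bool sim_setuid(enum os_kind os, state_t *s, int x) {
    bool root = s->euid == 0, bsd = os == OS_FREEBSD;
    if (!root && x != s->ruid && x != s->suid && !(bsd && x == s->euid)) return false; /* EPERM */
    if (root || bsd) s->ruid = s->suid = x;
    s->euid = x;
    return true;
}
/* Simulated seteuid(x), an assumption: Linux accepts x equal to any of the three IDs,
 * FreeBSD only ruid or suid (so seteuid(geteuid()) can fail there). Only euid changes. */
static bool sim_seteuid(enum os_kind os, state_t *s, int x) {
    bool ok = s->euid == 0 || x == s->ruid || x == s->suid || (os == OS_LINUX && x == s->euid);
    if (ok) s->euid = x;
    return ok;
}
typedef struct { state_t st[8]; int n; } fsa_t;     /* at most 2^3 abstract states */
static void add_state(fsa_t *f, state_t s) {
    for (int i = 0; i < f->n; i++) if (memcmp(&f->st[i], &s, sizeof s) == 0) return;
    f->st[f->n++] = s;
}
/* The state space explorer: from every state found so far, make every call with every
 * abstract argument and record the resulting state. Returns the number of reachable states. */
static int explore(enum os_kind os, state_t start, fsa_t *f) {
    f->n = 0;
    add_state(f, start);
    for (int i = 0; i < f->n; i++)                   /* f->n grows while exploring */
        for (int x = 0; x <= 1; x++) {
            state_t a = f->st[i], b = f->st[i];
            if (sim_setuid(os, &a, x)) add_state(f, a);
            if (sim_seteuid(os, &b, x)) add_state(f, b);
        }
    return f->n;
}
/* Slide 3's question, checked over every reachable state: can setuid(geteuid()) (or, with
 * use_seteuid, seteuid(geteuid())) fail? A true result comes with the state that breaks it. */
static bool call_on_geteuid_can_fail(enum os_kind os, state_t start, bool use_seteuid,
                                     state_t *failing) {
    fsa_t f;
    explore(os, start, &f);
    for (int i = 0; i < f.n; i++) {
        state_t s = f.st[i];
        bool ok = use_seteuid ? sim_seteuid(os, &s, s.euid) : sim_setuid(os, &s, s.euid);
        if (!ok) { *failing = f.st[i]; return true; }
    }
    return false;
}
```

Starting from a root process (0,0,0), the Linux model reaches a state (ruid 0, euid 1, suid 0) where setuid(geteuid()) fails, and the FreeBSD model reaches the same state where seteuid(geteuid()) fails, which is exactly what slide 3 reports.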
9
FSAs for setuid transitions (figure: Linux and FreeBSD; not recoverable from the transcript)

10
FSA for setresuid in Linux (figure; not recoverable from the transcript)

11
Benefits of Using Formal Model
  • Correctness
  • Intuition: the transitions in the FSA are
    observed from running programs
  • Efficiency
  • The FSA is constructed automatically by the
    explorer
  • Portability: the explorer is portable to
  • Different Unix systems
  • Different versions of kernels
  • Lots of applications!

12
Find Documentation Errors
  • Incomplete man page
  • setuid(2) in Redhat Linux 7.2 fails to mention
    the Linux capabilities, which affect how setuid()
    behaves
  • Wrong man pages
  • FreeBSD 4.4: "Unprivileged users may change the
    ruid to the euid and vice versa"
  • Redhat Linux 7.2: "The setgid function checks the
    egid of the caller and if it is the superuser,

13
Detect Inconsistencies in OS Kernel
  • File system uid (fsuid) in Linux
  • Is used for filesystem permission checking
  • Normally follows euid
  • An invariant in Linux 2.4.18 (kernel/sys.c):
    fsuid is 0 only if at least one of ruid, euid,
    suid is 0
  • Security motivation
  • Root privilege in fsuid is automatically dropped
    when it is dropped from ruid, euid, suid
  • Ensures that an fsuid-unaware application can
    safely drop root privilege in fsuid

14
Detect Inconsistencies in OS Kernel (contd.)
  • A bug in Linux kernels < 2.4.18 breaks the
    invariant
  • The bug is in setresuid()
  • We found the bug using the formal model
  • Our patch was applied to kernel 2.4.19
  • Lessons
  • Security design is difficult to get right
  • Formal models are very useful in verifying
    security models

15
Check Proper Usage of the Setuid API in Programs
  • Questions
  • Can a setuid API call fail in this program?
  • Can this program fail to drop privilege?
  • Which parts of this program run with privilege?
  • Approach
  • Model checking security properties in programs
    using the FSA of the setuid API
  • Results
  • Found known setuid bugs in sendmail 8.10.1 and
    8.12.0

16
Guidelines
  • Use setresuid where available
  • Explicit, clear semantics
  • Transactional (vs. setuid, which is not
    transactional)
  • Obey the proper order of API calls
  • Drop group privileges before user privileges

17
Guidelines (contd.)
  • Check for errors
  • Check return code
  • Verify user IDs are as expected after API calls
  • (because some calls are not transactional)
  • Verify failures: how to permanently drop
    privileges confidently?
  • Step 1: Drop privilege
  • Step 2: Try to regain privilege
  • Step 3: Ensure that Step 2 fails
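The three-step check of slides 16 and 17 in working code, as an added example that is not from the presentation: it assumes Linux (setresuid/getresuid) and a hypothetical wrapper name, drop_privileges_permanently.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <grp.h>
#include <sys/types.h>
#include <unistd.h>

/* Explicit prototypes so the example also builds where _GNU_SOURCE was not in effect
 * before the first include (they match the glibc declarations). */
int setresuid(uid_t ruid, uid_t euid, uid_t suid);
int setresgid(gid_t rgid, gid_t egid, gid_t sgid);
int getresuid(uid_t *ruid, uid_t *euid, uid_t *suid);
int getresgid(gid_t *rgid, gid_t *egid, gid_t *sgid);

/* Permanently drop to (uid, gid) the way slides 16 and 17 prescribe: groups before user,
 * every return code checked, all three IDs verified afterwards, and then an attempt to
 * regain root that must fail. Returns 0 on success and -1 (errno set) otherwise. */
int drop_privileges_permanently(uid_t uid, gid_t gid) {
    uid_t ru, eu, su;
    gid_t rg, eg, sg;

    if (uid == 0) { errno = EINVAL; return -1; }   /* "dropping" to root drops nothing */

    /* Step 1: drop privilege. Group IDs first: once the uid is gone we could no longer
     * change them. setgroups() itself needs root, so call it only while we still have it. */
    if (geteuid() == 0 && setgroups(1, &gid) != 0) return -1;
    if (setresgid(gid, gid, gid) != 0) return -1;
    if (setresuid(uid, uid, uid) != 0) return -1;

    /* Verify all three IDs rather than trusting the return code: a non-transactional
     * call can change fewer IDs than expected. */
    if (getresuid(&ru, &eu, &su) != 0 || ru != uid || eu != uid || su != uid) {
        errno = EPERM; return -1;
    }
    if (getresgid(&rg, &eg, &sg) != 0 || rg != gid || eg != gid || sg != gid) {
        errno = EPERM; return -1;
    }

    /* Steps 2 and 3: try to regain root and treat success as a failed drop. With the
     * saved uid also set, there is no privileged ID left to come back to. */
    if (setresuid((uid_t)-1, 0, (uid_t)-1) == 0) { errno = EPERM; return -1; }
    return 0;
}
```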

18
Related Work
  • Unix man pages
  • Chris Torek and Casper Dik. Setuid Mess
  • Matt Bishop. How to write a setuid program
  • Timothy Levin, S. Padilla, Cynthia Irvine. A
    Formal Model for UNIX Setuid

19
Conclusion: Setuid Demystified
  • We've identified the precise semantics
  • Using an FSA model
  • Built the model automatically by state space
    exploration
  • Formal models revealed pitfalls and bugs
  • We discovered semantic pitfalls
  • We found new documentation errors
  • We detected the fsuid bug in the Linux kernel
  • We verified the proper use of setuid API in some
    programs
  • Follow our guidelines for the setuid API

20
Further Information
http://www.cs.berkeley.edu/hchen/research/setuid/
21
FSA for setreuid in Linux (figure; not recoverable from the transcript)