Breaking Down the Walls of Mutual Distrust B. Hicks, S. Rueda, T


Finding Name Resolution Vulnerabilities in Programs
Hayawardh Vijayakumar, Joshua Schiffman and Trent Jaeger
Name Resolution Attacks
• Programs require system resources (e.g., files, sockets) to function.
• Programs retrieve resources from operating system (OS) namespaces through the process of name resolution.
• Adversary processes attack victim processes by modifying shared namespaces in unexpected ways [detail].
• Programmers insert security checks to protect against attacks but do not know about system deployment (access control policy, local adversaries, environment), and thus get these security checks wrong.
• Improper Binding Attack
• Improper Resource Attack
Problem
Given a program and its system deployment, can we precisely locate vulnerable name resolutions in the program?
Challenge
• Analyses limited by false positives
• Static analysis has no knowledge of system deployment (adversary accessibility to name resolutions).
• Runtime analysis does not know if programs perform the right checks.
• No standard checks exist.
Solution
• Runtime analysis with active adversary modeled by OS to eliminate false positives. We call the system STING.
• Active adversary uses permissions from system’s access control policy (we model DAC, MAC)
Design
• Attack Phase: OS changes namespace and tests attack scenarios.
• Detection Phase: OS detects if program is vulnerable to attack, or has proper checks.
• Adversary-Specific Namespace View: Each victim process has a different view of the namespace depending on adversary.
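The "adversary accessibility to name resolutions" that the poster ties to system deployment can be approximated for DAC alone with a short audit script. This is an added example, not STING's code or anything from the poster: it walks a pathname and reports each component whose binding a modeled adversary uid could create or replace, using mode bits only (no ACLs, no MAC). The function names, the `start` parameter, the adversary uid and the sample tree are assumptions made for the illustration.

```python
import os, stat, tempfile

def dac_bits(st, uid, gids):
    """rwx bits that plain DAC mode bits grant (uid, gids) on an inode."""
    if uid == 0:
        return 0o7                      # root bypasses DAC checks
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 0o7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 0o7
    return st.st_mode & 0o7

def adversary_bindings(path, uid, gids=(), start=os.sep):
    """Return (directory, name) pairs below `start` whose binding the
    modeled adversary (uid, gids) can create or replace."""
    findings, cur = [], start
    for name in os.path.relpath(path, start).split(os.sep):
        try:
            dst = os.stat(cur)          # resolution follows symlinked directories
        except OSError:
            break                       # remaining components do not exist
        bits = dac_bits(dst, uid, gids)
        if not bits & 0o1:
            break                       # no search permission: nothing below is reachable
        if bits & 0o2:
            try:
                est = os.lstat(os.path.join(cur, name))
            except OSError:
                est = None              # unbound name: adversary can create it first
            # Sticky bit: only the entry's or directory's owner may replace an existing entry.
            sticky = est is not None and dst.st_mode & stat.S_ISVTX \
                and uid not in (est.st_uid, dst.st_uid)
            if not sticky:
                findings.append((cur, name))
        cur = os.path.join(cur, name)
    return findings

def demo():
    """Constructed tree: safe/ (0755), open/ (0777), spool/ (1777)."""
    base = os.path.realpath(tempfile.mkdtemp())
    os.chmod(base, 0o755)
    for d, mode in (("safe", 0o755), ("open", 0o777), ("spool", 0o1777)):
        os.mkdir(os.path.join(base, d))
        os.chmod(os.path.join(base, d), mode)
        open(os.path.join(base, d, "conf"), "w").close()
    adv = os.getuid() + 12345           # hypothetical unprivileged adversary uid
    paths = ("safe/conf", "open/conf", "spool/conf", "spool/new")
    return {p: [n for _, n in adversary_bindings(os.path.join(base, p), adv, start=base)]
            for p in paths}
```

In the constructed tree, `open/conf` and the not-yet-created `spool/new` are flagged, while the sticky bit shields the existing `spool/conf`; a flagged component is where a program's own checks have to hold.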
Results
• Implemented STING for Linux 3.2 and ran tests on Fedora and Ubuntu.
• Found 21 previously-unknown vulnerabilities across 17 programs and scripts in Fedora and Ubuntu
• 5 were in Ubuntu-specific scripts
• Only 1% (Fedora) and 3% (Ubuntu) of total name resolutions were vulnerable
Publications
[1] H. Vijayakumar, J. Schiffman, and T. Jaeger. STING: Finding Name Resolution Vulnerabilities in Programs. Technical Report NAS-TR-0157-2012.
[2] H. Vijayakumar, J. Schiffman and T. Jaeger, "A Rose by Any Other Name or an Insane Root? Adventures in Name Resolution", EC2ND 2011.
[3] H. Vijayakumar, et al., "Integrity Walls: Finding Attack Surfaces from Mandatory Access Control Policies", ASIACCS 2012.
Sponsored by NSF CNS-0905343