Re: Implementing a dynamic root id

Crispin Cowan (crispin@cse.ogi.edu)
Thu, 25 Mar 1999 09:00:50 -0800

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Andre M. Hedrick: "Re: Problem with larger IDE drive"
Previous message: Tigran Aivazian: "Re: total freeze with framebuffer + X"
Maybe in reply to: Cody Pisto: "Implementing a dynamic root id"
Next in thread: Casey Schaufler: "Re: Implementing a dynamic root id"

Eric Walthinsen forwarded this post by Papi to the linux-kernel list to me.
I'm replying to our internal research list and linux-kernel, as I expect it's
of interest to both communities.

> We thought of an simple scheme to counter this. We could dynamicly
> alocate the root ID. Meaning that somewhere in /proc, there is a file
> awating to be edited and that could change the root ID (and all of the
> processes that run whith this uid) from 0 to whatever I want, anytime,
> without rebooting my system. I understand that this would imply making
> some system calls lie about the actual ID's of the real root user, his
> processes and owned files.

This is what I have characterized (
http://www.cse.ogi.edu/DISC/projects/immunix/survivability.html ) as an
"interface permutation". The interface is that all the programs expect the
root UID to be 0, and the kernel enforces that UID 0 is the superuser. The
proposed permutation is to churn the UID that is effectively the superuser.

The basic problem with interface permutations is that the current state of
the churned interface is, in effect, a shared secret between the clients and
the servers. In this case, the current root UID is the shared secret. Every
program that needs to interact with root needs to know this secret. The
proposal of putting it in /proc is a good way to distribute the information,
but it doesn't solve the fundamental problem: The attacker will now just
overflow a non-priviliged program, go learn the root UID (since it is a
widely shared secret) and then attack a privileged program and obtain root
anyway.

You could argue that you've made the attacker do more work to get root, but
you've only made the attacker do a little bit more work. In contrast, the
defender has an enormous amount of work to do. Many chunks of kernel code
and many user-land programs REALLY hard-code that root UID == 0. They don't
just define "root_UID" as a constant, they do bitwise operations on the
effective UID and see if it comes up 0. They do stuff like "if (uid) {". So
you have a LOT of work to do to make this thing function correctly.

Crispin
-----
Crispin Cowan, Research Assistant Professor of Computer Science, OGI
NEW: Protect Your Linux Host with StackGuard'd Programs :FREE
http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/

Support Justice: Boycott Windows 98

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/

Next message: Andre M. Hedrick: "Re: Problem with larger IDE drive"
Previous message: Tigran Aivazian: "Re: total freeze with framebuffer + X"
Maybe in reply to: Cody Pisto: "Implementing a dynamic root id"
Next in thread: Casey Schaufler: "Re: Implementing a dynamic root id"