PrivAnalyzer: Measuring the Efficacy of Linux Privilege Use

Title: PrivAnalyzer: Measuring the Efficacy of Linux Privilege Use
Publication Type: Conference Paper
Year of Publication: 2019
Authors: Criswell, John; Zhou, Jie; Gravani, Spyridoula; Hu, Xiaoyu
Conference Name: 2019 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)
Date Published: June
Keywords: Access Control, Analytical models, AutoPriv, ChronoPriv, composability, Containers, dynamic analysis, formal verification, Linux, Linux Operating System Security, Linux privilege use, Linux privileges, LLVM-based C/C++ compiler, Metrics, Operating systems, Predictive Metrics, PrivAnalyzer, privilege escalation attacks, privileged open source programs, program compilers, program diagnostics, Program processors, pubcrawl, Resiliency, ROSA model checker, security, security of data, static analysis, term rewriting, Tools, verification
Abstract: Operating systems such as Linux break the power of the root user into separate privileges (which Linux calls capabilities) and give processes the ability to enable privileges only when needed and to discard them permanently when the program no longer needs them. However, there is no method of measuring how well the use of such facilities reduces the risk of privilege escalation attacks if the program has a vulnerability. This paper presents PrivAnalyzer, an automated tool that measures how effectively programs use Linux privileges. PrivAnalyzer consists of three components: 1) AutoPriv, an existing LLVM-based C/C++ compiler which uses static analysis to transform a program that uses Linux privileges into a program that safely removes them when no longer needed, 2) ChronoPriv, a new LLVM C/C++ compiler pass that performs dynamic analysis to determine for how long a program retains various privileges, and 3) ROSA, a new bounded model checker that can model the damage a program can do at each program point if an attacker can exploit the program and abuse its privileges. We use PrivAnalyzer to determine how long five privileged open source programs retain the ability to cause serious damage to a system and find that merely transforming a program to drop privileges does not significantly improve security. However, we find that simple refactoring can considerably increase the efficacy of Linux privileges. In two programs that we refactored, we reduced the percentage of execution in which a device file can be read and written from 97% and 88% to 4% and 1%, respectively.
DOI: 10.1109/DSN.2019.00065
Citation Key: criswell_privanalyzer_2019
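As an added illustration (not code from the paper or its tools), the retention metric the abstract describes can be computed ChronoPriv-style over a capability trace: the fraction of a run during which a capability is still in the permitted set, and hence still abusable by an exploit, before and after the privileged operation is refactored to run early. The traces, their timings and the capability-to-damage mapping are constructed assumptions, chosen so the figures echo the abstract's 97% and 4%.

```python
from collections import defaultdict

# Constructed traces (not data from the paper): (time, op, capability) events,
# time normalised so the run ends at 1.0. "permit" places a capability in the
# permitted set at start-up; "drop" removes it from that set permanently.
ORIGINAL = [
    (0.00, "permit", "CAP_NET_BIND_SERVICE"),
    (0.00, "permit", "CAP_DAC_OVERRIDE"),
    (0.02, "drop", "CAP_NET_BIND_SERVICE"),  # port bound early, capability dropped
    (0.97, "drop", "CAP_DAC_OVERRIDE"),      # device file first opened late in the run
    (1.00, "end", None),
]
REFACTORED = [
    (0.00, "permit", "CAP_NET_BIND_SERVICE"),
    (0.00, "permit", "CAP_DAC_OVERRIDE"),
    (0.02, "drop", "CAP_NET_BIND_SERVICE"),
    (0.04, "drop", "CAP_DAC_OVERRIDE"),      # open moved to start-up, dropped at once
    (1.00, "end", None),
]
# Constructed damage model (an assumption, not ROSA's): the action is possible
# while any listed capability is still in the permitted set.
DAMAGE = {"read/write device file": {"CAP_DAC_OVERRIDE"}}


def permitted_intervals(trace):
    """Map each capability to the [start, stop) intervals in which it stays permitted."""
    events = sorted(trace, key=lambda e: e[0])
    end = max(t for t, op, _ in events if op == "end")
    since, intervals = {}, defaultdict(list)
    for t, op, cap in events:
        if op == "permit":
            since[cap] = t
        elif op == "drop" and cap in since:
            intervals[cap].append((since.pop(cap), t))
    for cap, t0 in since.items():            # never dropped: retained until exit
        intervals[cap].append((t0, end))
    return dict(intervals), end


def abuse_window(trace, caps):
    """Fraction of the run in which at least one of `caps` is still permitted,
    i.e. could be re-enabled and abused by an exploit of the program."""
    intervals, end = permitted_intervals(trace)
    merged = []                               # union of the caps' intervals
    for a, b in sorted(iv for c in caps for iv in intervals.get(c, [])):
        if merged and a <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], b))
        else:
            merged.append((a, b))
    return sum(b - a for a, b in merged) / end
```

Calling `abuse_window(ORIGINAL, DAMAGE["read/write device file"])` gives 0.97 and the same call on `REFACTORED` gives 0.04: the drop point alone does not shrink the window, moving the privileged operation earlier does.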