Abstract
The capability mechanism in Linux-based systems is designed to split root privileges into a set of finer-grained capabilities, so that programs gain no more privileges than necessary. However, it is challenging to check the necessity and sufficiency of the capabilities assigned to programs because of the highly complicated call chains invoked in practice. Inappropriate capability assignment threatens the system: for example, over-privileged programs could allow an attacker to misuse root privileges, while under-privileged programs may incur runtime errors.
In this paper, we propose a new Linux capability analysis framework called LiCA that effectively finds the necessary and sufficient capabilities for programs. LiCA performs fine-grained, path-sensitive code flow analysis based on LLVM to construct accurate mappings between system calls and their capabilities. In particular, we solve the constraint equations along each path from a given system call to the individual capabilities and strategically overcome the path explosion problem. Our experiments show that LiCA correctly finds the necessary capabilities for Linux utility programs (e.g., ping and tcpdump) and for public programs from GitHub. By comparing the capabilities claimed by program developers with the results from LiCA, we identify a batch of programs that require more capabilities than necessary, some even root privileges. LiCA could therefore help third-party developers validate their programs' capability settings to achieve the least-privilege principle.
| Original language | English |
|---|---|
| Title of host publication | RAID '22: Proceedings of the 25th International Symposium on Research in Attacks, Intrusions and Defenses |
| Publisher | Association for Computing Machinery, Inc |
| Pages | 364-379 |
| Number of pages | 16 |
| ISBN (Electronic) | 9781450397049 |
| Publication status | Published - 26 Oct 2022 |
| Externally published | Yes |
| Event | 25th International Symposium on Research in Attacks, Intrusions and Defenses - Limassol, Cyprus Duration: 26 Oct 2022 → 28 Oct 2022 |
Conference
| Conference | 25th International Symposium on Research in Attacks, Intrusions and Defenses |
|---|---|
| Abbreviated title | RAID 2022 |
| Country/Territory | Cyprus |
| City | Limassol |
| Period | 26/10/22 → 28/10/22 |
Bibliographical note
Acknowledgments: We want to thank our shepherd Nathan Burow and all the anonymous reviewers for their valuable comments.
Publisher Copyright:
© 2022 ACM.
Funding
This work was supported in part by National Key Research & Development Project of China (Grant No. 2019YFB1804400), and Hong Kong S.A.R. Research Grants Council (RGC) General Research Fund (No. 14209720).
Keywords
- Linux capability
- security analysis
- mapping