unique programming error. This improvement greatly reduced the number of error traces that we had to examine manually in Figure 7.
To evaluate the usability of MOPS for programmers that are not MOPS developers, we asked three undergraduate and one graduate Computer Science students to run these experiments independently. The students were able to finish the experiments within a few weeks in their spare time, and the learning curve was not too high. This provides evidence that these enhancements to MOPS have made it fairly easy to use.
4. Findings
In this section we describe several security weaknesses in the programs that we found during our experiments.
4.1. Failure to Drop Privilege Completely
In the past, several programs have had vulnerabilities because they failed to drop privilege securely. This is partly due to the poor design of the system calls that set user IDs: they have confusing semantics, different behaviors on different platforms, and insufficient or even wrong documentation [7]. As a result, they are susceptible to misuse, which has caused numerous security vulnerabilities.
ssh in OpenSSH
ssh is a client that allows a user to log into a server via the SSH protocol. ssh is installed as a setuid-root program on some systems⁹. ssh may need to execute another program, which is ssh-askpass by default but is user selectable, to read the passphrase of the user's private key. Since this program is not trusted, ssh needs to drop its root privilege permanently before executing the program. The code is “seteuid(getuid()); setuid(getuid());”. This code fulfills the objective on BSD where OpenSSH was originally developed, but behaves unexpectedly on Linux. This is because the semantics of setuid differs between BSD and Linux. On BSD setuid(new_uid) sets all the real uid, effective uid, and saved uid to new_uid. On Linux, however, the behavior of this call depends on whether the effective uid is root: if so, the call sets all three user IDs to new_uid; otherwise, the call sets only the real and effective uid to new_uid but leaves the saved uid unchanged. Before ssh executes the above code, its real uid is non-root and its effective uid and saved uid are root. The first call, seteuid(getuid()), sets the effective uid to non-root. Therefore, the outcome of the second call, setuid(getuid()), depends on the OS. On BSD the call sets the saved uid to non-root, but on Linux the call keeps the root saved uid unchanged.

⁹ ssh needs root privilege to read the local host key and to generate the digital signature required during the host-based authentication with SSH protocol version 2. A site can either install ssh setuid-root or configure it to use a setuid-root helper, ssh-keysign.
This weakness suggests that the programmer misunderstands how the setuid-like system calls work. In fact, if we remove the first call, ssh would behave as desired on both Linux and BSD. The extra seteuid(getuid()) was introduced in recent versions of OpenSSH (an old version, 2.5.2, does not have it) and the programmers seem to think that it makes the program safer, but in fact it introduces a weakness. It would be very easy to overlook this subtle weakness in a manual audit, which demonstrates the utility of MOPS.
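To make the two semantics concrete, here is an added simulation (not code from the paper or from OpenSSH) that models the three user IDs exactly as the paper describes them and runs both the OpenSSH sequence and the single setuid(getuid()) call against each OS model. The start state (real uid 1000, effective and saved uid root) is constructed, and m_seteuid, m_setuid, openssh_drop, single_setuid_drop and privilege_dropped are hypothetical names for the model.

```c
#include <stdio.h>
/* Model of the three process user IDs. This is an added simulation, not
 * OpenSSH code: no real credentials change, so it runs unprivileged. */
typedef struct { int ruid, euid, suid; } creds;
enum os { OS_BSD, OS_LINUX };

/* seteuid(new_uid): changes only the effective uid (assumed permitted,
 * as it is for a setuid-root process). */
static void m_seteuid(creds *c, int new_uid) { c->euid = new_uid; }
/* setuid(new_uid) as the paper describes it: BSD sets real, effective and
 * saved uid; Linux does so only when the effective uid is root, otherwise
 * it sets real and effective uid and leaves the saved uid unchanged. */
static void m_setuid(creds *c, enum os os, int new_uid) {
    if (os == OS_BSD || c->euid == 0)
        c->ruid = c->euid = c->suid = new_uid;
    else
        c->ruid = c->euid = new_uid;
}

/* Constructed start state of ssh: real uid 1000, effective and saved uid root. */
static const creds START = { 1000, 0, 0 };
/* The OpenSSH sequence: seteuid(getuid()); setuid(getuid()); */
static creds openssh_drop(enum os os) {
    creds c = START;
    m_seteuid(&c, c.ruid);
    m_setuid(&c, os, c.ruid);
    return c;
}
/* The sequence the paper says works on both systems: setuid(getuid()) alone. */
static creds single_setuid_drop(enum os os) {
    creds c = START;
    m_setuid(&c, os, c.ruid);
    return c;
}
/* A permanent drop means none of the three uids is still root. On a real
 * system, read all three back (getresuid on Linux/BSD) to verify this. */
static int privilege_dropped(creds c) {
    return c.ruid != 0 && c.euid != 0 && c.suid != 0;
}

int main(void) {
    const char *name[] = { "BSD", "Linux" };
    for (int i = 0; i < 2; i++) {
        creds a = openssh_drop((enum os)i), b = single_setuid_drop((enum os)i);
        printf("%-5s seteuid+setuid: saved uid %d (%s); setuid only: saved uid %d (%s)\n",
               name[i], a.suid, privilege_dropped(a) ? "dropped" : "NOT dropped",
               b.suid, privilege_dropped(b) ? "dropped" : "NOT dropped");
    }
    return 0;
}
```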
Although leaving a privileged user ID in the saved uid before executing an untrusted program does not result in an immediate exploit by itself (because the OS will set the saved uid to the unprivileged effective uid before executing the program), it is an indication of weakness in the program because the programmers have likely intended to drop privilege permanently. This may cause two problems. First, since the programmers think that they have permanently dropped privilege, they may freely do certain actions that are safe without privilege but risky with privilege. Second, if an adversary causes a buffer overrun in the program, he may inject code into the program to regain privilege in the saved uid (by calling seteuid(saved_uid)). The more code that runs after the failed attempt to drop privilege permanently, the more potential threat the program faces.
ssh-keysign in OpenSSH
ssh-keysign is a setuid-root program that accesses the local host keys and generates a digital signature. It starts with root privilege in its effective uid and saved uid because it needs it to access the local host keys, which are accessible only to root. After ssh-keysign opens the host key files, it intends to drop root privilege permanently before doing complicated cryptographic operations. Unfortunately, it fails to drop root privilege from the saved uid on Linux because it calls “seteuid(getuid()); setuid(getuid());”, like ssh as discussed earlier. Therefore, the ssh-keysign process will execute complicated, possibly third-party cryptographic code with root privilege in the saved uid. If an adversary can cause a buffer overrun in the code, as happened to the RSAREF2 library in the past [17], he may take control of the process and then regain privilege.
suexec in Apache
suexec is a setuid-root program that executes another program using a given user ID and group ID. The calling convention is as follows.
suexec uid gid program args