Dates
Monday, June 27, 2022 - 11:00am to Monday, June 27, 2022 - 12:00pm
Location
New Computer Science (NCS) Room 120, and Zoom
Event Description


Abstract: In the digitized world, the demand for software functionality
has grown immensely, and programs routinely carry unnecessary features,
system calls, and privileges along with it. Bloated programs running
with excess privilege have consequently become a prominent source of
attacks on computer systems: an exploitable vulnerability in a program
that holds more privilege than it needs is a direct path to privilege
escalation. Unix-derived systems, Linux included, provide the setuid
(set user ID) mechanism, which runs an executable with the effective
user ID of the file's owner rather than that of the invoking user.
Setuid executables owned by root therefore run with full superuser
privilege, in violation of the principle of least privilege, and a
vulnerability in such a program can have devastating consequences. To
improve the situation, Linux introduced capabilities, which split the
superuser privilege into several distinct privileges that can be granted
individually; with capabilities available, full superuser privilege is
overkill for any single privileged operation. Despite the clear benefit
of capabilities in reducing the risk of privilege escalation, their
adoption has been scarce and slow, and setuid programs remain prevalent
in modern Linux distributions. A contributing factor is the lack of a
systematic way for developers to identify the capabilities a given
program actually needs.

In this report we present Decap, a binary code analysis tool that
automatically deprivileges programs by identifying the subset of
capabilities they require, based on the system calls they may invoke.
This is made possible by our systematic effort to derive a complete
mapping between every Linux system call involved in a privileged
operation and the capabilities on which it depends. The results of our
experimental evaluation on a set of 201 setuid programs demonstrate
that Decap meaningfully deprivileges them: half of the programs require
fewer than 16 capabilities, and 69% of them avoid the security-critical
CAP_SYS_ADMIN capability altogether.
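The mechanism that the two paragraphs above rely on, shown as an added example rather than code from the Decap paper or its tooling: a process that starts with full root privilege (as a setuid-root binary does) computes the small set of capabilities it actually needs, drops everything else with capset(2) and PR_CAPBSET_DROP, and re-reads its sets with capget(2) to verify the reduction. It assumes Linux and glibc and uses the raw syscall ABI so that libcap is not required; the "needed" list for a hypothetical network daemon is a constructed illustration, not a set produced by Decap.

```c
/* Added example, not part of the Decap paper or its tooling: shrink a
 * process's capabilities to an explicit allow-list and verify the result.
 * Assumes Linux and glibc; the raw capget/capset ABI is used directly. */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/capability.h>

/* Pack a list of CAP_* numbers (see capabilities(7)) into a 64-bit mask. */
uint64_t cap_mask(const int *caps, size_t n)
{
    uint64_t m = 0;
    for (size_t i = 0; i < n; i++)
        if (caps[i] >= 0 && caps[i] < 64)
            m |= (uint64_t)1 << caps[i];
    return m;
}

/* Capabilities present in 'have' but absent from 'need': the excess to drop. */
uint64_t cap_excess(uint64_t have, uint64_t need)
{
    return have & ~need;
}

/* Fill the two 32-bit words of the V3 ABI: permitted = effective = m,
 * inheritable = 0 so nothing is handed to an execve()'d child. */
static void mask_to_data(uint64_t m, struct __user_cap_data_struct d[2])
{
    memset(d, 0, 2 * sizeof(*d));
    d[0].effective = d[0].permitted = (uint32_t)m;
    d[1].effective = d[1].permitted = (uint32_t)(m >> 32);
}

/* Read the caller's effective and permitted sets. Returns 0 on success. */
int cap_get_current(uint64_t *effective, uint64_t *permitted)
{
    struct __user_cap_header_struct hdr = { .version = _LINUX_CAPABILITY_VERSION_3, .pid = 0 };
    struct __user_cap_data_struct d[2];
    memset(d, 0, sizeof d);
    if (syscall(SYS_capget, &hdr, d) != 0)
        return -1;
    *effective = (uint64_t)d[0].effective | ((uint64_t)d[1].effective << 32);
    *permitted = (uint64_t)d[0].permitted | ((uint64_t)d[1].permitted << 32);
    return 0;
}

/* Irreversibly shrink this thread's capabilities to 'keep'. The bounding
 * set is pruned first because PR_CAPBSET_DROP needs CAP_SETPCAP, which is
 * usually not in 'keep'; EINVAL means the index is above the running
 * kernel's CAP_LAST_CAP and is ignored. Returns 0 on success, -1 (errno set)
 * on failure. An unprivileged caller cannot add bits, only remove them. */
int cap_restrict(uint64_t keep)
{
    for (int c = 0; c < 64; c++) {
        if (keep & ((uint64_t)1 << c))
            continue;
        if (prctl(PR_CAPBSET_DROP, c, 0, 0, 0) != 0 && errno != EINVAL)
            return -1;
    }
    struct __user_cap_header_struct hdr = { .version = _LINUX_CAPABILITY_VERSION_3, .pid = 0 };
    struct __user_cap_data_struct d[2];
    mask_to_data(keep, d);
    return syscall(SYS_capset, &hdr, d) == 0 ? 0 : -1;
}

/* 1 if capget(2) works for this process (it needs no privilege), else 0. */
int cap_probe_works(void)
{
    uint64_t e, p;
    return cap_get_current(&e, &p) == 0;
}

int main(void)
{
    /* Constructed allow-list for a hypothetical daemon that binds a low port
     * and then switches to an unprivileged UID/GID. Not a Decap result. */
    const int needed[] = { CAP_NET_BIND_SERVICE, CAP_SETUID, CAP_SETGID };
    uint64_t need = cap_mask(needed, sizeof needed / sizeof needed[0]);
    uint64_t eff, perm;

    if (cap_get_current(&eff, &perm) != 0) {
        perror("capget");
        return 1;
    }
    printf("before: effective=%016llx permitted=%016llx\n",
           (unsigned long long)eff, (unsigned long long)perm);
    printf("excess to drop:    %016llx\n", (unsigned long long)cap_excess(perm, need));

    if (cap_restrict(need) != 0) {
        perror("capset/prctl (run as root to observe the drop)");
        return 1;
    }
    cap_get_current(&eff, &perm);
    printf("after:  effective=%016llx permitted=%016llx\n",
           (unsigned long long)eff, (unsigned long long)perm);
    return 0;
}
```

Run as root (or under `sudo`) to see the permitted set collapse from the full mask to the three chosen bits; run unprivileged and the drop fails with EPERM because a process can never add capabilities it does not already hold. Whether the required subset comes from a tool like Decap or from a manual audit, it is applied in practice either in-process as above or by replacing the setuid bit on the executable with file capabilities via setcap(8).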

Contact events [at] cs.stonybrook.edu for Zoom information.

Event Title
Ph.D. Research Proficiency Presentation: Mehdi Hasan, 'Privilege Reduction: Deprivileging Programs by Reducing Their Capabilities'