p9auth driver in Linux kernel

Preventing privilege escalation: The Plan 9 way!

Rahul Murmuria

Graduate Student, George Mason University

Related Work

• OpenSSH, qmail: A process for each activity/user
• SELinux: limits priviledges based on the user that spawned the process
• Linux Capability System: super user split into 30 different capabilities
• But what about su, login, apache and others who play with the setuid?

Preventing Privledge Escalation

• Provos, N., Friedl, M., and Honeyman, P. 2003. Preventing privilege escalation. In Proceedings of the 12th Conference on USENIX Security Symposium - Volume 12 (Washington, DC, August 04 - 08, 2003). USENIX Security Symposium. USENIX Association, Berkeley, CA, 16-16.
• Master-slave concept where only master process is priviledged
• Weakness: Onus of protecting the environment still with the application

Introducing: The p9auth driver

• Run everything as an unpriviledged user
• Host Owner's Factotum brokers keys on behalf of user
• More kernel involvement (performance?)
• Network scalable (although work in progress)
• p9cr is a Kerberos-like protocol that takes care of encripted exchange of auth information

Overview

Testing the cap device

Testing the cap device

cap_device workflow

Future Work

• Run factotum at boot: requires credentials in nvram
• Need a user agent to map string usernames to userid
• storing 1000 and 1001 in authserv is obviously not scalable!
• Linux Naming Services module so that 'adduser' and nsswitch.conf talk to authserv
• Weakness: Discussion on performance hit because of hashing in-kernel?
• Faster than NFS, Kerberos and/or LDAP auth?

Thoughtful Points

• Cloud: here we come!!
• No need for OpenID!
• Apps need not be trustworthy anymore
• Web apps can be given access to system resources in a controlled fashion
• Is this what Chrome OS is all about?
• Either way, please lookout for Glendix!

Ouestions?

Related Reading