Process Firewall: Protect Processes from Resource Access Attacks

Programs require a variety of resources from the system to function, e.g., a web server may need HTML files to serve HTTP requests. However, adversaries can try to trick victim programs into accessing malicious resources. For example, when a victim program wants to read from a file in /tmp, the adversary who has write access to /tmp can create a symbolic link to /etc/passwd. If the victim does not detect that the target of the symbolic link is a high-secrecy file, the victim may end up accessing and possibly leaking the high-secrecy password file, when it meant to access a low-secrecy temporary file.

We find that such problems are caused because of a disconnect between programmers who write code and OS distributors/administrators who frame system access control policies/configurations. To solve this problem, we developed Process Firewall - a mechanism that can inspect both the program and the system - to protect resource access. It bridges the gap between programs and the deployed system with a broader view and finer controls on resource accesses. It is modular and extensible to protect against new vulnerability classes.

We identify two specific causes for resource access vulnerabilities: (1) mismatches in expectations of adversary control of names and bindings between the program and the deployment and (2) insufficient filtering on adversary-controlled resource accesses. To combat the resource access attacks, we infer program's implicit expectations on resource accesses in an automatic way and enforce these "expectations" comprehensively using Process Firewall at runtime. For example, we use the following rule template to protect processes from unexpected adversary control:
pftables -i r.ept -d LOW -o DIR SEARCH -j DROP

Findings. Programmers have a lot of implicit expectations that are not conveyed to OS distributors/administrators (55% resource accesses are assumed to be safe). We show how single Process Firewall rules can block entire classes of vulnerabilities, and how we could generate rules in a principled way to harden programs without requiring programmer or OS distributor/administrator effort in our JIGSAW paper. All this for a performance overhead macro-benchmarks 2-8%. In addition, we can actually improve performance by replacing program checks with Process Firewall rules: Apache's requests per second are improved by 5-8%.

How the Process Firewall works?



Process Firewall is invoked only when a resource access is allowed by the OS authorization system. Then, Process Firewall will gather process information (e.g., entrypoints), system information (e.g., access control policy in use) and make decisions (i.e., allow or deny) based on its rules. The rules can be manually written or systematically generated, and pushed into kernel from the user space.

Download

Click here for the source code and follow the installation instructions.

Contact

Please contact Hayawardh Vijayakumar for questions about Process Firewall.

Support

We gratefully acknowledge support from NSF grant NSF-0905343 and AFOSR grant FA9550-12-1-8166

Acknowledgement

We would like to thank GrammaTech, Inc (www.grammatech.com) for providing their product CodeSurfer. We use CodeSurfer to evaluate our work. CodeSurfer is a tool to analyze deep structure of any compiled program. It provides APIs to access different elements of intermediate representation of the compiled program. In our work, we need to find filter functions. In order to verify our results of identifying filter functions we use CodeSurfer.