PeX:Linux内核权限检查分析框架

需积分: 2 188 浏览量更新于2024-06-22 收藏 829KB PDF 举报

《A Permission Check Analysis Framework for Linux Kernel》是一篇关于Linux内核权限检查的深入研究论文。随着操作系统安全性的日益重要，尤其是对特权功能的访问控制，正确地添加和维护权限检查机制对于Linux内核开发者来说是一项巨大的挑战。Linux内核代码库庞大且复杂，包含数百万行代码，数百个权限检查，这使得确保其安全性变得愈发困难，因为新功能的添加和现有检查的验证都需要在不断增长的代码基础之上进行。论文的核心贡献是PeX（Permission eXaminer），一个针对Linux内核设计的静态权限检查错误检测工具。PeX的目标是解决内核源码中可能存在的缺失、不一致和冗余权限检查问题。它利用了一种名为KIRIN（Kernel Interface based Indirect Call Analysis）的创新、精确且可扩展的间接调用分析技术。KIRIN技术是基于内核编程范式的，它能够有效地处理复杂的间接调用关系，从而提高分析的准确性和效率。通过将内核源代码作为输入，PeX的工作流程包括解析代码结构，识别潜在的权限访问点，并对比它们与已定义的安全策略或模式。如果检测到任何不符合预期的权限请求或没有适当检查的情况，PeX会生成报告，帮助开发人员定位并修复这些问题。这种方法的优势在于它可以在编译阶段发现潜在的错误，减少了运行时可能的安全漏洞，有助于提升Linux内核的整体安全性。该研究的重要性体现在它不仅提供了实际的工具支持，还强调了在处理庞大和复杂代码库时，采用自动化工具进行静态分析在提升内核安全中的关键作用。通过应用PeX，开发团队可以节省大量时间和精力，确保新功能的添加不会引入未经验证的权限风险，同时也有助于持续监控和优化现有的权限管理机制。《A Permission Check Analysis Framework for Linux Kernel》是一篇关注Linux内核权限检查效率和安全性的技术文章，其提出的PeX框架为提高内核开发过程中的安全性和代码质量提供了一个创新且实用的解决方案。

1 static int do_readlinkat(int dfd, const char __user

pathname, char __user

buf, int bufsiz),→

2 {

3 ...

4 error = security_inode_readlink(path.dentry);

5 if (!error) {

6 touch_atime(&path);

7 error = vfs_readlink(path.dentry, buf, bufsiz);

8 }

9 ...

10 }

(a) Kernel LSM usage in system call

readlinkat

vfs_readlink

(Line 7) is protected by

security_inode_readlink

(Line 4). Both

pathname

and buf (Line 1 and Line 7) are user controllable.

1 int ksys_ioctl(unsigned int fd, unsigned int cmd,

unsigned long arg),→

2 {

3 ...

4 error = security_file_ioctl(f.file, cmd, arg);

5 if (!error)

6 error = do_vfs_ioctl(f.file, fd, cmd, arg);

7 ...

8 }

10 int xfs_readlink_by_handle(struct file

parfilp,

xfs_fsop_handlereq_t

hreq),→

11 {

12 ...

13 error = vfs_readlink(dentry, hreq->ohandle, olen);

14 ...

15 }

(b) Kernel LSM usage in system call

ioctl

. It calls

security_file_ioctl

(Line 4) to protect

do_vfs_ioctl

(Line 6). hreq->ohandle and olen are also user controllable.

Figure 2: LSM check errors discovered by PeX.

only

CAP_SYS_RAWIO

, resulting in a missing permission check

for

CAP_SYS_ADMIN

. In particular, PeX detects this bug as an

inconsistent permission check because the two paths disagree

with each other, and further investigation shows that one is

redundant and the other is missing.

3.2 LSM Permission Check Errors

The example of LSM permission check errors is related to

how LSM hooks are instrumented for two different system

calls readlinkat and ioctl.

Figure 2a shows the LSM usage in the

readlinkat

system

call. On its call path,

vfs_readlink

(Line 7) is protected by

the LSM hook

security_inode_readlink

(Line 4) so that a

LSM-based MAC mechanism, such as SELinux or AppArmor,

can be realized to allow or deny the vfs_readlink operation.

Figure 2b presents two sub-functions for the system call

ioctl

. Similar to the above case,

ioctl

calls

ksys_ioctl

which includes its own LSM hook

security_file_ioctl

(Line 4) before

do_vfs_ioctl

(Line 6). This is proper design,

and there is no problem so far. However, it turns out that there

is a path from

do_vfs_ioctl

xfs_readlink_by_handle

(Line 10), which eventually calls the same privileged func-

tion

vfs_readlink

(see Line 7 in Figure 2a and Line 13

in Figure 2b). While this function is protected by the

security_inode_readlink

LSM hook in

readlinkat

, that

is not the case for the path to the function going through

xfs_readlink_by_handle

. The problem is that SELinux main-

tains separate ‘allow’ rules for

read

and

ioctl

. With the miss-

ing LSM

security_inode_readlink

check, a user only with

1 struct file_operations {

2 ...

3 ssize_t (

read_iter) (struct kiocb

, struct

iov_iter

);,!

4 ssize_t (

write_iter) (struct kiocb

, struct

iov_iter

);,!

5 ...

6 }

(a) The Virtual File System (VFS) kernel interface.

const struct file_operations ext4_file_operations

{

. . .

.read_iter = ext4_file_read_iter,

.write_iter = ext4_file_write_iter,

. . .

}

syscall(1, fd, buffer, count)

write(fd, buffer, count)

SyS_write(fd, buffer, count)

vfs_write(fd.file, buffer, count, fd.pos)

file->f_op->write_iter(kio, iter);

User space

Kernel space

syscall dispatcher

const struct file_operations nfs_file_operations

{

. . .

.read_iter = nfs_file_read,

.write_iter = nfs_file_write,

. . .

}

(b) VFS indirect calls in Linux kernel.

Figure 3: Indirect call examples via the VFS kernel interface.

the ‘ioctl allow rule’ may exploit the

ioctl

system call to

trigger the

vfs_readlink

operation, which should only be

permitted by the different ‘read allow rule’.

The above two Capability and LSM examples show how

challenging it is to ensure correct permission checks. There

are no tools available for kernel developers to rely on to

ﬁgure out whether a particular function should be protected

by a permission check; and, (if so) which permission checks

should be used.

4 Challenges

This section discusses two critical challenges in designing

static analysis for detecting permission errors in Linux kernel.

4.1 Indirect Call Analysis in Kernel

The ﬁrst challenge lies in the frequent use of indirect calls in

Linux kernel and the difﬁculties in statically analyzing them

in a scalable and precise manner. To achieve a modular de-

sign, the kernel proposes a diverse set of abstraction layers

that specify the common interfaces to different concrete im-

plementations. For example, Virtual File System (VFS) [12]

abstracts a ﬁle system, thereby providing a uniﬁed and trans-

parent way to access local (e.g.,

ext4

) and network (e.g.,

nfs

)

storage devices. Under this kernel programming paradigm,

an abstraction layer deﬁnes an interface as a set of indirect

function pointers while a concrete module initializes these

pointers with its own implementations. For example, as shown

in Figure 3a, VFS abstracts all ﬁle system operations in a ker-

剩余15页未读，继续阅读

程序员徐师兄

粉丝: 1733
资源: 2497

PeX:Linux内核权限检查分析框架

Programming Guide for Linux USB Device.pdf

Android之permission权限列表[收集].pdf

iOS 8 Swift Programming Cookbook Solutions Examples for iOS Apps.pdf

<exception package="android.rk.RockVideoPlayer"> <permission name="android.permission.MANAGE_EXTERNAL_STORAGE"/> <permission name="android.permission.WRITE_EXTERNAL_STORAGE"/> <permission name="android.permission.READ_EXTERNAL_STORAGE"/> </exception>

<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" /> <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/> <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>

<exceptions> <exception package="android.rk.RockVideoPlayer"> <permission name="android.permission.MANAGE_EXTERNAL_STORAGE"/> <permission name="android.permission.WRITE_EXTERNAL_STORAGE"/> <permission name="android.permission.READ_EXTERNAL_STORAGE"/> </exception> </exceptions>

Write a framework for a permission system in Java

android.permission.READ_CONTACTS or android.permission.WRITE_CONTACTS

最新资源