Summary:
This paper addresses the problem of exploits in privileged UNIX
services (like OpenSSH) that provide root access to attackers. The
proposed solution is privilege separation, a generic approach to limit
the scope of programming bugs. The idea is to reduce the amount of
code that runs as root without breaking the service. This can be
accomplished by splitting the application into two processes: a
privileged monitor and an unprivileged slave. The slave will interact
directly with the user, while the server executes privileged
operations on behalf of the slave. Exploits in the slave will
therefore not provide direct privileged access to an attacker. The
authors go on to describe the details of their implementation of
privilege separation in OpenSSH.
Pros:
- The authors actually implemented privilege separation on
OpenSSH. The result was effective and showed negligible
performance degradation.
- Making a privilege separated version of OpenSSH publicly
available is significant.
- In the OpenSSH case, the lines of privileged code is reduced by
2/3, so auditing it should be easier and more effective.
- Using a FSM in the monitor should make auditing easier.
- Privilege separation can be implemented together with other
security tools.
- The privilege separation methodology can be extended to other
platforms and services.
- It may be possible to reuse portions of the OpenSSH monitor when
creating privilege separated versions of other UNIX services.
Cons:
- A serious drawback is that not all applications can be privilege
separated as cleanly as the OpenSSH example. Sendmail, for example,
is much more complicated. The approach presented in the paper is
not generalizable.
- A FSM worked for OpenSSH's monitor, but the model may not be
complex enough (it lacks memory) for some services.
- The concept of privilege separation is not new.
Votes:
- Strong accept: 1
- Accept: 18
- Reject: 0
- Strong reject: 0