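In March 2025, students supervised by Professor Yuewu Wang of the School of Cryptology, University of Chinese Academy of Sciences, published a research paper titled "CapAssess: An Endeavor to Assess and Enhance Linux Capabilities Utilization" at the IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER). The paper assesses the design, implementation, and usage of the Linux capability mechanism, identifies several security risks, and proposes improvements. The work was supported by the National Key R&D Program of China (2023YFB3105801).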
Abstract: The Linux capabilities mechanism divides the root privileges to provide more fine-grained access control, but its effectiveness depends on proper implementation and configuration. The scattered enforcement of capabilities in the kernel and its sporadic usage in programs pose challenges in gathering assessment information. To address this, we propose three tools for diagnosing potential problems in its design, implementation, and utilization. First, we employ LLVM/Clang to examine the capabilities enforcement in the kernel to map capabilities checks to files. This is the first attempt to explore the interaction between capabilities and other mechanisms, such as UGO. Second, we propose a pattern-based method to identify the sensitive kernel functions protected by capabilities, quantifying the overlap problem of capabilities. Third, we employ a customized fuzzing approach to determine the minimal set of capabilities required by programs, offering insight for secure usage. Additionally, our study is further guided by international access management standards, providing structured criteria for the assessment. Leveraging data collected by our tools, we identify imperfections of capabilities and report them to stakeholders. To the best of our knowledge, this is the first systematic assessment of Linux capabilities.
Paper information: Jingzi Meng, Yuewu Wang, Lingguang Lei, Jiwu Jing, Pingjian Wang, Chunjing Kou, and Peng Wang: "CapAssess: An Endeavor to Assess and Enhance Linux Capabilities Utilization." SANER 2025. (CCF-B)