Chroot Hardening Through System Calls Modification

Afzalul Haque, Amrit Ayyar, Sanjay Singh

Research output: Chapter in Book/Report/Conference proceeding (Conference contribution)

Abstract

The chroot system call implemented in Unix-like (or *nix) OSes changes the view of the file structure for the calling process and its children by changing their root directory. It was intended as an administrative tool and not a security one, and the Linux implementation follows the Portable Operating System Interface (POSIX) standard. However, it is used extensively as a security tool. The difference between the intended use and the actual use of chroot in the Linux implementation has resulted in some of its features being labeled as security vulnerabilities. These vulnerabilities could allow malicious users to completely circumvent the security aspect of chroot. Some of them are: not changing the Current Working Directory (CWD), not closing file descriptors, and allowing file systems to be mounted inside the newly created environment. The methods used in this paper remove the cause of those vulnerabilities, which results in a more secure construct. In this paper we address these specific issues by modifying the system calls in the system call table and, more generally, present a solution with a good design. The proposed solutions aim to improve the design of chroot when used as a security construct.

Original language: English
Title of host publication: Proceedings of the 8th International Conference Confluence 2018 on Cloud Computing, Data Science and Engineering, Confluence 2018
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 491-496
Number of pages: 6
ISBN (Print): 9781538617182
DOIs: 10.1109/CONFLUENCE.2018.8442709
Publication status: Published - 20-08-2018
Event: 8th International Conference Confluence on Cloud Computing, Data Science and Engineering, Confluence 2018 - Noida, Uttar Pradesh, India
Duration: 11-01-2018 to 12-01-2018

Publication series

Name: Proceedings of the 8th International Conference Confluence 2018 on Cloud Computing, Data Science and Engineering, Confluence 2018

Conference

Conference: 8th International Conference Confluence on Cloud Computing, Data Science and Engineering, Confluence 2018
Country: India
City: Noida, Uttar Pradesh
Period: 11-01-18 to 12-01-18

Fingerprint

Directories
Hardening
Vulnerability
Computer operating systems
Mountings
Labeling
Interfaces (computer)
Linux
File System
Operating Systems
Descriptors
Table
Roots

All Science Journal Classification (ASJC) codes

  • Modelling and Simulation
  • Health Informatics
  • Artificial Intelligence
  • Computer Networks and Communications
  • Information Systems and Management
  • Safety, Risk, Reliability and Quality

Cite this

Haque, A., Ayyar, A., & Singh, S. (2018). Chroot Hardening Through System Calls Modification. In Proceedings of the 8th International Conference Confluence 2018 on Cloud Computing, Data Science and Engineering, Confluence 2018 (pp. 491-496). [8442709] (Proceedings of the 8th International Conference Confluence 2018 on Cloud Computing, Data Science and Engineering, Confluence 2018). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/CONFLUENCE.2018.8442709
Scopus record: http://www.scopus.com/inward/record.url?scp=85053659162&partnerID=8YFLogxK
Scopus cited-by: http://www.scopus.com/inward/citedby.url?scp=85053659162&partnerID=8YFLogxK
