Assessing the Impact of Interface Vulnerabilities in Compartmentalized Software
Hugo Lefeuvre, Vlad-Andrei Bădoiu, Yi Chien, Felipe Huici, Nathan Dautenhahn, Pierre Olivier

TL;DR
This paper studies security bugs called Compartment Interface Vulnerabilities (CIVs) that arise when software compartments are not properly secured at their interfaces, proposing a specialized fuzzer to detect these vulnerabilities.
Contribution
It provides a taxonomy of CIVs, demonstrates their prevalence through a large-scale fuzzing study, and offers guidelines for designing secure compartment interfaces.
Findings
629 vulnerabilities found across 25 applications
CIVs are widespread and affect all compartmentalization approaches
Addressing CIVs requires more than simple checks, involving systematic detection and mitigation strategies.
Abstract
Least-privilege separation decomposes applications into compartments limited to accessing only what they need. When compartmentalizing existing software, many approaches neglect securing the new inter-compartment interfaces, although what used to be a function call from/to a trusted component is now potentially a targeted attack from a malicious compartment. This results in an entire class of security bugs: Compartment Interface Vulnerabilities (CIVs). This paper provides an in-depth study of CIVs. We taxonomize these issues and show that they affect all known compartmentalization approaches. We propose ConfFuzz, an in-memory fuzzer specialized to detect CIVs at possible compartment boundaries. We apply ConfFuzz to a set of 25 popular applications and 36 possible compartment APIs, to uncover a wide data-set of 629 vulnerabilities. We systematically study these issues, and extract…
Taxonomy
Topics: Information and Cyber Security · Security and Verification in Computing · Software Reliability and Analysis Research
