Department of Electrical Engineering and Computer Science
Syracuse University

Chroot Sandbox Lab


Overview

In computer security, a sandbox is a safe place for running semi-trusted programs or scripts, often originating from a third party. The sandbox security model provides a tightly-controlled set of resources for foreign programs to run in, such as a small "scratch-space" on the disk and a section of memory to carry out instructions. The sandbox may allow some user interaction, and the user may be prompted to allow or disallow certain actions as the program runs.

Some examples of the sandbox security model:

* In the Java system, most applets are run in a sandbox that provides (at minimum) a rectangle of screen space and optionally some disk space and memory (with the user's permission).
* On Unix systems, one of the ways to construct a sandbox is to use the "chroot" command. One common kind of sandbox built this way is known as a "chroot jail".

In this project, you are required to analyze the "chroot" command in smx, find the security hole in the program, and exploit this vulnerability to gain root privilege.



Requirement

"chroot" changes the root directory to that specified in path. This directory will be used for path names beginning with /. The root directory is inherited by all children of the current process. If a "chroot-ed" program has been handed off in this way and is confined to a subdirectory, then any damage it may do upon execution is confined to that directory. In other words, chroot creates an environment in which the actions of an untrusted process are restricted according to a security policy. Such restriction protects the system from untrusted applications.

The chroot() UNIX system call changes the root directory of whatever process calls it. On many Unix systems, it can be used only by root. However, on some systems any user can execute chroot, which can allow system users to gain unauthorized privileges and get a root shell.
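The calling sequence a privileged program can use to confine itself with chroot() and then give up root, as an added example that is not part of the lab's source files or the smx code. The names enter_jail and jail_dir_ok and the ownership policy are assumptions made for illustration, and the code targets a POSIX system such as Linux rather than Minix.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* exposes chroot() and setgroups() on glibc */
#endif
#include <sys/types.h>
#include <sys/stat.h>
#include <grp.h>
#include <unistd.h>

/* Policy check on the jail root (an assumption for this example; OpenSSH
 * applies a similar rule to ChrootDirectory): it must be a directory,
 * owned by root, and not writable by group or others, so an unprivileged
 * user cannot alter what the jailed process sees. */
int jail_dir_ok(const struct stat *st)
{
    if (!S_ISDIR(st->st_mode)) return 0;
    if (st->st_uid != 0) return 0;
    if (st->st_mode & (S_IWGRP | S_IWOTH)) return 0;
    return 1;
}

/* Enter the jail and permanently drop to an unprivileged uid/gid.
 * Returns 0 on success, -1 on any failure; the caller should exit on -1
 * rather than continue in a half-confined state. */
int enter_jail(const char *dir, uid_t uid, gid_t gid)
{
    struct stat st;

    if (uid == 0 || gid == 0) return -1;     /* never stay root inside */
    if (chdir(dir) != 0) return -1;          /* move into the jail first */
    /* Check "." rather than the path again, so the directory that was
     * checked is the directory that becomes the new root. */
    if (stat(".", &st) != 0 || !jail_dir_ok(&st)) return -1;
    if (chroot(".") != 0) return -1;         /* root-only on most systems */
    if (chdir("/") != 0) return -1;          /* cwd must lie under new root */
    if (setgroups(0, NULL) != 0) return -1;  /* drop supplementary groups */
    if (setgid(gid) != 0) return -1;         /* gid first, while still root */
    if (setuid(uid) != 0) return -1;
    if (setuid(0) == 0) return -1;           /* the drop must be irreversible */
    return 0;
}
```

Every return value is checked because a chroot() that succeeds followed by a privilege drop that silently fails leaves a root process inside the jail, which is not confinement.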

We want to see a working demonstration of your exploitable implementation:

Here is what you are expected to do:

Mandatory Requirement

    (1) Read the source code (/smx/src/commands/simple/chroot.c, su.c & /smx/src/fs/stadir.c), figure out why there is a vulnerability in this program, and identify the corresponding code. (Please note that these files are included in the project3.tar file.)
    (2) Implement an attack procedure to show how you can take advantage of this vulnerability to obtain a root shell.
    (3) Give a solution in your report for how to eliminate or at least reduce the chance of this vulnerability. (You need not implement this solution.)

Bonus Requirement

    (4) Implement the solution to make the attack fail. (chroot should still be executable by any user.)

Remember, you need to demonstrate your attack & fix to the TA.



Preparations for your attack

Download project3.tar and save it in your smx/ directory. Execute the following steps:
    apollo: cd /home/seed/ecslogin_name/smx
    apollo: tar xvf project3.tar
    apollo: cp su.c src/commands/simple
    apollo: cp stadir.c src/fs
    apollo: cp chroot.c src/tools
    apollo: cd src/commands/simple
    apollo: touch su.c
    apollo: make
    apollo: cd ../../fs
    apollo: touch stadir.c
    apollo: make
    apollo: cd ../tools
    apollo: mcc chroot.c -o chroot
    apollo: minix
    Solaris-Minix Release2.0 Version 0
    noname login: root
    Password: *****
    ! sunread chroot>/usr/bin/chroot
    ! chmod 755 /usr/bin/chroot
    ! sunread ../commands/simple/bin/su>/bin/su
    ! chmod 4755 /bin/su
    ! adduser ordinary_user other /usr/ordinary_user
    ! passwd ordinary_user
    ! exit  

    noname login: ordinary_user                   (this is the ordinary user that you created, not a root)
    Password: *****
    $ Begin your work


Project Due Date & Submission

Due: Noon, 04/04/2005 (Monday) (together with Project 4's report)
Submission:
    (1) Please submit a hard copy of your report on how you implemented the attack before the class on Monday.
    (2) Please include the grading sheet as the first page of your report.
    (3) You need to demonstrate your attack to the TA, so be prepared to answer questions.
    (4) Please sign up for a demonstration time slot with the TA (you can fill in the time slot on the door of CST 4-284). Each person needs to sign up for a specific time slot; even if you work in teams, you should demonstrate your attacks individually. Here is the demonstration schedule.
Special notice:
    If plagiarism or copying of another person's work is found, you will get a zero for your project.


Helpful Documents

Manual Page of "chroot" [PDF]
Minix Code Hierarchy [PDF]
Security Features of Minix [PDF]


Resources on Sandboxing

Sandboxing: information from answers.com
Breaking out of a chroot() jail
Sandboxing Application
Computer Security in Real World


Updated: 02/28/2005