DocumentCode
459458
Title
Preventing Secret Leakage from fork(): Securing Privilege-Separated Applications
Author
Shankar, Umesh ; Wagner, David
Author_Institution
University of California at Berkeley. ushankar@cs.berkeley.edu
Volume
5
fYear
2006
fDate
38869
Firstpage
2268
Lastpage
2275
Abstract
If a trusted process's secrets or privileged system objects such as file handles are leaked to an untrusted process, the result can be the loss of secrecy and integrity of the data the program produces. The advent of privilege-separated programs has introduced an additional risk: sensitive data or system objects may be leaked when the trusted process of a privilege-separated application forks an untrusted child process. We have identified several channels by which information may flow to the child process: memory, the environment, memory mappings, filesystem information, and file descriptors. We propose fixes for each of these leaks. Some are handled by a novel static analysis of the privilege-separated application's source code, but some require modifications to the kernel or compiler. As a proof of concept, we applied our technique to privilege-separated OpenSSH running on the Linux 2.6 kernel. Using our tools, we were able to verify easily that it does not leak secrets from its trusted components to its untrusted components; all sensitive data is erased or downgraded appropriately before being inherited by untrusted components. This suggests that our method is a useful way of reasoning about privilege-separated programs.
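The following is an added C illustration of four of the inheritance channels named in the abstract (memory, environment, file descriptors, memory mappings) and of the erase-before-inheritance discipline the abstract describes. It is not the paper's analysis tool and not OpenSSH code. The "monitor" state (a hostkey buffer, a descriptor on /dev/null standing in for an open key file, an anonymous mapping holding a key copy, and a HOSTKEY_PASSPHRASE variable) is constructed sample data; leaks_to_child() forks, optionally scrubs in the child, and returns a bitmask of which channels the child can still read.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

extern char **environ;

/* One bit per inheritance channel, reported by the child as its exit status. */
enum { LEAK_MEMORY = 1, LEAK_ENV = 2, LEAK_FD = 4, LEAK_MAPPING = 8 };

/* Constructed state of the trusted parent (assumption: stands in for a monitor's key material). */
static char hostkey[32];          /* secret living in ordinary process memory */
static int  privfd = -1;          /* privileged descriptor (here: /dev/null as a stand-in) */
static char *keymap = MAP_FAILED; /* secret copied into a private anonymous mapping */
static const size_t MAPLEN = 4096;

static int monitor_setup(void) {
    if (privfd >= 0) return 0; /* idempotent: set up once per process */
    strcpy(hostkey, "constructed-sample-host-key-123");
    privfd = open("/dev/null", O_RDONLY);
    if (privfd < 0) return -1;
    keymap = mmap(NULL, MAPLEN, PROT_READ | PROT_WRITE,
                  MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (keymap == MAP_FAILED) return -1;
    memcpy(keymap, hostkey, sizeof hostkey);
    setenv("HOSTKEY_PASSPHRASE", "constructed-sample", 1);
    return 0;
}

/* Overwrite through a volatile pointer so the compiler cannot drop the dead stores. */
static void wipe(volatile char *p, size_t n) { while (n--) *p++ = 0; }

/* Runs in the child after fork(), before it drops privilege or exec()s: erase every
 * copy of the secret and release every privileged object it inherited. */
static void child_scrub(void) {
    wipe(hostkey, sizeof hostkey);                       /* memory */
    if (keymap != MAP_FAILED) {                          /* memory mapping */
        wipe(keymap, MAPLEN);
        munmap(keymap, MAPLEN);
        keymap = MAP_FAILED;
    }
    if (privfd >= 0) { close(privfd); privfd = -1; }     /* file descriptor */
    environ = NULL;                                      /* environment */
}

/* Probe, from the child's point of view, which channels still expose the secret.
 * fd_before/map_before are the values the parent held, so a real close/unmap is required. */
static int child_probe(int fd_before, char *map_before) {
    int leaks = 0;
    if (hostkey[0] != '\0')                          leaks |= LEAK_MEMORY;
    if (getenv("HOSTKEY_PASSPHRASE") != NULL)        leaks |= LEAK_ENV;
    if (fcntl(fd_before, F_GETFD) != -1)             leaks |= LEAK_FD;
    if (msync(map_before, MAPLEN, MS_ASYNC) == 0)    leaks |= LEAK_MAPPING; /* ENOMEM once unmapped */
    return leaks;
}

/* Fork an "untrusted" child; returns the LEAK_* bitmask it observed, or -1 on error. */
int leaks_to_child(int scrub) {
    if (monitor_setup() != 0) return -1;
    int fd_before = privfd;
    char *map_before = keymap;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (scrub) child_scrub();
        _exit(child_probe(fd_before, map_before));
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(void) {
    printf("without scrub: leak mask 0x%x\n", leaks_to_child(0));
    printf("with scrub:    leak mask 0x%x\n", leaks_to_child(1));
    return 0;
}
```

The unscrubbed child reports all four channels; the scrubbed child reports none. The scrub runs on the child side so the parent keeps its key, which is the shape of a privilege-separated design where the monitor retains secrets and the child must start without them. Filesystem state (working directory, root, umask) is the one channel from the abstract this block does not model; it would be handled the same way, by resetting it in the child before the untrusted code runs.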
Keywords
Authentication; Communications Society; Cryptography; Data analysis; Kernel; Linux; Risk analysis;
fLanguage
English
Publisher
ieee
Conference_Titel
Communications, 2006. ICC '06. IEEE International Conference on
Conference_Location
Istanbul
ISSN
8164-9547
Print_ISBN
1-4244-0355-3
Electronic_ISBN
8164-9547
Type
conf
DOI
10.1109/ICC.2006.255108
Filename
4024503
Link To Document