Tracing the Root of "Rootable" Processes

Amit Purohit
Computer Science Department, Stony Brook University
USA

Vishnu Navda
Computer Science Department, Stony Brook University
USA

Tzi-cker Chiueh
Computer Science Department, Stony Brook University
USA

Most existing systems base authorization checks for system resource access on the user ID of the running processes. Such systems are vulnerable to password stealing/cracking attacks. Recognizing that remote attackers usually do not have physical access to local machines, we propose a security architecture called NPTrace (Network-Wide Process Tracing), which requires a user to know the root password and to prove that she is within some physical proximity in order to exercise the root privilege. More specifically, NPTrace attaches a "rootable" attribute to every process, and propagates this attribute across machines on demand. A process is said to be rootable if the system can trace back its origin to a process started by a user that has physically logged on from a specific set of hosts on the network. Only a root process with this rootable attribute enabled is allowed to perform privileged operations. The NPTrace architecture essentially exploits physical security to strengthen password-based security. This paper describes the design and implementation of an NPTrace prototype, which features a distributed mechanism to identify the entry point of a user into a network. The prototype is implemented under Linux and has been tested under many scenarios. The system shows correct behavior in these tests with negligible performance overhead.

Keywords: privileged process, process root tracing, password stealing, physical security
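
A minimal model of the rootable rule described in the abstract, added here as an illustration and not taken from the NPTrace prototype. The host names, the `Process` fields and the helper functions are assumptions, and the on-demand propagation across machines is reduced to following parent and remote-origin links.

```python
from dataclasses import dataclass
from typing import Optional

# Assumption: hosts whose consoles are treated as physically secure entry points.
TRUSTED_CONSOLES = {"console-a"}

@dataclass
class Process:
    host: str
    uid: int
    parent: Optional["Process"] = None         # local parent (fork/exec)
    remote_origin: Optional["Process"] = None  # client process behind a network login
    physical_login: bool = False               # started by a console login on `host`

def console_login(host: str, uid: int) -> Process:
    return Process(host, uid, physical_login=True)

def fork(parent: Process, uid: Optional[int] = None) -> Process:
    # A child stays on the parent's host; su/setuid may change the uid.
    return Process(parent.host, parent.uid if uid is None else uid, parent=parent)

def remote_login(client: Process, host: str, uid: int) -> Process:
    # The server-side session records which client process it came from.
    return Process(host, uid, remote_origin=client)

def trace_entry_point(proc: Process) -> Process:
    """Follow local parents and remote origins back to where the user entered."""
    while proc.parent is not None or proc.remote_origin is not None:
        proc = proc.parent if proc.parent is not None else proc.remote_origin
    return proc

def is_rootable(proc: Process) -> bool:
    entry = trace_entry_point(proc)
    return entry.physical_login and entry.host in TRUSTED_CONSOLES

def may_use_root_privilege(proc: Process) -> bool:
    # Knowing the root password (uid 0) is necessary but not sufficient.
    return proc.uid == 0 and is_rootable(proc)

def scenarios() -> dict:
    admin = console_login("console-a", uid=1000)
    admin_root = fork(remote_login(admin, "server-1", uid=1000), uid=0)
    untraced_root = fork(Process("server-1", uid=0))   # origin outside the network
    other_root = fork(console_login("lab-pc", uid=0))  # console not in the trusted set
    return {"admin_root": may_use_root_privilege(admin_root),
            "untraced_root": may_use_root_privilege(untraced_root),
            "other_console_root": may_use_root_privilege(other_root),
            "admin_non_root": may_use_root_privilege(admin)}
```

Only the root process whose chain ends at a console login on a trusted host passes the check; a root process with the right password but no traceable physical entry point does not.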
