Message in a Broken Bottle: Exploring the Linux IPC Attack Surface

Presented at Black Hat Europe 2021, Nov. 10, 2021, 3:20 p.m. (40 minutes)

There might be some truth to the joke that "Linux" is what the systemd operating system used to be called. Systemd is one of several system services that run in userspace and communicate via IPC. You could almost imagine it as a micro-kernel design, where most of the operating system is implemented as userspace processes. At the heart of it all is dbus-daemon - a "message bus" that is used for IPC between systemd and other system services, such as polkit, accountsservice, UDisks2, and aptd.

The D-Bus ecosystem enables unprivileged processes to communicate securely with privileged system services, often with polkit playing a key role in authorizing actions that require higher privileges. In this presentation, I will explain the basics of D-Bus and show how some of the system services, such as polkit and accountsservice, fit together. Some aspects of the architecture, particularly those relating to security, are quite subtle, so there are sometimes loopholes in the design that enable an unprivileged user to either cause a denial of service or escalate privileges. I will demo two such LPE vulnerabilities that I found during the past year.


Presenters:

  • Kevin Backhouse - Security researcher, GitHub
    Kevin Backhouse (@kevin_backhouse) is a member of the GitHub Security Lab, where he focuses on finding vulnerabilities in open source projects. He became a security researcher in 2017, after working as a software developer for approximately 15 years. His current focus is on helping to improve the security of his favorite operating system, Ubuntu.
