Decap: Deprivileging Programs by Reducing Their Capabilities

Linux enables non-root users to perform certain privileged operations through the use of the setuid (“set user ID”) mechanism. This represents a glaring violation of the principle of least privilege, as setuid programs run with full superuser privileges—with disastrous outcomes when vulnerabilities are found in them. Linux capabilities aim to improve this situation by splitting superuser privileges into distinct units that can be assigned individually. Despite the clear benefits of capabilities in reducing the risk of privilege escalation, their actual use is scarce, and setuid programs are still prevalent in modern Linux distributions. The lack of a systematic way for developers to identify the capabilities needed by a given program is a contributing factor that hinders their applicability. In this paper we present Decap, a binary code analysis tool that automatically deprivileges programs by identifying the subset of capabilities they require based on the system calls they may invoke. This is made possible by our systematic effort in deriving a complete mapping between all Linux system calls related to privileged operations and the corresponding capabilities on which they depend. The results of our experimental evaluation with a set of 201 setuid programs demonstrate the effectiveness of Decap in meaningfully deprivileging them, with half of them requiring fewer than 16 capabilities, and 69% of them avoiding the use of the security-critical CAP_SYS_ADMIN capability.

• Publication year

  2022

• Venue

  International Symposium on Recent Advances in Intrusion Detection

• Publication date

  2022-10-26

• Fields of study

  Computer Science

• Identifiers
  DOI 10.1145/3545948.3545978
• External record

  Open on Semantic Scholar

• Source metadata

  Semantic Scholar

• No claims are published for this paper.

• No concepts are published for this paper.

• PrivGuard: Privacy Regulation Compliance Made Easier

  2022cited by this paper
• μSCOPE: A Methodology for Analyzing Least-Privilege Compartmentalization in Large Software Artifacts

  2021cited by this paper
• MiniCon: Automatic Enforcement of a Minimal Capability Set for Security-Enhanced Containers

  2021cited by this paper
• Temporal System Call Specialization for Attack Surface Reduction

  2020cited by this paper
• sysfilter: Automated System Call Filtering for Commodity Software

  2020influential reference
• Slimium: Debloating the Chromium Browser with Feature Subsetting

  2020cited by this paper
• HFL: Hybrid Fuzzing on the Linux Kernel

  2020cited by this paper
• Saffire: Context-sensitive Function Specialization against Code Reuse Attacks

  2020cited by this paper
• Confine: Automated System Call Policy Generation for Container Attack Surface Reduction

  2020influential reference
• PoLPer: Process-Aware Restriction of Over-Privileged Setuid Calls in Legacy Applications

  2019cited by this paper
• PeX: A Permission Check Analysis Framework for Linux Kernel

  2019cited by this paper
• Nibbler: debloating binary shared libraries

  2019influential reference
• Configuration-Driven Software Debloating

  2019cited by this paper
• RAZOR: A Framework for Post-deployment Software Debloating

  2019cited by this paper
• Binary Control-Flow Trimming

  2019cited by this paper
• PrivAnalyzer: Measuring the Efficacy of Linux Privilege Use

  2019cited by this paper
• Debloating Software through Piece-Wise Compilation and Loading

  2018cited by this paper
• Transforming Code to Drop Dead Privileges

  2018cited by this paper
• Shredder: Breaking Exploits through API Specialization

  2018cited by this paper
• Effective Program Debloating via Reinforcement Learning

  2018cited by this paper
• FLEXDROID: Enforcing In-App Privilege Separation in Android

  2016cited by this paper
• Boxify: Full-fledged App Sandboxing for Stock Android

  2015cited by this paper
• Practical techniques to obviate setuid-to-root binaries

  2014cited by this paper
• Declarative, Temporal, and Practical Programming with Capabilities

  2013cited by this paper
• AdDroid: privilege separation for applications and advertisers in Android

  2012cited by this paper
• Parallel and Distributed Computing and Networks

  2011cited by this paper
• Capsicum: Practical Capabilities for UNIX

  2010cited by this paper
• System Call Monitoring Using Authenticated System Calls

  2006cited by this paper
• Side Effects Are Not Sufficient to Authenticate Software

  2004cited by this paper
• Implementing a secure setuid program

  2004cited by this paper
• USENIX Association Proceedings of the FREENIX Track : 2003 USENIX Annual

  2003cited by this paper
• Improving Host Security with System Call Policies

  2003cited by this paper
• Preventing Privilege Escalation

  2003cited by this paper
• Understanding the Linux Kernel

  2000cited by this paper
• The protection of information in computer systems

  1975cited by this paper

• In Pursuit of Lean OS Kernels: Improving Configuration-Based Debloating

  2025cites this paper
• Leash: A Transparent Capability-Based Sandboxing Supervisor for Unix

  2025cites this paper
• AMPLE: Fine-grained File Access Policies for Server Applications

  2025cites this paper
• BeaCon: Automatic container policy generation using environment-aware dynamic analysis

  2025cites this paper
• CapAssess: An Endeavor to Assess and Enhance Linux Capabilities Utilization

  2025influential citation
• A Path Sensitive and Scalable Approach for Mapping the Capabilities Required for Linux Kernel Defined System Calls Using Static Analysis Techniques

  2024influential citation
• Implementing the principle of least administrative privilege on operating systems: challenges and perspectives

  2024cites this paper
• AnimateDead: Debloating Web Applications Using Concolic Execution

  2023cites this paper
• Confine: Fine-grained system call filtering for container attack surface reduction

  2023cites this paper
• IOSPReD: I/O Specialized Packaging of Reduced Datasets and Data-Intensive Applications for Efficient Reproducibility

  2023influential citation
• C2C: Fine-grained Configuration-driven System Call Filtering

  2022cites this paper
• This paper is included

  year unknowncites this paper