LiCA: A Fine-grained and Path-sensitive Linux Capability Analysis Framework

Menghan Sun, Zirui Song, Xiaoxi Ren, Daoyuan Wu, Kehuan Zhang

Research output: Chapter in Book/Conference Proceeding/Report, Conference Paper published in a book, peer-review

6 Citations (Scopus)

Abstract

The capability mechanism in Linux-based systems is designed to split root privileges into a set of finer-grained capabilities, so that programs gain no more privileges than necessary. However, it is challenging to check the necessity and sufficiency of the capabilities assigned to programs because of the highly complicated call chains invoked in practice. Inappropriate capability assignment poses threats to the system. For example, over-privileged programs could allow an attacker to misuse root privileges, while under-privileged programs may incur runtime errors. In this paper, we propose a new Linux capability analysis framework called LiCA to find the necessary and sufficient capabilities for programs effectively. LiCA performs fine-grained and path-sensitive code flow analysis based on LLVM to construct accurate mappings between system calls and their capabilities. In particular, we solve the constraint equations along each path from a given system call to individual capabilities and strategically overcome the path explosion problem. Our experiments show that LiCA can correctly find the necessary capabilities for Linux utility programs (e.g., ping and tcpdump) and for public programs from GitHub. By comparing the capabilities claimed by program developers with the results from LiCA, we identify a batch of programs requiring more capabilities than necessary, even root privileges. Therefore, LiCA could help third-party developers validate their programs' capability settings to achieve the principle of least privilege.

Original language: English
Title of host publication: Proceedings of 25th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2022
Publisher: Association for Computing Machinery
Pages: 364-379
Number of pages: 16
ISBN (Electronic): 9781450397049
Publication status: Published - 26 Oct 2022
Externally published: Yes
Event: 25th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2022 - Limassol, Cyprus
Duration: 26 Oct 2022 to 28 Oct 2022

Publication series

Name: ACM International Conference Proceeding Series

Conference

Conference: 25th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2022
Country/Territory: Cyprus
City: Limassol
Period: 26/10/22 to 28/10/22

Bibliographical note

Publisher Copyright:
© 2022 ACM.

Keywords

  • Linux capability
  • mapping
  • security analysis
