While administrators scramble to fix the newly discovered Shellshock vulnerability, Harvard University researchers are putting the finishing touches on a scripting language built to mitigate the damage caused by such holes.
The language, called Shill, was designed to limit shell-based scripts so they can’t access resources beyond what is specifically needed for the task at hand.
“You want to give the script exactly the permissions it needs to get its job done,” said Scott Moore, a computer science doctoral student at Harvard who is one of the contributors to the Shill research project, led by Stephen Chong, an associate professor of computer science.
The team is working on a version of Shill for the FreeBSD Unix operating system and is mulling the idea of porting it to Linux. The team will also present the technology next week at the USENIX Symposium on Operating Systems Design and Implementation conference, in Broomfield, Colorado.
Shill follows the principle of least privilege, which stipulates that software shouldn’t posses more authority than what it needs to complete its job, Moore said.
Unix-based systems, such as Linux and Apple’s OS X, already come with rigorous permission systems, based on the user and any groups to which the user is assigned. The weakness in this approach is that any programs run by the user inherit all the permissions assigned to that user and that group.
“The idea of Shill is to give you control over what you want a program or script to access,” Moore said. For instance, if someone writes a script for the Bash shell to work within a particular directory, then Shill can ensure the script can access only that directory and not all of the directories that the user can access. A shell is a user interface, either a graphical interface or, in Bash’s case, a command line interface. A shell script is a set of commands, encapsulated in a file, that the shell understands and can execute automatically when the file is run by the operating system.
“Most scripting languages, such as Bash, don’t give you a way to figure out what the script is going to do. Everything is buried inside the code,” said Christos Dimoulas, a Harvard graduate student also on the development team. “Shill, in contrast, comes with specific interfaces that make it extremely easy to declare and enforce exactly what the script is going to do.”
Shill received a bump in publicity as news of the Shellshock vulnerability roiled through the Linux system administrator community. Shill could be used to prevent Shellshock-like vulnerabilities, Moore said.
Shellshock is a command injection vulnerability, in which a malicious attacker could inject their own commands into a Bash shell script, giving permissions to do whatever the user of that script has permissions to do on that system.
“It’s dangerous because this Bash script that you created to generate a Web page can also be used to launch a new shell or exploit other vulnerabilities in the system,” Moore said.
Shill would limit what can be done with any particular script. “Even if someone is able to inject some commands, they are still limited to the initial set of permissions that the script had in the beginning,” Moore said.
In a way, Shill is similar to SE Linux, a National Security Agency technology embedded in Linux that is widely used to restrict what programs can do on a computer. SE Linux is used to establish a computerwide policy, while Shill confines the policies to the particular script executing the task, Moore said.