Title :
Tracing the root of "rootable" processes
Author :
Purohit, Amit ; Navda, Vishnu ; Chiueh, Tzi-cker
Author_Institution :
Stony Brook Univ., USA
Abstract :
In most existing systems, the authorization check for system resource access is based on the user ID of the running process. Such systems are vulnerable to password stealing/cracking attacks. Considering that remote attackers usually do not have physical access to local machines, we propose a security architecture called NPTrace (network-wide process tracing), which requires a user both to know the root password and to prove physical proximity in order to exercise the root privilege. More specifically, NPTrace attaches a privilege-level attribute to every process and propagates this attribute across machines on demand. The privilege-level attribute of a process is set to rootable if the system can trace back its origin to a process started by a user who physically logged on from a specific set of hosts on the network. Only a root process whose privilege-level attribute is set to rootable is allowed to perform privileged operations. The NPTrace architecture essentially exploits physical security to strengthen password-based security. This paper describes the design and implementation of the NPTrace prototype, which features a distributed mechanism to identify the entry point of a user into a network. The prototype is implemented under Linux and has been tested under many attack scenarios. The system shows correct behavior in these tests with negligible performance overhead.
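The abstract describes the rule but not how the trace-back works in practice. The following toy model, added here as an illustration and not the paper's code, shows the essential logic: walk a process's parent chain on one host, hop to the client process on another host when the chain reaches a remote login, and grant the rootable attribute only if the chain ends at a physical logon on a designated console host. The host names, the TRUSTED_CONSOLES set, the CONSOLE/UNTRACEABLE markers and the sample process trees are all assumptions constructed for the example; the real NPTrace prototype is a Linux kernel-level implementation with its own data structures.

```python
# Toy model of NPTrace's "rootable" attribute. Added illustration; not the paper's code.
# Assumptions (not from the paper): host names, the TRUSTED_CONSOLES set, and the
# representation of login sessions below are all invented for this example.
from dataclasses import dataclass
from typing import Optional, Union

TRUSTED_CONSOLES = {"ws1", "ws2"}   # assumed: hosts whose consoles are physically secured
CONSOLE = "console"                 # marker: session began with a physical logon
UNTRACEABLE = "untraceable"         # marker: remote client is not an NPTrace host


@dataclass(eq=False)
class Process:
    pid: int
    host: str
    uid: int                                   # 0 = root
    parent: Optional["Process"] = None         # parent process on the same host
    # Set only on a session leader (login, sshd child, ...):
    #   CONSOLE      -> user typed at this host's keyboard
    #   Process      -> remote login; the client process on another NPTrace host
    #   UNTRACEABLE  -> remote login from a host that does not run NPTrace
    login_from: Union[None, str, "Process"] = None


def trace_origin(proc: Process):
    """Follow parent links on one host and hop to the client process on a
    remote login until a physical logon is found.  Returns (host, path) where
    host is the console host, or None if the chain cannot be traced."""
    path, seen, p = [], set(), proc
    while p is not None:
        if id(p) in seen:                      # guard against a login loop A->B->A
            return None, path
        seen.add(id(p))
        path.append(f"{p.host}:{p.pid}")
        if isinstance(p.login_from, Process):  # cross-machine hop (on demand)
            p = p.login_from
        elif p.login_from == CONSOLE:
            return p.host, path
        elif p.login_from == UNTRACEABLE:
            return None, path
        else:
            p = p.parent                       # ordinary child: walk up
    return None, path                          # e.g. daemon started at boot


def is_rootable(proc: Process) -> bool:
    origin, _ = trace_origin(proc)
    return origin in TRUSTED_CONSOLES


def may_perform_privileged_op(proc: Process) -> bool:
    """NPTrace rule: uid 0 alone is not enough; the process must also be rootable."""
    return proc.uid == 0 and is_rootable(proc)


def build_scenarios():
    """Constructed process trees (sample data, not from the paper)."""
    # 1. Physical logon at ws1, then su to root.
    ws1_login = Process(100, "ws1", 1000, login_from=CONSOLE)
    ws1_shell = Process(101, "ws1", 1000, parent=ws1_login)
    ws1_su = Process(102, "ws1", 0, parent=ws1_shell)

    # 2. Same user sshes from that ws1 shell to the server and runs su.
    srv_ssh_login = Process(200, "srv", 1000, login_from=ws1_shell)
    srv_su_from_ws1 = Process(201, "srv", 0, parent=srv_ssh_login)

    # 3. Attacker with a stolen root password logs in from the Internet.
    srv_login_ext = Process(300, "srv", 0, login_from=UNTRACEABLE)
    srv_shell_ext = Process(301, "srv", 0, parent=srv_login_ext)

    # 4. Root daemon started at boot: no login session at all.
    srv_daemon = Process(400, "srv", 0)

    # 5. Logon at an untrusted console (ws9), then ssh to srv and su.
    ws9_login = Process(500, "ws9", 1000, login_from=CONSOLE)
    srv_ssh_from_ws9 = Process(501, "srv", 1000, login_from=ws9_login)
    srv_su_from_ws9 = Process(502, "srv", 0, parent=srv_ssh_from_ws9)

    return {
        "console_su": ws1_su,
        "ssh_from_ws1_su": srv_su_from_ws1,
        "stolen_password_remote": srv_shell_ext,
        "boot_daemon": srv_daemon,
        "ssh_from_untrusted_console": srv_su_from_ws9,
    }


if __name__ == "__main__":
    for name, proc in build_scenarios().items():
        origin, path = trace_origin(proc)
        print(f"{name:28s} uid={proc.uid} origin={origin} rootable={is_rootable(proc)} "
              f"privileged_ok={may_perform_privileged_op(proc)} path={'->'.join(path)}")
```

Two cases deserve attention when building anything like this for real. A root process that never descended from a login session (a boot-time daemon, or a login whose client is outside the traced network) resolves to no origin and is therefore denied privileged operations, which is the safe default but means the policy must explicitly exempt or pre-authorise such services. And because the trace crosses machines, a cycle of remote logins must terminate as "untraceable" rather than loop forever; the seen-set above is that guard.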
Keywords :
authorisation; biometrics (access control); message authentication; Linux; NPTrace security architecture; authorization; password stealing; system resource access; user ID; Authentication; Authorization; Computer network management; Computer security; Design engineering; Linux; Protection; Prototypes; Smart cards; System testing;
Conference_Titel :
Computer Security Applications Conference, 2004. 20th Annual
Print_ISBN :
0-7695-2252-1
DOI :
10.1109/CSAC.2004.45