Message in a Broken Bottle: Exploring the Linux IPC Attack Surface

Conference:  BlackHat USA 2021



The presentation discusses the architecture and security features of the DBus ecosystem, with a focus on the similarities between DBus and the Minix microkernel operating system.
  • DBus is an inter-process communication system used in Linux-based systems
  • DBus messages have a binary format and include header fields, a message body, and a signature header field
  • DBus messages can be used for method calls, replies, errors, and signals
  • DBus includes security features such as ownership rules on well-known names, unique bus names, and restrictions on which methods can be called
  • The presentation highlights the similarities between DBus and the Minix microkernel operating system
  • The proliferation of config files in DBus is a potential drawback
The presenter mentions struggling to remember the locations of all the config files in DBus and predicts using the presentation as a reference in the future.


There might be some truth to the joke that "Linux" is what the systemd operating system used to be called. Systemd is one of several system services that run in userspace and communicate via IPC. You could almost imagine it as a micro-kernel design, where most of the operating system is implemented as userspace processes. At the heart of it all is dbus-daemon - a "message bus" that is used for IPC between systemd and other system services, such as polkit, accountsservice, UDisks2, and aptd.The D-Bus ecosystem enables unprivileged processes to communicate securely with privileged system services, often with polkit playing a key role in authorizing actions that require higher privileges. In this presentation, I will explain the basics of D-Bus and show how some of the system services, such as polkit and accountsservice, fit together. Some aspects of the architecture, particularly those relating to security, are quite subtle, so there are sometimes loopholes in the design that enable an unprivileged user to either cause a denial of service or escalate privileges. I will demo two such LPE vulnerabilities that I found during the past year.



Post a comment

Related work

Authors: Andrew Block, Paul Czarkowski, Karena Angell, Scott Rigby

Conference:  Defcon 31
Authors: Ron Ben-Yizhak Security Researcher at Deep Instinct