ABSTRACT
Applying privilege separation in software development is an effective strategy for limiting the damage of an attack on a software system. In this approach, a software system is separated into a set of communicating protection domains of least privilege. In a privilege-separated system, even if one protection domain is hijacked by an attacker, the rest of the system may still function.
uPro is a tool that provides efficient and flexible enforcement of privilege separation. It adopts software-based fault isolation to implement protection domains in user space, so that inter-domain communication is efficient. It provides a declarative language for describing an application's security architecture, which helps developers identify and compare different architectural alternatives. The evaluation shows that real applications can be ported to uPro with enhanced security, acceptable performance, and declarative architectures.