DOI: 10.1145/3319535.3354218
Research article (Public Access)

Program-mandering: Quantitative Privilege Separation

Published: 06 November 2019
  • Abstract

    Privilege separation is an effective technique to improve software security. However, past partitioning systems do not allow programmers to make quantitative tradeoffs between security and performance. In this paper, we describe our toolchain called PM. It can automatically find the optimal boundary in program partitioning. This is achieved by solving an integer-programming model that optimizes for a user-chosen metric while satisfying the remaining security and performance constraints on other metrics. We choose security metrics to reason about how well computed partitions enforce information flow control to: (1) protect the program from low-integrity inputs or (2) prevent leakage of program secrets. As a result, functions in the sensitive module that fall on the optimal partition boundaries automatically identify where declassification is necessary. We used PM to experiment on a set of real-world programs to protect confidentiality and integrity; results show that, with moderate user guidance, PM can find partitions that have better balance between security and performance than partitions found by a previous tool that requires manual declassification.

    Supplementary Material

    WEBM File (p1023-zeng.webm)



    Published In

    CCS '19: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security
    November 2019
    2755 pages
    ISBN:9781450367479
    DOI:10.1145/3319535
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

    Publisher

    Association for Computing Machinery

    New York, NY, United States


    Author Tags

    1. automatic program partitioning
    2. integer programming
    3. privilege separation

    Conference

    CCS '19

    Acceptance Rates

    CCS '19 Paper Acceptance Rate 149 of 934 submissions, 16%;
    Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

    Article Metrics

    • Downloads (Last 12 months)211
    • Downloads (Last 6 weeks)23
    Reflects downloads up to 27 Jul 2024

    Cited By

    • FreePart: Hardening Data Processing Software via Framework-based Partitioning and Isolation. Proceedings of the 28th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, Volume 4 (2023), 169-188. DOI: 10.1145/3623278.3624760. Published 25 Mar 2023.
    • Whole-Program Privilege and Compartmentalization Analysis with the Object-Encapsulation Model. 2023 IEEE Security and Privacy Workshops (SPW), 1-12. DOI: 10.1109/SPW59333.2023.00018. Published May 2023.
    • EC: Embedded Systems Compartmentalization via Intra-Kernel Isolation. 2023 IEEE Symposium on Security and Privacy (SP), 2990-3007. DOI: 10.1109/SP46215.2023.10179285. Published May 2023.
    • SAPPX: Securing COTS Binaries with Automatic Program Partitioning for Intel SGX. 2023 IEEE 34th International Symposium on Software Reliability Engineering (ISSRE), 148-159. DOI: 10.1109/ISSRE59848.2023.00016. Published 9 Oct 2023.
    • ABSLearn: a GNN-based framework for aliasing and buffer-size information retrieval. Pattern Analysis and Applications 26(3) (2023), 1171-1189. DOI: 10.1007/s10044-023-01142-2. Published 19 Feb 2023.
    • OPEC. Proceedings of the Seventeenth European Conference on Computer Systems (2022), 317-333. DOI: 10.1145/3492321.3519573. Published 28 Mar 2022.
    • Annotating, Tracking, and Protecting Cryptographic Secrets with CryptoMPK. 2022 IEEE Symposium on Security and Privacy (SP), 650-665. DOI: 10.1109/SP46214.2022.9833650. Published May 2022.
    • C Program Partitioning with Fine-Grained Security Constraints and Post-Partition Verification. MILCOM 2022 - 2022 IEEE Military Communications Conference, 285-291. DOI: 10.1109/MILCOM55135.2022.10017451. Published 28 Nov 2022.
    • μSCOPE: A Methodology for Analyzing Least-Privilege Compartmentalization in Large Software Artifacts. Proceedings of the 24th International Symposium on Research in Attacks, Intrusions and Defenses (2021), 296-311. DOI: 10.1145/3471621.3471839. Published 6 Oct 2021.
    • SCALPEL: Exploring the Limits of Tag-enforced Compartmentalization. ACM Journal on Emerging Technologies in Computing Systems 18(1) (2021), 1-28. DOI: 10.1145/3461673. Published 29 Sep 2021.
