DOI: 10.1145/3564625.3564664 (ACSAC Conference Proceedings; research article; open access)

Towards Practical Application-level Support for Privilege Separation

Published: 05 December 2022

Abstract

Privilege separation (privsep) is an effective technique for improving software’s security, but it requires decomposing software into components and assigning each component different privileges, which is often laborious and error-prone. This paper contributes the following for applying privsep to C software: (1) a portable, lightweight, and distributed runtime library that abstracts externally-enforced compartment isolation; (2) an abstract compartmentalization model of software for reasoning about privsep; and (3) a privsep-aware Clang-based tool for code analysis and semi-automatic software transformation to use the runtime library. The evaluation spans 19 compartmentalizations of third-party software and examines three aspects. Security: 4 CVEs in widely-used software were rendered unexploitable. Approximate effort saving: on average, the synthesis-to-annotation code ratio was greater than 11.9 (i.e., 10× lines of code were generated for each annotation). Overhead: execution-time overhead was less than 2%, and memory overhead was linear in the number of compartments.


Cited By

  • (2023) A Domain-Specific Language for Reconfigurable, Distributed Software Architecture. 2023 IEEE International Parallel and Distributed Processing Symposium Workshops (IPDPSW), 335–344. https://doi.org/10.1109/IPDPSW59300.2023.00063 (online publication date: May 2023)

Published In

ACSAC '22: Proceedings of the 38th Annual Computer Security Applications Conference
December 2022
1021 pages
ISBN:9781450397599
DOI:10.1145/3564625

Publisher

Association for Computing Machinery

New York, NY, United States

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

ACSAC

Acceptance Rates

Overall Acceptance Rate 104 of 497 submissions, 21%

Article Metrics

  • Downloads (Last 12 months)331
  • Downloads (Last 6 weeks)38
Reflects downloads up to 15 Oct 2024
