How to automatically achieve privilege separation, or program partitioning, into as many partitions as we need, with every partition holding only its least privilege?
How to find the number of partitions we actually need?
How to determine the bounds of each partition, and the least privilege of a partition?
How to define and restrict the communications between partitions?
Just as DSA uses pointer analysis to automatically find disjoint memory objects and uses the result to partition memory into pools, could we also leverage pointer analysis to find disjoint program modules, each with its own code and data, and use the result to automatically partition a program?
Kernel Drivers, see:
OpenSSL, see:
wget, see:
fetch, see:
OpenSSH, see:
Many used in automatic separation.
2009 Eurosys: Isolating Web Programs in Modern Browser Architectures. References: Reis, Charles, and Steven D. Gribble. “Isolating web programs in modern browser architectures.” In Proceedings of the 4th ACM European conference on Computer systems, pp. 219-232. 2009.
Preventing Privilege Escalation. 2003 USENIX Security: Privilege Escalation. Services that require special privilege for their operation are critically sensitive.
More Capsicum CHERI Compartmentalization
Reference 1: Userspace store/load on ARM.
Arm Inst Iso. Reference 1: Instruction-Level Data Isolation for the Kernel on ARM. DAC’17.
Reference1 2 Interactions. Reference: Overview of Intel SGX, part2.
ECALL: Enclave Call. The application invokes a pre-defined function inside the enclave. It can pass input parameters and pointers to shared memory within the application.
OCALL: Outside Call. The enclave invokes a pre-defined function in the application. An OCALL cannot share enclave memory with the application; it must copy the parameters into the application memory before the OCALL.
AEX: Asynchronous Exit.
Put the malicious part (or the security part) into a box, using pure software. Examples: process-based or thread-based isolation; SFI and its variants.
Lang Sep
Fidelius Charm: Isolating Unsafe Rust Code. Reference 1. Rust: memory safety is lost when any unsafe blocks are used. Fidelius Charm (FC): limiting access to the program’s memory while executing unsafe libraries: move sensitive program data to protected pages before entering unsafe code; call userspace lib e.
Intel SGX Hardware Capabilities Rings Reference 1 Lord X86 Reference 1 Lord of the x86 Rings: A Portable User Mode Privilege Separation Architecture on x86. CCS, 2018. SSM Reference1 TrustZone: see Architecture - ARM - TrustZone
Collection of works about compiler- or formal-methods-assisted privilege separation; large-scale analysis tools for privileges.
2019 CCS: Program-mandering: Quantitative Privilege Separation. References: Liu, Shen, Dongrui Zeng, Yongzhe Huang, Frank Capobianco, Stephen McCamant, Trent Jaeger, and Gang Tan. “Program-mandering: Quantitative privilege separation.” In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, pp. 1023-1040. 2019. Input: a) source code + user annotations on sensitive functions/globals; b) metrics budgets and the optimization goal.
2020 Sec Firefox. Reference 1: Shravan Narayan, Craig Disselkoen, Tal Garfinkel, Nathan Froyd, Eric Rahm, Sorin Lerner, Hovav Shacham, and Deian Stefan. RLBox: Retrofitting Fine Grain Isolation in the Firefox Renderer. In Proceedings of USENIX Security Symposium. August, 2020.
Reasoning About a Machine with Local Capabilities: Provably Safe Stack and Return Pointer Management
Formalizing the Security Guarantees of Compartmentalizing Compilation
References: Dautenhahn, Nathan, Theodoros Kasampalis, Will Dietz, John Criswell, and Vikram Adve. “Nested kernel: An operating system architecture for intra-kernel privilege separation.” In Proceedings of the Twentieth International Conference on Architectural Support for Programming Languages and Operating Systems, pp. 191-206. 2015.
References: Tarkhani, Zahra, and Anil Madhavapeddy. “Sirius: Enabling System-Wide Isolation for Trusted Execution Environments.” arXiv preprint arXiv:2009.01869 (2020).
References: Tarkhani, Zahra, and Anil Madhavapeddy. “$\mu$Tiles: Efficient Intra-Process Privilege Enforcement of Memory Regions.” arXiv preprint arXiv:2004.04846 (2020).
References: Park, Joongun, Naegyeong Kang, Taehoon Kim, Youngjin Kwon, and Jaehyuk Huh. “Nested enclave: supporting fine-grained hierarchical isolation with SGX.” In 2020 ACM/IEEE 47th Annual International Symposium on Computer Architecture (ISCA), pp. 776-789. IEEE, 2020.
References: Tsai, Chia-Che, Jeongseok Son, Bhushan Jain, John McAvey, Raluca Ada Popa, and Donald E. Porter. “Civet: An Efficient Java Partitioning Framework for Hardware Enclaves.” In 29th USENIX Security Symposium (USENIX Security 20). 2020.
References: Schrammel, David, Samuel Weiser, Stefan Steinegger, Martin Schwarzl, Michael Schwarz, Stefan Mangard, and Daniel Gruss. “Donky: Domain Keys–Efficient In-Process Isolation for RISC-V and x86.” In 29th USENIX Security Symposium (USENIX Security 20), pp. 1677-1694. 2020.
Evaluation. Three realistic use cases: secure V8 sandboxing; software vaults; untrusted third-party libraries. Two implementations: RISC-V Ariane CPU, synthesized on FPGA; Intel-MPK-based emulation for x86. Cross-domain switches are 16-116x faster than regular process context switches.
References: Gong, Li. “A Secure Identity-Based Capability System.” In IEEE symposium on security and privacy, pp. 56-63. 1989. ICAP: An Identity-based CAPability protection system.
References: Shekhar, Shashi, Michael Dietz, and Dan S. Wallach. “Adsplit: Separating smartphone advertising from applications.” In Presented as part of the 21st USENIX Security Symposium (USENIX Security 12), pp. 553-567. 2012.
Reference 1: Hardware enforcement of application security policies using tagged memory. 2008, OSDI.
Reference 1: Xoar: a modified version of Xen. Breaks the control VM into multiple single-purpose components called service VMs. Colp, Patrick, Mihir Nanavati, Jun Zhu, William Aiello, George Coker, Tim Deegan, Peter Loscocco, and Andrew Warfield. “Breaking up is hard to do: security and functionality in a commodity hypervisor.” In Proceedings of the Twenty-Third ACM Symposium on Operating Systems Principles, pp. 189-202. 2011.
Light-weight Context (lwC): a first-class OS abstraction that extends the POSIX API, presented with common coding patterns demonstrating its different uses. A process may contain multiple lwCs, each with its own virtual memory mappings, file descriptor bindings, and credentials, and those can also be selectively shared. lwCs are not schedulable entities: they are completely orthogonal to threads that may execute within a process. A thread may start in lwC a, then invoke a system call to switch to lwC b.
Reference 1: J. Wang, X. Xiong, and P. Liu. Between Mutual Trust and Mutual Distrust: Practical Fine-grained Privilege Separation in Multithreaded Applications. In 2015 USENIX Annual Technical Conference (USENIX ATC 15), pages 361–373, Santa Clara, CA, July 2015. USENIX Association.
Reference 1: R. Strackx, P. Agten, N. Avonds, and F. Piessens. Salus: Kernel Support for Secure Process Compartments. EAI Endorsed Transactions on Security and Safety, 15(3), 1 2015.
Reference: A. Bittau, P. Marchenko, M. Handley, and B. Karp. Wedge: Splitting Applications into Reduced-privilege Compartments. In Proceedings of the 5th USENIX Symposium on Networked Systems Design and Implementation, NSDI’08, pages 309–322, Berkeley, CA, USA, 2008. USENIX Association.
Evaluation: Apache/OpenSSL. Introducing compartments to preserve the confidentiality and integrity of SSL connections: protect the server’s RSA private key; prevent one user from obtaining the cleartext sent over another user’s SSL connection; or prevent one user from injecting content into another user’s SSL connection.
Questions:
How to determine and represent boundaries? Which level of the page is tagged, virtual or physical? ANS: the virtual page is tagged with permissions. A memory protection domain is defined as a contiguous range of virtual memory.
How to design a secure call gate to cross boundaries?
How many compartments in the benchmarks?
Reference 1: 3 generations of privilege separation. 1st gen: split a process into different single-process compartments.
Reference 1 IoT devices are mostly single-purpose running a dedicated, single application. As a result, vulnerabilities in third party libraries within a process pose a much bigger threat than on traditional platforms. Pyronia: protects against untrusted third-party code with unmodified source code. Goals: control how an application may obtain data from files/devices; control how in-memory data is propagated within an application, specifically between lib and app; control to which remote network destinations an application may export data Design:
References: AdDroid: Privilege Separation for Applications and Advertisers in Android. By Paul Pearce, Adrienne Porter Felt, Gabriel Nunez, and David Wagner. AsiaCCS, 2012. Overview: Problem from study: overprivileging of ads: 49% of Android apps contain at least one ad library; these libraries overprivilege 46% of ad-supported apps; 56% of apps with ads that request location (34% of all apps) do so only because of ads. Solution: a new ad framework, AdDroid, to apply privilege separation to advertising libraries:
Reference 1: Non-control data attacks: DOP. Lexical scope for every variable in C/C++: statically checked at compile time but can be violated at runtime, leveraged by DOP. Solution: Run-time Scope Enforcement (RSE): fine-grained compartmentalization of data memory within programs. Hardware-assisted RSE scheme: a set of six new instructions; compiler instrumentation; creating runtime rules defining which code blocks can access which pieces of memory. Rules as a stack; check on every load/store; check simultaneously with ?
Reference 1: MicroStache: A lightweight Execution Context for In-Process Safe Region Isolation.
Vasilakis, Nikos, Ben Karel, Nick Roessler, Nathan Dautenhahn, André DeHon, and Jonathan M. Smith. “BreakApp: Automated, Flexible Application Compartmentalization.” In NDSS. 2018.
If you could revise the fundamental principles of computer system design to improve security... what would you change?