'Smart' Privilege Separation

A collection of works on:

  • compiler- or formal-methods-assisted privilege separation;
  • large-scale analysis tools for measuring how programs use privileges.

More

  • 2019 CCS: Program-mandering: Quantitative Privilege Separation
  • Reference: Liu, Shen, Dongrui Zeng, Yongzhe Huang, Frank Capobianco, Stephen McCamant, Trent Jaeger, and Gang Tan. "Program-mandering: Quantitative privilege separation." In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security (CCS), pp. 1023-1040. 2019. Input: (a) source code plus user annotations marking sensitive functions and globals; (b) budgets on the partitioning metrics (such as how large the sensitive domain may grow and how much cross-domain interaction is acceptable) together with the optimization goal. Output: the set of functions and globals that should be placed in the sensitive domain.

  • 2015 CCS: Security-Oriented Analysis of Application Programs (SOAAP)
  • Reference: Gudka, Watson, Anderson, Chisnall, Davis, Laurie, Marinos, Neumann, and Richardson. "Clean Application Compartmentalization with SOAAP." CCS, 2015. LLVM-based tool: the programmer states compartmentalization hypotheses as source-code annotations and SOAAP checks them against the program. It helps both to create new compartmentalizations for complex applications and to discover design faults in applications that are already compartmentalized.
    Challenges it addresses: reasoning about the compartmentalization trade-offs is difficult because
    ◦ information about past vulnerabilities is not easily accessible;
    ◦ call graphs of compartmentalized applications are extremely complex;
    ◦ simple control-flow analysis cannot follow manually encoded cross-domain actions, such as those carried out via IPC;
    ◦ reasoning about information flow across compartments is hard;
    ◦ failures caused by compartmentalization are hard to debug and to test for;
    ◦ performance impacts are difficult to predict and control.

  • 2019 DSN: PrivAnalyzer: Measuring the Efficacy of Linux Privilege Use
  • Reference: PrivAnalyzer: Measuring the Efficacy of Linux Privilege Use. DSN, 2019.

  • 2007 SOSP: Secure web applications via automatic partitioning
  • Reference: Chong, Liu, Myers, Qi, Vikram, Zheng, and Zheng. "Secure web applications via automatic partitioning." SOSP, 2007.

  • 2004 USENIX Security: Privtrans: Automatically Partitioning Programs for Privilege Separation
  • References: Brumley and Song. "Privtrans: Automatically Partitioning Programs for Privilege Separation." USENIX Security, 2004. Provos, Friedl, and Honeyman. "Preventing Privilege Escalation" (privilege separation in OpenSSH). USENIX Security, 2003. Privtrans partitions a single program into two parts: a monitor, to which all trust and privileges are relegated and which forms a small TCB; and a slave, which runs the rest of the program without privileges and asks the monitor to carry out privileged operations on its behalf.
    Q: What kind of static analysis techniques are used?
    A: user annotations mark privileged variables and functions; an inter-procedural static analysis propagates the privileged attribute through the program; a "meet-over-all-paths" data-flow analysis then finds the proper places to insert calls to the monitor.
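The monitor/slave split described above, as an added example that is not code from the Privtrans paper, its tool, or OpenSSH: a hand-written partition of the kind Privtrans generates. priv_get_secret() is a hypothetical privileged function (the one the programmer would annotate), its secrets table is constructed data, and uid/gid 65534 for dropping privileges is an assumption. The slave's direct call is replaced by a stub that sends a fixed-size request over a socketpair; the monitor validates every field of the request before any privileged code runs and refuses unknown operations rather than trusting the slave.

```c
/* Added example: manual monitor/slave privilege separation in the style
 * Privtrans automates. priv_get_secret() is a hypothetical privileged
 * function; everything after drop_privileges() runs in the slave. */
#include <errno.h>
#include <grp.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Wire format: fixed-size, pointer-free structs. The monitor treats every
 * byte arriving on the socket as attacker-controlled. */
enum { OP_GET_SECRET = 1 };
struct request  { uint32_t op; uint32_t arg; };
struct response { int32_t status; char data[64]; };

/* ---- privileged side: executed only by the monitor ---- */

/* Hypothetical privileged operation over constructed data; in a real
 * program this would be the call that needs root (e.g. reading /etc/shadow). */
static int priv_get_secret(uint32_t index, char *out, size_t outlen) {
    static const char *const secrets[] = { "alpha", "bravo" };
    if (index >= sizeof secrets / sizeof secrets[0]) return -EINVAL;
    snprintf(out, outlen, "%s", secrets[index]);
    return 0;
}

/* Monitor policy, the point where Privtrans' inserted calls land: validate
 * the whole request before privileged code runs; never dereference peer data. */
int monitor_handle(const struct request *req, struct response *resp) {
    memset(resp, 0, sizeof *resp);
    if (req->op == OP_GET_SECRET)
        resp->status = priv_get_secret(req->arg, resp->data, sizeof resp->data);
    else
        resp->status = -EPERM;            /* unknown op: refuse, keep serving */
    return resp->status;
}

/* ---- transport helpers used by both sides ---- */

/* 1 = got n bytes, 0 = clean EOF before any byte, -1 = error or short read */
static int read_full(int fd, void *buf, size_t n) {
    size_t got = 0;
    while (got < n) {
        ssize_t r = read(fd, (char *)buf + got, n - got);
        if (r == 0) return got == 0 ? 0 : -1;
        if (r < 0) { if (errno == EINTR) continue; return -1; }
        got += (size_t)r;
    }
    return 1;
}

static int write_full(int fd, const void *buf, size_t n) {
    size_t done = 0;
    while (done < n) {
        ssize_t w = write(fd, (const char *)buf + done, n - done);
        if (w < 0) { if (errno == EINTR) continue; return -1; }
        done += (size_t)w;
    }
    return 0;
}

/* One turn of the monitor loop: 1 = served a request, 0 = slave went away,
 * -1 = transport error. */
int monitor_serve_one(int fd) {
    struct request req; struct response resp;
    int r = read_full(fd, &req, sizeof req);
    if (r <= 0) return r;
    monitor_handle(&req, &resp);
    return write_full(fd, &resp, sizeof resp) == 0 ? 1 : -1;
}

/* ---- unprivileged side: the stub that replaces the direct call ---- */
int slave_get_secret(int fd, uint32_t index, char *out, size_t outlen) {
    struct request req = { OP_GET_SECRET, index };
    struct response resp;
    if (write_full(fd, &req, sizeof req) != 0) return -1;
    if (read_full(fd, &resp, sizeof resp) != 1) return -1;
    if (resp.status != 0) return resp.status;
    resp.data[sizeof resp.data - 1] = '\0';   /* don't trust peer termination */
    snprintf(out, outlen, "%s", resp.data);
    return 0;
}

/* Drop to an unprivileged uid/gid when started as root (65534 is an assumption). */
static void drop_privileges(void) {
    if (geteuid() != 0) return;
    if (setgroups(0, NULL) != 0 || setgid(65534) != 0 || setuid(65534) != 0) _exit(1);
}

int main(void) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) { perror("socketpair"); return 1; }
    pid_t pid = fork();
    if (pid < 0) { perror("fork"); return 1; }
    if (pid == 0) {                           /* slave */
        close(sv[0]);
        drop_privileges();
        char secret[64];
        int rc = slave_get_secret(sv[1], 1, secret, sizeof secret);
        printf("slave(uid=%d): rc=%d secret=%s\n", (int)getuid(), rc, rc == 0 ? secret : "");
        _exit(0);
    }
    close(sv[1]);                             /* monitor */
    while (monitor_serve_one(sv[0]) == 1) ;
    waitpid(pid, NULL, 0);
    return 0;
}
```

Running the binary forks the slave, which drops privileges (when started as root) and fetches secret 1 through the monitor; the monitor loop ends when the slave closes its end of the socketpair. The tedious part, deciding where the stub/monitor boundary falls and marshalling the arguments across it, is exactly what Privtrans' annotation-driven data-flow analysis automates.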

Created Dec 19, 2020 // Last Updated Dec 19, 2020
