2019 CCS: Program-mandering: Quantitative Privilege Separation

References:

  • Liu, Shen, Dongrui Zeng, Yongzhe Huang, Frank Capobianco, Stephen McCamant, Trent Jaeger, and Gang Tan. “Program-mandering: Quantitative privilege separation.” In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, pp. 1023-1040. 2019.

Input: a) source code + user annotations on sensitive functions/globals; b) metrics budgets and the optimization goal.

Output: A set of functions and globals that should be included in the sensitive domain. The rest of the code stays in the insensitive domain.
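The input/output contract above can be made concrete with a toy search over a call graph. This is an added illustration, not the Program-mandering tool or its algorithm: the call graph, the global-access table and the sensitive-global annotation are constructed for a hypothetical thttpd-like server, the budget is a cap on the number of functions in the sensitive domain, and the optimization goal is the number of call edges that cross the domain boundary (each of which becomes a cross-process call under process separation). The exhaustive search is only workable for a toy graph; a real tool needs an ILP or heuristic solver.

```python
"""Toy quantitative privilege separation over a call graph.

Added illustration (not the Program-mandering tool or its algorithm): given
user annotations on sensitive functions/globals plus a budget on the size of
the sensitive domain, pick the set of functions for the sensitive domain that
minimises the number of call edges crossing the domain boundary.
"""
from itertools import combinations

# Constructed call graph of a hypothetical thttpd-like server: function -> callees.
CALL_GRAPH = {
    "main": ["parse_request", "serve_file", "check_auth"],
    "parse_request": ["log"],
    "serve_file": ["log"],
    "check_auth": ["read_htpasswd", "compare_hash", "log"],
    "read_htpasswd": ["read_file"],
    "compare_hash": [],
    "read_file": [],
    "log": [],
}

# Constructed annotations: which globals each function touches, and which
# globals the user marked as sensitive (the .htpasswd contents in memory).
GLOBAL_ACCESS = {
    "read_htpasswd": {"htpasswd_buf"},
    "compare_hash": {"htpasswd_buf"},
    "log": {"log_fd"},
}
SENSITIVE_GLOBALS = {"htpasswd_buf"}
ANNOTATED_SENSITIVE_FUNCTIONS = set()  # the user may also mark functions directly


def seed_functions(global_access, sensitive_globals, annotated_functions):
    """Functions that must land in the sensitive domain: those annotated
    directly plus every function that touches a sensitive global."""
    seeds = set(annotated_functions)
    for func, globs in global_access.items():
        if globs & sensitive_globals:
            seeds.add(func)
    return frozenset(seeds)


def crossing_calls(graph, sensitive):
    """Number of call edges with exactly one endpoint in the sensitive domain."""
    return sum(
        1
        for caller, callees in graph.items()
        for callee in callees
        if (caller in sensitive) != (callee in sensitive)
    )


def partition(graph, seeds, size_budget):
    """Try every sensitive set that contains the seeds and has at most
    size_budget functions; return the one with the fewest boundary crossings,
    breaking ties toward the smaller sensitive domain (smaller TCB)."""
    seeds = frozenset(seeds)
    if size_budget < len(seeds):
        raise ValueError("budget smaller than the seed set: no feasible partition")
    others = sorted(set(graph) - seeds)
    best = None
    for extra_count in range(0, min(size_budget - len(seeds), len(others)) + 1):
        for extra in combinations(others, extra_count):
            candidate = seeds | frozenset(extra)
            cost = (crossing_calls(graph, candidate), len(candidate))
            if best is None or cost < best[0]:
                best = (cost, candidate)
    (crossings, _), sensitive = best
    return {
        "sensitive": sensitive,
        "insensitive": frozenset(graph) - sensitive,
        "crossings": crossings,
    }


if __name__ == "__main__":
    seeds = seed_functions(GLOBAL_ACCESS, SENSITIVE_GLOBALS, ANNOTATED_SENSITIVE_FUNCTIONS)
    for budget in (2, 3, 4, 8):
        result = partition(CALL_GRAPH, seeds, budget)
        print(f"budget={budget}: sensitive={sorted(result['sensitive'])} "
              f"crossings={result['crossings']}")
```

Running it shows the trade-off the budget controls: with only the two seed functions allowed, three calls cross the boundary; allowing one more function pulls `read_file` in and drops that to two; only when the budget admits the whole program do the crossings reach zero, at the price of putting everything (including the request parser that handles untrusted input) into the sensitive domain.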

The resulting partition is implemented manually.

Key techniques

Isolation mechanism: Process separation.

Evaluation

Benchmarks

  • telnet
    • a tool used to control a remote machine.
    • data from internet server (3)
    • isolate the component that processes untrusted data.
  • thttpd
    • an http server program
    • authentication file (1): .htpasswd
    • isolated domain to process .htpasswd on the server.
  • wget
    • data from internet servers (29)
    • isolated less secure domain to process the downloaded data from servers.
  • nginx
    • web server
    • authentication (1)
    • protect the server-side password file from being leaked.
  • Linux shadow utils, 30 small programs, such as:
    • chsh
      • sens. data: pwd file (1)
    • chage
      • sens. data: pwd file (1)
    • passwd
      • sens. data: pwd & shadow files (1)
    • useradd
      • sens. data: pwd & shadow files (4)

Questions

As stated in the paper, it cannot partition an individual function (a function is placed wholly in one domain or the other). Splitting a function can be useful, though:

  • the main function is split manually in the telnet example.

More

Created Dec 4, 2020 // Last Updated Dec 19, 2020
