DOI: 10.1145/2382536.2382541
Research article

Enforcing user-space privilege separation with declarative architectures

Published: 15 October 2012

Abstract

Applying privilege separation in software development is an effective strategy for limiting the damage of an attack on a software system. In this approach, a software system is separated into a set of communicating protection domains, each holding only the privilege it needs. In a privilege-separated system, even if one protection domain is hijacked by an attacker, the rest of the system may still function.
uPro is a tool that provides efficient and flexible enforcement of privilege separation. It adopts software-based fault isolation to implement protection domains in user space, so that inter-domain communication is efficient. It provides a declarative language for describing an application's security architecture, helping developers identify and compare alternative architectures. The evaluation shows that real applications can be ported to uPro with enhanced security, acceptable performance, and declarative architectures.

Cited By

  • (2023) ABSLearn: a GNN-based framework for aliasing and buffer-size information retrieval. Pattern Analysis and Applications 26(3), 1171-1189. DOI: 10.1007/s10044-023-01142-2. Online publication date: 19 Feb 2023.
  • (2021) Cali: Compiler-Assisted Library Isolation. Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security, 550-564. DOI: 10.1145/3433210.3453111. Online publication date: 24 May 2021.
  • (2013) A versatile code execution isolation framework with security first. Proceedings of the 2013 ACM Workshop on Cloud Computing Security, 1-10. DOI: 10.1145/2517488.2517499. Online publication date: 8 Nov 2013.
  • (2013) Efficient user-space information flow control. Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security, 131-142. DOI: 10.1145/2484313.2484328. Online publication date: 8 May 2013.
  • (2013) Process firewalls. Proceedings of the 8th ACM European Conference on Computer Systems, 57-70. DOI: 10.1145/2465351.2465358. Online publication date: 15 Apr 2013.

    Published In

    STC '12: Proceedings of the seventh ACM workshop on Scalable trusted computing
    October 2012
    98 pages
    ISBN:9781450316620
    DOI:10.1145/2382536
    • Conference Chair: Shouhuai Xu
    • General Chair: Ting Yu
    • Program Chairs: Xinwen Zhang, Xuhua Ding
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

    Publisher

    Association for Computing Machinery, New York, NY, United States

    Author Tags

    1. declarative security architecture
    2. privilege separation
    3. sfi

    Conference

    CCS'12: the ACM Conference on Computer and Communications Security
    October 15, 2012
    Raleigh, North Carolina, USA

    Acceptance Rates

    STC '12 Paper Acceptance Rate 8 of 14 submissions, 57%;
    Overall Acceptance Rate 17 of 31 submissions, 55%
