Article
DOI: 10.5555/1251123.1251144

Make least privilege a right (not a privilege)

Published: 12 June 2005

Abstract

Though system security would benefit if programmers routinely followed the principle of least privilege [24], the interfaces exposed by operating systems often stand in the way. We investigate why modern OSes thwart secure programming practices and propose solutions.

References

[1] The Apache Software Foundation. Apache. http://www.apache.org.
[2] D. J. Bernstein. qmail. http://cr.yp.to/qmail.html.
[3] Internet Systems Consortium. Berkeley Internet Name Daemon. http://www.isc.org/sw/bind.
[4] A. C. Bomberger, W. S. Frantz, A. C. Hardy, N. Hardy, C. R. Landau, and J. S. Shapiro. The KeyKOS nanokernel architecture. In USENIX Workshop on Microkernels and Other Kernel Architectures. USENIX, 1992.
[5] D. Brumley and D. X. Song. Privtrans: Automatically partitioning programs for privilege separation. In USENIX Security Symposium, pages 57-72. USENIX, 2004.
[6] T. Fine and S. E. Minear. Assuring distributed trusted Mach. In Proceedings of the 1993 IEEE Symposium on Security and Privacy, page 206, Washington, DC, USA, 1993. IEEE Computer Society.
[7] I. Goldberg, D. Wagner, R. Thomas, and E. A. Brewer. A secure environment for untrusted helper applications. In Proceedings of the 6th USENIX Security Symposium, San Jose, CA, USA, 1996.
[8] G. C. Hunt and J. R. Larus. Singularity design motivation. Technical Report MSR-TR-2004-105, Microsoft Corporation, Dec. 2004.
[9] H. Inoue and S. Forrest. Anomaly intrusion detection in dynamic execution environments. In NSPW '02: Proceedings of the 2002 Workshop on New Security Paradigms, pages 52-60. ACM Press, 2002.
[10] M. Kaminsky, E. Peterson, D. B. Giffin, K. Fu, D. Mazières, and M. F. Kaashoek. REX: Secure, extensible remote execution. In Proceedings of the 2004 USENIX, pages 199-212, Boston, MA, June-July 2004. USENIX.
[11] P. Karger, M. Zurko, D. Bonin, A. Mason, and C. Kahn. A retrospective on the VAX VMM security kernel. IEEE Transactions on Software Engineering, 17(11):1147-1165, 1991.
[12] M. Krohn. Building secure high-performance web services with OKWS. In Proceedings of the 2004 USENIX, Boston, MA, June-July 2004. USENIX.
[13] H. Levy. Capability-based Computer Systems. Digital Press, 1984.
[14] J. Liedtke. Toward real microkernels. Communications of the ACM, 39(9):70-77, 1996.
[15] P. Loscocco and S. Smalley. Meeting critical security objectives with Security-Enhanced Linux. In Proceedings of the Ottawa Linux Symposium 2001, June 2001.
[16] D. Mazières. A toolkit for user-level file systems. In Proceedings of the 2001 USENIX, pages 261-274. USENIX, June 2001.
[17] A. C. Myers and B. Liskov. A decentralized model for information flow control. In Proceedings of the 16th ACM Symposium on Operating Systems Principles, pages 129-142, Saint-Malo, France, October 1997. ACM.
[18] PHP: Hypertext Preprocessor. http://www.php.net.
[19] R. Pike, D. Presotto, S. Dorward, B. Flandrena, K. Thompson, H. Trickey, and P. Winterbottom. Plan 9 from Bell Labs. Computing Systems, 8(3):221-254, Summer 1995.
[20] R. Pike, D. Presotto, K. Thompson, H. Trickey, and P. Winterbottom. The use of name spaces in Plan 9. In Proceedings of the 5th ACM SIGOPS Workshop, Mont Saint-Michel, 1992.
[21] Postfix. http://www.postfix.org.
[22] N. Provos. Improving host security with system call policies. In Proceedings of the 12th USENIX Security Symposium, pages 257-271, Washington, DC, August 2003.
[23] N. Provos, M. Friedl, and P. Honeyman. Preventing privilege escalation. In Proceedings of the 12th USENIX Security Symposium, Washington, DC, August 2003.
[24] J. H. Saltzer and M. D. Schroeder. The protection of information in computer systems. Proceedings of the IEEE, 63(9):1278-1308, Sept. 1975.
[25] R. Sandberg, D. Goldberg, S. Kleiman, D. Walsh, and B. Lyon. Design and implementation of the Sun network filesystem. In Proceedings of the Summer 1985 USENIX, pages 119-130, Portland, OR, 1985. USENIX.
[26] The Sendmail Consortium. Sendmail. http://www.sendmail.org.
[27] J. S. Shapiro, M. S. Doerrie, E. Northup, S. Sridhar, and M. Miller. Towards a verified, general-purpose operating system kernel. In G. Klein, editor, Proc. NICTA Formal Methods Workshop on Operating Systems Verification, Sydney, Australia, 2004. NICTA Technical Report 0401005T-1, National ICT Australia.
[28] J. S. Shapiro, J. Smith, and D. J. Farber. EROS: a fast capability system. In Proc. Symposium on Operating Systems Principles, pages 170-185, 1999.
[29] R. Spencer, S. Smalley, P. Loscocco, M. Hibler, D. Andersen, and J. Lepreau. The Flask security architecture: System support for diverse security policies. In Proceedings of the Eighth USENIX Security Symposium, August 1999.
[30] M. Stiegler, A. H. Karp, K.-P. Yee, and M. Miller. Polaris: Virus safe computing for Windows XP. Technical Report HPL-2004-221, December 2004.
[31] R. N. M. Watson. TrustedBSD: Adding trusted operating system features to FreeBSD. In Proceedings of the FREENIX Track: 2001 USENIX Annual Technical Conference, pages 15-28. USENIX Association, 2001.
[32] A. Whitaker, M. Shaw, and S. D. Gribble. Scale and performance in the Denali isolation kernel. In Proceedings of the 2002 Symposium on Operating Systems Design and Implementation (OSDI), Dec. 2002.
[33] M. V. Wilkes and R. M. Needham. The Cambridge CAP Computer and its Operating System. North Holland, 1979.


Published In

HOTOS'05: Proceedings of the 10th Conference on Hot Topics in Operating Systems - Volume 10
June 2005, 154 pages

Sponsors

  • IEEE Technical Committee on Operating Systems (TCOS)
  • USENIX Association

Publisher

USENIX Association, United States



Cited By

  • (2017) New Directions for Container Debloating. Proceedings of the 2017 Workshop on Forming an Ecosystem Around Software Transformation, pages 51-56. DOI 10.1145/3141235.3141241. Online publication date: 3 Nov 2017.
  • (2017) Cimplifier: automatically debloating containers. Proceedings of the 2017 11th Joint Meeting on Foundations of Software Engineering, pages 476-486. DOI 10.1145/3106237.3106271. Online publication date: 21 Aug 2017.
  • (2014) SHILL. Proceedings of the 11th USENIX Conference on Operating Systems Design and Implementation, pages 183-199. DOI 10.5555/2685048.2685063. Online publication date: 6 Oct 2014.
  • (2012) Enforcing user-space privilege separation with declarative architectures. Proceedings of the Seventh ACM Workshop on Scalable Trusted Computing, pages 9-20. DOI 10.1145/2382536.2382541. Online publication date: 15 Oct 2012.
  • (2011) CloudVisor. Proceedings of the Twenty-Third ACM Symposium on Operating Systems Principles, pages 203-216. DOI 10.1145/2043556.2043576. Online publication date: 23 Oct 2011.
  • (2011) Making information flow explicit in HiStar. Communications of the ACM, 54(11):93-101. DOI 10.1145/2018396.2018419. Online publication date: 1 Nov 2011.
  • (2010) Johnny can drag and drop. Proceedings of the 4th Symposium on Computer Human Interaction for the Management of Information Technology, pages 1-8. DOI 10.1145/1873561.1873565. Online publication date: 12 Nov 2010.
  • (2009) Nemesis. Proceedings of the 18th USENIX Security Symposium, pages 267-282. DOI 10.5555/1855768.1855785. Online publication date: 10 Aug 2009.
  • (2008) Wedge. Proceedings of the 5th USENIX Symposium on Networked Systems Design and Implementation, pages 309-322. DOI 10.5555/1387589.1387611. Online publication date: 16 Apr 2008.
  • (2007) Dynamic trust assessment of software services. 2nd International Workshop on Service Oriented Software Engineering, in conjunction with the 6th ESEC/FSE Joint Meeting, pages 36-40. DOI 10.1145/1294928.1294937. Online publication date: 3 Sep 2007.
