Clean Application Compartmentalization with SOAAP

Application compartmentalization, a vulnerability mitigation technique employed in programs such as OpenSSH and the Chromium web browser, decomposes software into isolated components to limit privileges leaked or otherwise available to attackers. However, compartmentalizing applications -- and maintaining that compartmentalization -- is hindered by ad hoc methodologies and significantly increased programming effort. In practice, programmers stumble through (rather than overtly reason about) compartmentalization spaces of possible decompositions, unknowingly trading off correctness, security, complexity, and performance. We present a new conceptual framework embodied in an LLVM-based tool: the Security-Oriented Analysis of Application Programs (SOAAP) that allows programmers to reason about compartmentalization using source-code annotations (compartmentalization hypotheses). We demonstrate considerable benefit when creating new compartmentalizations for complex applications, and analyze existing compartmentalized applications to discover design faults and maintenance issues arising from application evolution.
