Wedge: Splitting Applications into Reduced-Privilege Compartments

Software vulnerabilities and bugs persist, and so exploits continue to cause significant damage, particularly by divulging users' sensitive data to miscreants. Yet the vast majority of networked applications remain monolithically structured, in stark contravention of the ideal of least-privilege partitioning. Like others before us, we believe this state of affairs continues because today's operating systems offer isolation primitives that are cumbersome. We present Wedge, a system well suited to the splitting of complex, legacy, monolithic applications into fine-grained, least-privilege compartments. Wedge consists of two synergistic parts: OS primitives that create compartments with default-deny semantics, which force the programmer to make compartments' privileges explicit; and Crowbar, a pair of run-time analysis tools that assist the programmer in determining which code needs which privileges for which memory objects. By implementing the Wedge system atop Linux, and applying it to the SSL-enabled Apache web server and the OpenSSH login server, we demonstrate that Wedge allows fine-grained compartmentalization of applications to prevent the leakage of sensitive data, at acceptable performance cost. We further show that Wedge is powerful enough to prevent a subtle man-in-the-middle attack that succeeds on a more coarsely privilege-separated Apache web server.
