Towards a Theory of Application Compartmentalisation

Application compartmentalisation decomposes software applications into sandboxed components, each delegated only the rights it requires to operate. Compartmentalisation is seeing increased deployment in vulnerability mitigation, motivated informally by appeal to the principle of least privilege. Drawing a comparison with capability systems, we consider how a distributed-system interpretation supports an argument that compartmentalisation improves application security.
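As an added illustration (not from the paper), the least-privilege argument can be made concrete with a small reachability model: treat compartments as mutually distrusting nodes of a distributed system, record the rights each holds directly and the rights or control its peers will extend to it over IPC, and compute what an attacker who compromises one input-facing compartment can exercise. The fetch-and-render pipeline, the right names and the trust edges below are constructed for this example and are not drawn from the paper.

```python
from collections import deque

# Constructed example (not from the paper): a fetch-and-render pipeline modelled
# as a graph of mutually distrusting compartments. Names and rights are invented.
#
# A model is a dict with:
#   rights:   {compartment: set of rights it holds directly}
#   grants:   {(giver, receiver): rights the giver hands the receiver on request over IPC}
#   controls: {compartment: peers that act on its unchecked instructions}, so a
#             compromise of the key propagates fully to those peers
#   exposed:  compartments that parse attacker-controlled input; a bug there is
#             the assumed point of compromise

ALL_RIGHTS = {"net:fetch", "fs:read-cache", "fs:write-cache", "fs:read-home", "ui:display"}

# One process holding every right: any bug yields everything.
MONOLITH = {
    "rights": {"app": set(ALL_RIGHTS)},
    "grants": {},
    "controls": {},
    "exposed": {"app"},
}

# Privilege-separated: a broker keeps the ambient rights and hands the renderer
# a read-only cache capability; fetcher and renderer parse untrusted data.
SPLIT = {
    "rights": {
        "broker": {"fs:read-cache", "fs:write-cache", "fs:read-home", "ui:display"},
        "fetcher": {"net:fetch"},
        "renderer": set(),
    },
    "grants": {("broker", "renderer"): {"fs:read-cache"}},
    "controls": {},
    "exposed": {"fetcher", "renderer"},
}

# Same split, but the broker executes the renderer's requests unchecked
# (a confused deputy), so the boundary buys almost nothing.
LEAKY = dict(SPLIT, controls={"renderer": {"broker"}})


def reachable_rights(model, start):
    """Rights an attacker who has compromised `start` can exercise: its own
    rights, anything peers will grant it, and transitively the same for every
    peer it fully controls."""
    seen, queue, gained = {start}, deque([start]), set()
    while queue:
        c = queue.popleft()
        gained |= model["rights"][c]
        for (giver, receiver), rs in model["grants"].items():
            if receiver == c:
                gained |= rs
        for peer in model["controls"].get(c, ()):
            if peer not in seen:
                seen.add(peer)
                queue.append(peer)
    return gained


def worst_case_exposure(model):
    """Largest share of all rights reachable from any single exposed compartment."""
    universe = set().union(*model["rights"].values())
    worst = max(len(reachable_rights(model, c)) for c in model["exposed"])
    return worst / len(universe)


if __name__ == "__main__":
    for name, model in ("monolith", MONOLITH), ("split", SPLIT), ("leaky", LEAKY):
        print(f"{name:8s} worst-case exposure = {worst_case_exposure(model):.2f}")
```

Exposure is taken over the input-facing compartments because the argument concerns where a memory-safety or parsing bug is likely to land; the broker stays fully trusted, and the `controls` edge in the leaky variant shows that a boundary across which one side trusts the other's output unchecked collapses back towards the monolithic case.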