Make Least Privilege a Right (Not a Privilege)

Though system security would benefit if programmers routinely followed the principle of least privilege [24], the interfaces exposed by operating systems often stand in the way. We investigate why modern OSes thwart secure programming practices and propose solutions.

[1] Niels Provos et al. Preventing Privilege Escalation, 2003, USENIX Security Symposium.

[2] Maxwell N. Krohn et al. Building Secure High-Performance Web Services with OKWS, 2004, USENIX Annual Technical Conference, General Track.

[3] Jonathan M. Smith et al. EROS: A Fast Capability System, 1999, SOSP.

[4] Marianne Shaw et al. Scale and Performance in the Denali Isolation Kernel, 2002, OSDI '02.

[5] David Mazières et al. A Toolkit for User-Level File Systems, 2001, USENIX Annual Technical Conference, General Track.

[6] David A. Wagner et al. A Secure Environment for Untrusted Helper Applications, 1996, USENIX Security Symposium.

[7] Jonathan S. Shapiro et al. The KeyKOS Nanokernel Architecture, 1992, USENIX Workshop on Microkernels and Other Kernel Architectures.

[8] Maurice V. Wilkes et al. The Cambridge CAP Computer and Its Operating System (Operating and Programming Systems Series), 1979.

[9] Aaas News et al. Book Reviews, 1893, Buffalo Medical and Surgical Journal.

[10] Mary Ellen Zurko et al. A Retrospective on the VAX VMM Security Kernel, 1991, IEEE Trans. Software Eng.

[11] Stephanie Forrest et al. Anomaly Intrusion Detection in Dynamic Execution Environments, 2002, NSPW '02.

[12] David Mazières et al. REX: Secure, Extensible Remote Execution, 2004, USENIX Annual Technical Conference, General Track.

[13] Dan Walsh et al. Design and Implementation of the Sun Network Filesystem, 1985, USENIX Conference Proceedings.

[14] Ian Goldberg et al. A Secure Environment for Untrusted Helper Applications: Confining the Wily Hacker, 1996.

[15] Alan H. Karp et al. Polaris: Virus-Safe Computing for Windows XP, 2006, CACM.

[16] Ken Thompson et al. The Use of Name Spaces in Plan 9, 1993, OPSR.

[17] Todd Fine et al. Assuring Distributed Trusted Mach, 1993, Proceedings of the 1993 IEEE Computer Society Symposium on Research in Security and Privacy.

[18] Jerome H. Saltzer et al. The Protection of Information in Computer Systems, 1975, Proc. IEEE.

[19] Henry M. Levy et al. Capability-Based Computer Systems, 1984.

[20] Jochen Liedtke et al. Toward Real Microkernels, 1996, CACM.

[21] Markus S. Miller et al. Towards a Verified, General-Purpose Operating System Kernel, 2004.

[22] Ken Thompson et al. Plan 9 from Bell Labs, 1995.

[23] Peter Loscocco et al. Meeting Critical Security Objectives with Security-Enhanced Linux, 2001.

[24] David Brumley et al. Privtrans: Automatically Partitioning Programs for Privilege Separation, 2004, USENIX Security Symposium.

[25] Niels Provos et al. Improving Host Security with System Call Policies, 2003, USENIX Security Symposium.

[26] Andrew C. Myers et al. A Decentralized Model for Information Flow Control, 1997, SOSP.

[27] Mike Hibler et al. The Flask Security Architecture: System Support for Diverse Security Policies, 1999, USENIX Security Symposium.

[28] Robert N. M. Watson et al. TrustedBSD: Adding Trusted Operating System Features to FreeBSD, 2001, USENIX Annual Technical Conference, FREENIX Track.