Program-mandering: Quantitative privilege separation

Shen Liu, Dongrui Zeng, Stephen McCamant, Yongzhe Huang, Trent Jaeger, Frank Capobianco, Gang Tan

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Privilege separation is an effective technique to improve software security. However, past partitioning systems do not allow programmers to make quantitative tradeoffs between security and performance. In this paper, we describe our toolchain called PM. It can automatically find the optimal boundary in program partitioning. This is achieved by solving an integer-programming model that optimizes for a user-chosen metric while satisfying the remaining security and performance constraints on other metrics. We choose security metrics to reason about how well computed partitions enforce information flow control to: (1) protect the program from low-integrity inputs or (2) prevent leakage of program secrets. As a result, functions in the sensitive module that fall on the optimal partition boundaries automatically identify where declassification is necessary. We used PM to experiment on a set of real-world programs to protect confidentiality and integrity; results show that, with moderate user guidance, PM can find partitions that have better balance between security and performance than partitions found by a previous tool that requires manual declassification.

Original language: English (US)
Title of host publication: CCS 2019 - Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security
Publisher: Association for Computing Machinery
Pages: 1023-1040
Number of pages: 18
ISBN (Electronic): 9781450367479
DOIs: https://doi.org/10.1145/3319535.3354218
State: Published - Nov 6 2019
Event: 26th ACM SIGSAC Conference on Computer and Communications Security, CCS 2019 - London, United Kingdom
Duration: Nov 11 2019 - Nov 15 2019

Publication series

Name: Proceedings of the ACM Conference on Computer and Communications Security
ISSN (Print): 1543-7221

Conference

Conference: 26th ACM SIGSAC Conference on Computer and Communications Security, CCS 2019
Country: United Kingdom
City: London
Period: 11/11/19 - 11/15/19

Fingerprint

Integer programming
Flow control
Experiments

All Science Journal Classification (ASJC) codes

  • Software
  • Computer Networks and Communications

Cite this

Liu, S., Zeng, D., McCamant, S., Huang, Y., Jaeger, T., Capobianco, F., & Tan, G. (2019). Program-mandering: Quantitative privilege separation. In CCS 2019 - Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security (pp. 1023-1040). (Proceedings of the ACM Conference on Computer and Communications Security). Association for Computing Machinery. https://doi.org/10.1145/3319535.3354218
Liu, Shen ; Zeng, Dongrui ; McCamant, Stephen ; Huang, Yongzhe ; Jaeger, Trent ; Capobianco, Frank ; Tan, Gang. / Program-mandering : Quantitative privilege separation. CCS 2019 - Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security. Association for Computing Machinery, 2019. pp. 1023-1040 (Proceedings of the ACM Conference on Computer and Communications Security).
@inproceedings{cd34b2dc858846cd8b3dec8c5bbb54ae,
title = "Program-mandering: Quantitative privilege separation",
abstract = "Privilege separation is an effective technique to improve software security. However, past partitioning systems do not allow programmers to make quantitative tradeoffs between security and performance. In this paper, we describe our toolchain called PM. It can automatically find the optimal boundary in program partitioning. This is achieved by solving an integer-programming model that optimizes for a user-chosen metric while satisfying the remaining security and performance constraints on other metrics. We choose security metrics to reason about how well computed partitions enforce information flow control to: (1) protect the program from low-integrity inputs or (2) prevent leakage of program secrets. As a result, functions in the sensitive module that fall on the optimal partition boundaries automatically identify where declassification is necessary. We used PM to experiment on a set of real-world programs to protect confidentiality and integrity; results show that, with moderate user guidance, PM can find partitions that have better balance between security and performance than partitions found by a previous tool that requires manual declassification.",
author = "Shen Liu and Dongrui Zeng and Stephen McCamant and Yongzhe Huang and Trent Jaeger and Frank Capobianco and Gang Tan",
year = "2019",
month = "11",
day = "6",
doi = "10.1145/3319535.3354218",
language = "English (US)",
series = "Proceedings of the ACM Conference on Computer and Communications Security",
publisher = "Association for Computing Machinery",
pages = "1023--1040",
booktitle = "CCS 2019 - Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security",
}

Liu, S, Zeng, D, McCamant, S, Huang, Y, Jaeger, T, Capobianco, F & Tan, G 2019, Program-mandering: Quantitative privilege separation. in CCS 2019 - Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security. Proceedings of the ACM Conference on Computer and Communications Security, Association for Computing Machinery, pp. 1023-1040, 26th ACM SIGSAC Conference on Computer and Communications Security, CCS 2019, London, United Kingdom, 11/11/19. https://doi.org/10.1145/3319535.3354218

Program-mandering : Quantitative privilege separation. / Liu, Shen; Zeng, Dongrui; McCamant, Stephen; Huang, Yongzhe; Jaeger, Trent; Capobianco, Frank; Tan, Gang.

CCS 2019 - Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security. Association for Computing Machinery, 2019. p. 1023-1040 (Proceedings of the ACM Conference on Computer and Communications Security).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY  - GEN
T1  - Program-mandering
T2  - Quantitative privilege separation
AU  - Liu, Shen
AU  - Zeng, Dongrui
AU  - McCamant, Stephen
AU  - Huang, Yongzhe
AU  - Jaeger, Trent
AU  - Capobianco, Frank
AU  - Tan, Gang
PY  - 2019/11/6
Y1  - 2019/11/6
N2  - Privilege separation is an effective technique to improve software security. However, past partitioning systems do not allow programmers to make quantitative tradeoffs between security and performance. In this paper, we describe our toolchain called PM. It can automatically find the optimal boundary in program partitioning. This is achieved by solving an integer-programming model that optimizes for a user-chosen metric while satisfying the remaining security and performance constraints on other metrics. We choose security metrics to reason about how well computed partitions enforce information flow control to: (1) protect the program from low-integrity inputs or (2) prevent leakage of program secrets. As a result, functions in the sensitive module that fall on the optimal partition boundaries automatically identify where declassification is necessary. We used PM to experiment on a set of real-world programs to protect confidentiality and integrity; results show that, with moderate user guidance, PM can find partitions that have better balance between security and performance than partitions found by a previous tool that requires manual declassification.
AB  - Privilege separation is an effective technique to improve software security. However, past partitioning systems do not allow programmers to make quantitative tradeoffs between security and performance. In this paper, we describe our toolchain called PM. It can automatically find the optimal boundary in program partitioning. This is achieved by solving an integer-programming model that optimizes for a user-chosen metric while satisfying the remaining security and performance constraints on other metrics. We choose security metrics to reason about how well computed partitions enforce information flow control to: (1) protect the program from low-integrity inputs or (2) prevent leakage of program secrets. As a result, functions in the sensitive module that fall on the optimal partition boundaries automatically identify where declassification is necessary. We used PM to experiment on a set of real-world programs to protect confidentiality and integrity; results show that, with moderate user guidance, PM can find partitions that have better balance between security and performance than partitions found by a previous tool that requires manual declassification.
UR  - http://www.scopus.com/inward/record.url?scp=85075939352&partnerID=8YFLogxK
UR  - http://www.scopus.com/inward/citedby.url?scp=85075939352&partnerID=8YFLogxK
U2  - 10.1145/3319535.3354218
DO  - 10.1145/3319535.3354218
M3  - Conference contribution
AN  - SCOPUS:85075939352
T3  - Proceedings of the ACM Conference on Computer and Communications Security
SP  - 1023
EP  - 1040
BT  - CCS 2019 - Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security
PB  - Association for Computing Machinery
ER  - 

Liu S, Zeng D, McCamant S, Huang Y, Jaeger T, Capobianco F et al. Program-mandering: Quantitative privilege separation. In CCS 2019 - Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security. Association for Computing Machinery. 2019. p. 1023-1040. (Proceedings of the ACM Conference on Computer and Communications Security). https://doi.org/10.1145/3319535.3354218