Salus: Non-hierarchical Memory Access Rights to Enforce the Principle of Least Privilege

نویسندگان

  • Niels Avonds
  • Raoul Strackx
  • Pieter Agten
  • Frank Piessens
چکیده

Consumer devices are increasingly being used to perform security and privacy critical tasks. The software used to perform these tasks is often vulnerable to attacks, due to bugs in the application itself or in included software libraries. Recent work proposes the isolation of security-sensitive parts of applications into protected modules, each of which can only be accessed through a predefined public interface. But most parts of an application can be considered security-sensitive at some level, and an attacker that is able to gain in-application level access may be able to abuse services from protected modules. We propose Salus, a Linux kernel modification that provides a novel approach for partitioning processes into isolated compartments. By enabling compartments to restrict the system calls they are allowed to perform and to authenticate their callers and callees, the impact of unsafe interfaces and vulnerable compartments is significantly reduced. We describe the design of Salus, report on a prototype implementation and evaluate it in terms of security and performance. We show that Salus provides a significant security improvement with a low performance overhead, without relying on any non-standard hardware support.

برای دانلود متن کامل این مقاله و بیش از 32 میلیون مقاله دیگر ابتدا ثبت نام کنید

ثبت نام

اگر عضو سایت هستید لطفا وارد حساب کاربری خود شوید

منابع مشابه

Specifying and enforcing the principle of least privilege in role-based access control

The principle of least privilege in role-based access control (RBAC) is an important area of research. There are two crucial issues related to it: the specification and the enforcement. We believe that existing least privilege specification schemes are not comprehensive enough and few of the enforcement methods are likely to scale well. In this paper, we formally define the basic principle of l...

متن کامل

Research of Least Privilege for Database Administrators

Traditional database administrator (DBA) privileges are too high, which causes insider security threat problem. To solve this problem, an extended Role Based Access Control (RBAC) rights management model for DBA was brought out in this paper. Combined with the principle of least privilege security, this paper proposes a scheme which contains three management roles separation and dynamic constra...

متن کامل

Parameterized Authentication

We describe an approach to sensor-based authentication that can adapt to accommodate incomplete, unreliable, or inaccurate input provided to the system. Parameterized Authentication moves beyond the traditional approach to security by acknowledging that identity verification cannot always produce perfect results. Our model addresses such inherent imperfections by introducing a metric, the Authe...

متن کامل

Hardware support for compartmentalisation

Compartmentalisation is a technique to reduce the impact of security bugs by enforcing the ‘principle of least privilege’ within applications. Splitting programs into separate components that each operate with minimal access to resources means that a vulnerability in one part is prevented from affecting the whole. However, the performance costs and development effort of doing this have so far p...

متن کامل

How Emily Tamed the Caml

security, programming, performance How does one make a program breach resistant? One promising approach is to apply the Principle of Least Authority at object granularity. The E language has previously demonstrated that object-capability languages turn many of the security requirements for software into emergent properties of traditional object-oriented design and modularity enforcement. Emily ...

متن کامل

ذخیره در منابع من


  با ذخیره ی این منبع در منابع من، دسترسی به آن را برای استفاده های بعدی آسان تر کنید

برای دانلود متن کامل این مقاله و بیش از 32 میلیون مقاله دیگر ابتدا ثبت نام کنید

ثبت نام

اگر عضو سایت هستید لطفا وارد حساب کاربری خود شوید

عنوان ژورنال:

دوره   شماره 

صفحات  -

تاریخ انتشار 2013