Towards Automated Privilege Separation

Bapat, Dhananjay; Butler, Kevin; McDaniel, Patrick

doi:10.1007/978-3-540-77086-2_24

Cited by 1 publication

(1 citation statement)

References 11 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…It is also more limited, as the partitions are more rigidly defined. Bapat et al [3] investigate the automatic specification of the privileged Systrace segments using black box analysis. Similarly to Systrace, the Privman library [21] provides a systematic and reusable approach for partitioning operations that require higher privileges through the provided API.…”

Section: Privilege Separationmentioning

confidence: 99%

Adaptive defenses for commodity software through virtual application partitioning

Geneiatakis

Portokalidis

Kemerlis

et al. 2012

Proceedings of the 2012 ACM Conference on Computer and Communications Security

View full text Add to dashboard Cite

Applications can be logically separated to parts that face different types of threats, or suffer dissimilar exposure to a particular threat because of external events or innate properties of the software. Based on this observation, we propose the virtual partitioning of applications that will allow the selective and targeted application of those protection mechanisms that are most needed on each partition, or manage an application's attack surface by protecting the most exposed partition. We demonstrate the value of our scheme by introducing a methodology to automatically partition software, based on the intrinsic property of user authentication. Our approach is able to automatically determine the point where users authenticate, without access to source code. At runtime, we employ a monitor that utilizes the identified authentication points, as well as events like accessing specific files, to partition execution and adapt defenses by switching between protection mechanisms of varied intensity, such as dynamic taint analysis and instruction-set randomization. We evaluate our approach using seven well-known network applications, including the MySQL database server. Our results indicate that our methodology can accurately discover authentication points. Furthermore, we show that using virtual partitioning to apply costly protection mechanisms can reduce performance overhead by up to 5x, depending on the nature of the application.

show abstract

Section: Privilege Separationmentioning

confidence: 99%