Trellis: Privilege Separation for Multi-user Applications Made Easy

  • Conference paper
Research in Attacks, Intrusions, and Defenses (RAID 2016)

Abstract

Operating systems provide a wide variety of resource isolation and access control mechanisms, ranging from traditional user-based security models to fine-grained permission systems as found in modern mobile operating systems. However, comparatively little assistance is available for defining and enforcing access control policies within multi-user applications. These applications, often found in enterprise environments, allow multiple users to operate at different privilege levels in terms of exercising application functionality and accessing data. Developers of such applications bear a heavy burden in ensuring that security policies over code and data in this setting are properly expressed and enforced.

We present Trellis, an approach for expressing hierarchical access control policies in applications and enforcing these policies during execution. The approach enhances the development toolchain to allow programmers to partially annotate code and data with simple privilege level tags, and uses a static analysis to infer suitable tags for the entire application. At runtime, policies are extracted from the resulting binaries and are enforced by a modified operating system kernel. Our evaluation demonstrates that this approach effectively supports the development of secure multi-user applications with modest runtime performance overhead.
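The annotate-then-infer step the abstract describes, as an added illustration that is not Trellis's own analysis (the paper's inference rules and annotation syntax are not given on this page). Everything below is an assumption made for the example: integer tags where a higher number means more privilege, a rule that an unannotated function or data item takes the lowest tag of whatever calls or accesses it (so it stays reachable for every user who can reach its callers), a report of "privilege transitions" where lower-tagged code reaches a higher-tagged target, and a constructed call/access graph for a small accounting tool with hypothetical names.

```python
"""Toy privilege-tag inference over a call/access graph.

Added illustration only; not the Trellis analysis. Assumed (hypothetical) model:
  * tags are integers, 1 = ordinary user, 2 = manager, 3 = administrator;
  * an unannotated node gets the lowest tag among the nodes that call or
    access it, i.e. the most restrictive tag that keeps it reachable for
    everyone who can already reach its callers;
  * a node that nobody annotated and nobody reaches cannot be inferred and
    is reported so the developer adds a tag.
"""
from collections import defaultdict


def infer_tags(graph, annotations):
    """Return (tags, unresolved).

    graph:       dict node -> set of nodes it calls or accesses.
    annotations: dict node -> developer-supplied tag (the partial annotation).
    """
    nodes = set(graph) | {n for targets in graph.values() for n in targets}
    callers = defaultdict(set)
    for src, targets in graph.items():
        for dst in targets:
            callers[dst].add(src)

    tags = {n: annotations.get(n) for n in nodes}
    # Fixpoint: tags of unannotated nodes only ever decrease (min over a
    # growing set of known callers), so this terminates, cycles included.
    changed = True
    while changed:
        changed = False
        for n in nodes:
            if n in annotations:
                continue
            known = [tags[c] for c in callers[n] if tags[c] is not None]
            if known and (tags[n] is None or min(known) < tags[n]):
                tags[n] = min(known)
                changed = True

    unresolved = sorted(n for n in nodes if tags[n] is None)
    return tags, unresolved


def privilege_transitions(graph, tags):
    """Edges where a lower-tagged node reaches a higher-tagged one.

    In the assumed model these are the points where the runtime check fires
    and a user below the target tag is denied. A dispatcher at tag 1 entering
    an admin-only feature is expected; a tag-1 function that unconditionally
    touches tag-2 data is a bug the developer wants to see before shipping.
    Nodes with no tag yet are skipped.
    """
    found = []
    for src, targets in graph.items():
        for dst in targets:
            s, d = tags.get(src), tags.get(dst)
            if s is not None and d is not None and s < d:
                found.append((src, dst, s, d))
    return sorted(found)


# Constructed sample (hypothetical names): a small multi-user accounting tool.
SAMPLE_GRAPH = {
    "main":             {"render_menu", "view_balance", "approve_transfer", "export_report"},
    "render_menu":      {"format_amount"},
    "view_balance":     {"format_amount", "read_ledger"},
    "approve_transfer": {"format_amount", "read_ledger", "write_ledger", "audit_trail"},
    "export_report":    {"format_amount", "audit_trail"},   # bug: reachable at tag 1
    "read_ledger":      {"ledger_db"},
    "write_ledger":     {"ledger_db", "audit_trail"},
    "rebuild_index":    {"ledger_db"},                      # nobody calls it, no tag
}
SAMPLE_ANNOTATIONS = {
    "main": 1,
    "view_balance": 1,
    "approve_transfer": 3,
    "audit_trail": 2,   # managers and administrators may append to it
}


def run_sample():
    """Infer tags for the sample and list its privilege transitions."""
    tags, unresolved = infer_tags(SAMPLE_GRAPH, SAMPLE_ANNOTATIONS)
    return tags, unresolved, privilege_transitions(SAMPLE_GRAPH, tags)


if __name__ == "__main__":
    tags, unresolved, transitions = run_sample()
    for node in sorted(tags):
        print(f"{node:18s} tag={tags[node]}")
    print("needs annotation:", unresolved)
    for src, dst, s, d in transitions:
        print(f"transition {src} (tag {s}) -> {dst} (tag {d})")
```

In the sample, `format_amount`, `read_ledger` and `ledger_db` come out at tag 1 because a tag-1 function reaches them, `write_ledger` inherits tag 3 from its only caller, `rebuild_index` is reported as unresolved, and two transitions are listed: the expected dispatch from `main` into `approve_transfer`, and the unintended `export_report` (inferred tag 1) reaching the tag-2 `audit_trail`, which an ordinary user would always be denied.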

Acknowledgments

We would like to thank our shepherd Vasileios P. Kemerlis for his helpful feedback. This work was supported by the National Science Foundation (NSF) under grant CNS-1409738, and Secure Business Austria.

Author information

Corresponding author: Andrea Mambretti.

Copyright information

© 2016 Springer International Publishing Switzerland

About this paper

Cite this paper

Mambretti, A. et al. (2016). Trellis: Privilege Separation for Multi-user Applications Made Easy. In: Monrose, F., Dacier, M., Blanc, G., Garcia-Alfaro, J. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2016. Lecture Notes in Computer Science, vol 9854. Springer, Cham. https://doi.org/10.1007/978-3-319-45719-2_20

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-45719-2_20

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-45718-5

  • Online ISBN: 978-3-319-45719-2

  • eBook Packages: Computer Science (R0)