Trellis: Privilege Separation for Multi-user Applications Made Easy

  • Andrea Mambretti
  • Kaan Onarlioglu
  • Collin Mulliner
  • William Robertson
  • Engin Kirda
  • Federico Maggi
  • Stefano Zanero
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9854)


Operating systems provide a wide variety of resource isolation and access control mechanisms, ranging from traditional user-based security models to fine-grained permission systems as found in modern mobile operating systems. However, comparatively little assistance is available for defining and enforcing access control policies within multi-user applications. These applications, often found in enterprise environments, allow multiple users to operate at different privilege levels in terms of exercising application functionality and accessing data. Developers of such applications bear a heavy burden in ensuring that security policies over code and data in this setting are properly expressed and enforced.

We present Trellis, an approach for expressing hierarchical access control policies in applications and enforcing these policies during execution. The approach enhances the development toolchain to allow programmers to partially annotate code and data with simple privilege level tags, and uses a static analysis to infer suitable tags for the entire application. At runtime, policies are extracted from the resulting binaries and are enforced by a modified operating system kernel. Our evaluation demonstrates that this approach effectively supports the development of secure multi-user applications with modest runtime performance overhead.


Access Control; Access Control Policy; Access Control Model; Memory Allocator; Dynamic Memory Allocation
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



We would like to thank our shepherd Vasileios P. Kemerlis for his helpful feedback. This work was supported by the National Science Foundation (NSF) under grant CNS-1409738, and Secure Business Austria.



Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  • Andrea Mambretti (1)
  • Kaan Onarlioglu (1)
  • Collin Mulliner (1)
  • William Robertson (1)
  • Engin Kirda (1)
  • Federico Maggi (2)
  • Stefano Zanero (2)

  1. Northeastern University, Boston, USA
  2. Politecnico di Milano, Milano, Italy
