Towards a Theory of Application Compartmentalisation

  • Robert N. M. Watson
  • Steven J. Murdoch
  • Khilan Gudka
  • Jonathan Anderson
  • Peter G. Neumann
  • Ben Laurie
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8263)

Abstract

Application compartmentalisation decomposes software applications into sandboxed components, each delegated only the rights it requires to operate. Compartmentalisation is seeing increased deployment in vulnerability mitigation, motivated informally by appeal to the principle of least privilege. Drawing a comparison with capability systems, we consider how a distributed system interpretation supports an argument that compartmentalisation improves application security.

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Robert N. M. Watson (1)
  • Steven J. Murdoch (1)
  • Khilan Gudka (1)
  • Jonathan Anderson (1)
  • Peter G. Neumann (2)
  • Ben Laurie (3)

  1. University of Cambridge, UK
  2. SRI International, USA
  3. Google UK Ltd., UK