Toward least-privilege isolation for software

Hackers leverage software vulnerabilities to disclose, tamper with, or destroy sensitive data. To protect sensitive data, programmers can adhere to the principle of least-privilege, which entails giving software the minimal privilege it needs to operate, which ensures that sensitive data is only available to software components on a strictly need-to-know basis. Unfortunately, applying this principle in practice is dif- �cult, as current operating systems tend to provide coarse-grained mechanisms for limiting privilege. Thus, most applications today run with greater-than-necessary privileges. We propose sthreads, a set of operating system primitives that allows �ne-grained isolation of software to approximate the least-privilege ideal. sthreads enforce a default-deny model, where software components have no privileges by default, so all privileges must be explicitly granted by the programmer. Experience introducing sthreads into previously monolithic applications|thus, partitioning them|reveals that enumerating privileges for sthreads is di�cult in practice. To ease the introduction of sthreads into existing code, we include Crowbar, a tool that can be used to learn the privileges required by a compartment. We show that only a few changes are necessary to existing code in order to partition applications with sthreads, and that Crowbar can guide the programmer through these changes. We show that applying sthreads to applications successfully narrows the attack surface by reducing the amount of code that can access sensitive data. Finally, we show that applications using sthreads pay only a small performance overhead. We applied sthreads to a range of applications. Most notably, an SSL web server, where we show that sthreads are powerful enough to protect sensitive data even against a strong adversary that can act as a man-in-the-middle in the network, and also exploit most code in the web server; a threat model not addressed to date

DEVELOPING AN EXPANDABLE GUI TOOL TO ENHANCE NETWORKING EDUCATION: GRAPHICAL USER INTERFACE FOR SHELL ENTRY (GUISE)

The lack of systemic education dedicated to computer networks and the general inadequacy of students' comprehension of the structure and the dynamics of the networks are arguably issues in most public schools. In the situation where the internet is a commodity, the increase in the threat of global attacks on many computing resources is exceptionally high, and so is the consequential importance of the global cyber workforce. Most people achieve their basic understanding through their routine use of computers at home, and it is both pragmatic and more effective to consider using basic home tools because of their didactic benefits. We designed and developed GUISE (GUI for Shell Entry) as an intuitive interface that makes command entry and network analysis easier for masses of users. GUISE leverages the operating system's capabilities and allows inexperienced users with no expertise in the computer networking domain to acquire enhanced network situational awareness in a competent manner. The ultimate benefit of the GUISE tool is providing its users with an educational aspect focused on the networking elements of their home computer infrastructure. That approach has the potential to directly support the growth of their networking literacy and proficiency, and their navigation of the networking landscape with enhanced confidence and safety.Outstanding ThesisCivilian, SFSApproved for public release. Distribution is unlimited

Improved Architectures for Secure Intra-process Isolation

Intra-process memory isolation can improve security by enforcing least-privilege at a finer granularity than traditional operating system controls without the context-switch overhead associated with inter-process communication. Because the process has traditionally been a fundamental security boundary, assigning different levels of trust to components within a process is a fundamental change in secure systems design. However, so far there has been little research on the challenges of securely implementing intra-process isolation on top of existing operating system abstractions. We find that frequently-used assumptions in secure system design do not precisely hold under realistic conditions, and that these discrepancies lead to exploitable vulnerabilities. We evaluate two recently-proposed memory isolation systems and show that both are vulnerable to the same generic attacks that break their security model. We then extend a subset of these attacks by applying them to a fully-precise model of control-flow integrity, demonstrating a data-only attack that bypasses both static and dynamic control-flow integrity enforcement by overwriting executable code in-memory even under typical w^x assumptions. From these two results, we propose a set of kernel modifications called Xlock that systemically addresses weaknesses in memory permissions enforcement on Linux, bringing them into line with w^x assumptions. Finally, we present modifications to intra-process isolation systems that preserve efficient userspace component transitions while drastically reducing risk of accidental kernel mismanagement by modeling intra-process components as separate processes from the kernel\u27s perspective. Taken together, these mitigations represent a more robust architecture for efficient and secure intra-process isolation