Hackers leverage software vulnerabilities to disclose, tamper with, or destroy sensitive
data. To protect sensitive data, programmers can adhere to the principle of
least-privilege, which entails giving software the minimal privilege it needs to operate,
which ensures that sensitive data is only available to software components on a
strictly need-to-know basis. Unfortunately, applying this principle in practice is dif-
�cult, as current operating systems tend to provide coarse-grained mechanisms for
limiting privilege. Thus, most applications today run with greater-than-necessary
privileges. We propose sthreads, a set of operating system primitives that allows
�ne-grained isolation of software to approximate the least-privilege ideal. sthreads
enforce a default-deny model, where software components have no privileges by default,
so all privileges must be explicitly granted by the programmer.
Experience introducing sthreads into previously monolithic applications|thus,
partitioning them|reveals that enumerating privileges for sthreads is di�cult in
practice. To ease the introduction of sthreads into existing code, we include Crowbar,
a tool that can be used to learn the privileges required by a compartment. We
show that only a few changes are necessary to existing code in order to partition
applications with sthreads, and that Crowbar can guide the programmer through
these changes. We show that applying sthreads to applications successfully narrows
the attack surface by reducing the amount of code that can access sensitive data.
Finally, we show that applications using sthreads pay only a small performance
overhead. We applied sthreads to a range of applications. Most notably, an SSL
web server, where we show that sthreads are powerful enough to protect sensitive
data even against a strong adversary that can act as a man-in-the-middle in the
network, and also exploit most code in the web server; a threat model not addressed
to date
