Quantitative Privilege Separation with Pointer Supports
Open Access
- Author:
- Liu, Shen
- Graduate Program:
- Computer Science and Engineering
- Degree:
- Doctor of Philosophy
- Document Type:
- Dissertation
- Date of Defense:
- January 23, 2020
- Committee Members:
- Gang Tan, Dissertation Advisor/Co-Advisor
- Gang Tan, Committee Chair/Co-Chair
- Trent Ray Jaeger, Committee Member
- Danfeng Zhang, Committee Member
- Peng Liu, Outside Member
- Chitaranjan Das, Program Head/Chair
- Keywords:
- Privilege Separation
- Program Analysis
- Software Security
- Abstract:
- Partitioning a security-sensitive application into least-privileged components and putting each into a separate protection domain has long been a goal of security practitioners and researchers. However, existing techniques suffer from several obstacles that prevent program partitioning from being adopted in practice. For example, in C/C++ programs, the presence of pointers makes calculating data dependence, a key step in program partitioning, difficult and hard to scale; furthermore, C-style pointers do not carry bounds information, making it impossible to automatically marshal and unmarshal pointer data when they are sent across the boundary between partitions. More importantly, traditional partitioning approaches, which are based on static analysis, cannot find the optimal partitioning boundary automatically. Programmers still have to do a lot of manual work (e.g., declassification) to adjust the partitioning boundary and balance performance against security. In addition, past partitioning systems support only a single label (i.e., sensitive vs. non-sensitive). It is useful to extend the program partitioning approach to support multiple labels, since complex software usually handles sensitive data from multiple sources. In this dissertation, we introduce our work on solving these problems in privilege separation. First, we propose a set of techniques for supporting general pointers in automatic program partitioning. Our system, called PtrSplit, constructs a Program Dependence Graph (PDG) for tracking data and control dependencies in the input program and employs a parameter-tree approach for representing data of pointer types; this approach is modular and avoids global pointer analysis. PtrSplit performs selective pointer bounds tracking to enable marshalling/unmarshalling of pointer data.
Second, we develop a toolchain called Program-mandering (PM), which automatically finds the optimal boundary in secure program partitioning according to user-provided constraints. The optimal boundary is selected by solving an integer programming model that simultaneously considers both security and performance. As a result, functions in the sensitive module that lie right on the optimal boundary are automatically declassified. We use experiments to show that PtrSplit and PM work effectively on real-world security programs. Finally, we extend our framework to support more general partitioning – partitioning an application into multiple modules instead of only two, so that different kinds of sensitive data are protected separately.