TY - GEN
T1 - Fine-grained Program Partitioning for Security
AU - Huang, Zhen
AU - Jaeger, Trent
AU - Tan, Gang
N1 - Publisher Copyright: © 2021 ACM.
PY - 2021/4/26
Y1 - 2021/4/26
N2 - Complex software systems are often not designed with the principle of least privilege, which requires each component be given the minimum amount of privileges to function. As a result, software vulnerabilities in less privileged code can lead to privilege escalation, defeating security and privacy. Privilege separation is the process of automatically partitioning a software system into least privileged components, and we argue that it is effective at reducing the attack surface. However, previous privilege-separation systems do not provide fine-grained separation of privileged code and non-privileged code co-existing in the same function for C/C++ applications. We propose a fine-grained partitioning technique for supporting fine-grained separation in automatic program partitioning. The technique has been applied to a set of security-sensitive networking and interactive programs. Results show that it can automatically generate executable partitions for C applications; further, partitioned programs incur acceptable runtime overheads.
UR - http://www.scopus.com/inward/record.url?scp=85106205651&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85106205651&partnerID=8YFLogxK
U2 - 10.1145/3447852.3458717
DO - 10.1145/3447852.3458717
M3 - Conference contribution
AN - SCOPUS:85106205651
T3 - EuroSec 2021 - Proceedings of the 14th European Workshop on Systems
SP - 21
EP - 26
BT - EuroSec 2021 - Proceedings of the 14th European Workshop on Systems
PB - Association for Computing Machinery, Inc
T2 - 14th European Workshop on Systems, EuroSec 2021
Y2 - 26 April 2021
ER -