TY - GEN
T1 - Program-mandering
T2 - 26th ACM SIGSAC Conference on Computer and Communications Security, CCS 2019
AU - Liu, Shen
AU - Zeng, Dongrui
AU - McCamant, Stephen
AU - Huang, Yongzhe
AU - Jaeger, Trent
AU - Capobianco, Frank
AU - Tan, Gang
N1 - Publisher Copyright:
© 2019 Copyright held by the owner/author(s). Publication rights licensed to ACM.
PY - 2019/11/6
Y1 - 2019/11/6
N2 - Privilege separation is an effective technique to improve software security. However, past partitioning systems do not allow programmers to make quantitative tradeoffs between security and performance. In this paper, we describe our toolchain called PM. It can automatically find the optimal boundary in program partitioning. This is achieved by solving an integer-programming model that optimizes for a user-chosen metric while satisfying the remaining security and performance constraints on other metrics. We choose security metrics to reason about how well computed partitions enforce information flow control to: (1) protect the program from low-integrity inputs or (2) prevent leakage of program secrets. As a result, functions in the sensitive module that fall on the optimal partition boundaries automatically identify where declassification is necessary. We used PM to experiment on a set of real-world programs to protect confidentiality and integrity; results show that, with moderate user guidance, PM can find partitions that have a better balance between security and performance than partitions found by a previous tool that requires manual declassification.
AB - Privilege separation is an effective technique to improve software security. However, past partitioning systems do not allow programmers to make quantitative tradeoffs between security and performance. In this paper, we describe our toolchain called PM. It can automatically find the optimal boundary in program partitioning. This is achieved by solving an integer-programming model that optimizes for a user-chosen metric while satisfying the remaining security and performance constraints on other metrics. We choose security metrics to reason about how well computed partitions enforce information flow control to: (1) protect the program from low-integrity inputs or (2) prevent leakage of program secrets. As a result, functions in the sensitive module that fall on the optimal partition boundaries automatically identify where declassification is necessary. We used PM to experiment on a set of real-world programs to protect confidentiality and integrity; results show that, with moderate user guidance, PM can find partitions that have a better balance between security and performance than partitions found by a previous tool that requires manual declassification.
UR - http://www.scopus.com/inward/record.url?scp=85075939352&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85075939352&partnerID=8YFLogxK
U2 - 10.1145/3319535.3354218
DO - 10.1145/3319535.3354218
M3 - Conference contribution
AN - SCOPUS:85075939352
T3 - Proceedings of the ACM Conference on Computer and Communications Security
SP - 1023
EP - 1040
BT - CCS 2019 - Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security
PB - Association for Computing Machinery
Y2 - 11 November 2019 through 15 November 2019
ER -