Skip navigation
Please use this identifier to cite or link to this item:
Title: Intra-Process Least Privilege and Isolation for Emerging Applications
Authors: Melara, Marcela Sofia
Advisors: Freedman, Michael J
Contributors: Computer Science Department
Keywords: access control
Internet of Things
least privilege
trusted execution environments
Subjects: Computer science
Issue Date: 2019
Publisher: Princeton, NJ : Princeton University
Abstract: Third-party libraries reduce software development costs and effort. Designed for flexible reuse, libraries implement a small set of features, allowing developers to build applications by combining libraries that provide the desired functionality. However, third-party code also poses a great risk: because the source code is rarely inspected or even accessible by the application developer, bugs or vulnerabilities that can leak sensitive data may go unnoticed. Yet, existing data protection tools are insufficient because they do not enforce least privilege, restricting each library’s access to only those data it needs for its functionality. Prior academic proposals have addressed this issue with two main approaches: (1) running application components in separate processes for strong isolation, or (2) tracking individual data objects throughout the application to prevent unprivileged components from disclosing sensitive information. However, these approaches see limited real-world adoption because they introduce significant development overhead and integration complexity. This dissertation proposes intra-process least privilege, a design principle that facilitates enforcing least privilege for application developers by restricting access at the granularity of individual library functions, and strongly isolating data within a single process address space. We first present Pyronia, a privilege separation system for language runtimes that targets IoT device applications. To protect sensitive OS resources, Pyronia combines three access control techniques: system call interposition, stack inspection, and page table replication. Developers then specify data access rules only for directly imported third- party functions in a central policy. We next present Griffin, a memory access control system for Intel SGX cloud applications. Intel SGX enables developers to run sensitive code inside an enclave, a hardware-protected memory region within an applications address space. However, in practice, developers often include untrusted third-party libraries in the enclave, giving them unfettered access to all in- enclave data. Griffin leverages Memory Protection Keys (MPK) to partition an enclave and assign per-compartment access rules. Developers declare sensitive data objects and access privileges for in-enclave functions. Griffin then automatically confines these data objects in MPK compartments. Pyronia and Griffin demonstrate the effectiveness of our intra-process least privilege approach in today’s privacy-critical applications while easing integration efforts for developers.
Alternate format: The Mudd Manuscript Library retains one bound copy of each dissertation. Search for these copies in the library's main catalog:
Type of Material: Academic dissertations (Ph.D.)
Language: en
Appears in Collections:Computer Science

Files in This Item:
File Description SizeFormat 
Melara_princeton_0181D_13161.pdf915.34 kBAdobe PDFView/Download

Items in Dataspace are protected by copyright, with all rights reserved, unless otherwise indicated.