Towards Practical Application-level Support for Privilege Separation


Privilege separation (privsep) is an effective technique for improving software's security, but privsep involves decomposing software into components and assigning them different privileges. This is often laborious and error-prone. This paper contributes the following for applying privsep to C software: (1) a portable, lightweight, and distributed runtime library that abstracts externally-enforced compartment isolation; (2) an abstract compartmentalization model of software for reasoning about privsep; and (3) a privsep-aware Clang-based tool for code analysis and semi-automatic software transformation to use the runtime library. The evaluation spans 19 compartmentalizations of third-party software and examines: Security: 4 CVEs in widely-used software were rendered unexploitable; Approximate Effort Saving: on average, the synthesis-to-annotation code ratio was greater than 11.9 (i.e., 10× lines of code were generated for each annotation); and Overhead: execution-time overhead was less than 2%, and memory overhead was linear in the number of compartments.
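To make concrete what the abstract means by decomposing software into components with different privileges, here is an added example (not code from the paper or its runtime library) of the hand-written, two-compartment privsep pattern that the paper's tooling aims to synthesize. A privileged process holds a secret and answers requests over a narrow message interface; an unprivileged worker process, which drops root if it has it, can ask for a keyed checksum but is refused when it asks for the key itself. The message types, the toy keyed checksum (not a real MAC), the secret value, and the placeholder uid/gid 65534 are all constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/wait.h>

/* Narrow interface between the two compartments (constructed message types). */
enum { REQ_MAC = 1, REQ_DUMP_KEY = 2, RESP_OK = 3, RESP_DENIED = 4 };

struct msg {
    uint8_t type;
    uint8_t len;        /* number of bytes used in body */
    uint8_t body[32];
};

/* Constructed secret; it exists only in the privileged compartment's memory. */
static const uint8_t SECRET_KEY[16] = "constructed-key";

/* Toy keyed checksum (FNV-1a over key||data). Stands in for a real MAC and is
 * NOT cryptographically secure; it only illustrates the compartment interface. */
static uint32_t toy_mac(const uint8_t *data, size_t len) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < sizeof SECRET_KEY; i++) { h ^= SECRET_KEY[i]; h *= 16777619u; }
    for (size_t i = 0; i < len; i++) { h ^= data[i]; h *= 16777619u; }
    return h;
}

/* Privileged compartment policy: validate every request, answer only what the
 * interface permits. Returns 0 on a served request, -1 on a refused one. */
int handle_request(const struct msg *req, struct msg *resp) {
    memset(resp, 0, sizeof *resp);
    if (req->type == REQ_MAC && req->len <= sizeof req->body) {
        uint32_t m = toy_mac(req->body, req->len);
        resp->type = RESP_OK;
        resp->len = 4;
        memcpy(resp->body, &m, 4);
        return 0;
    }
    resp->type = RESP_DENIED;   /* key dumps, oversized lengths, unknown types */
    return -1;
}

/* Self-check of the policy without forking: 1 if MAC requests are served and
 * key-dump requests are refused, 0 otherwise. */
int policy_self_test(void) {
    struct msg req = { .type = REQ_MAC, .len = 5 }, dump = { .type = REQ_DUMP_KEY }, out;
    memcpy(req.body, "hello", 5);
    if (handle_request(&req, &out) != 0 || out.type != RESP_OK || out.len != 4) return 0;
    if (handle_request(&dump, &out) != -1 || out.type != RESP_DENIED) return 0;
    return 1;
}

static void privileged_loop(int fd) {
    struct msg req, resp;
    while (read(fd, &req, sizeof req) == (ssize_t)sizeof req) {
        handle_request(&req, &resp);
        if (write(fd, &resp, sizeof resp) != (ssize_t)sizeof resp) break;
    }
}

static int ask(int fd, const struct msg *req, struct msg *resp) {
    if (write(fd, req, sizeof *req) != (ssize_t)sizeof *req) return -1;
    if (read(fd, resp, sizeof *resp) != (ssize_t)sizeof *resp) return -1;
    return 0;
}

/* Unprivileged compartment. Returns 0 if the interface behaved as intended. */
static int worker(int fd) {
    if (geteuid() == 0) {   /* drop root if we have it; 65534 is a placeholder uid/gid */
        if (setgid(65534) != 0 || setuid(65534) != 0) return 10;
    }
    struct msg req = { .type = REQ_MAC, .len = 5 }, dump = { .type = REQ_DUMP_KEY }, resp;
    memcpy(req.body, "hello", 5);
    if (ask(fd, &req, &resp) != 0 || resp.type != RESP_OK || resp.len != 4) return 1;
    if (ask(fd, &dump, &resp) != 0 || resp.type != RESP_DENIED) return 2;
    return 0;
}

/* Fork the two compartments joined by a socketpair; return the worker's exit
 * status (0 = success) or -1 on setup failure. */
int run_privsep_demo(void) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                 /* child: unprivileged worker */
        close(sv[0]);
        int rc = worker(sv[1]);
        close(sv[1]);
        _exit(rc);
    }
    close(sv[1]);                   /* parent: privileged key holder */
    privileged_loop(sv[0]);         /* returns at EOF once the worker exits */
    close(sv[0]);
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    int rc = run_privsep_demo();
    printf("privsep demo: %s (rc=%d)\n", rc == 0 ? "ok" : "failed", rc);
    return rc == 0 ? 0 : 1;
}
```

Even this minimal split shows the sources of effort the abstract refers to: the message format and policy in `handle_request` are the compartment boundary and have to be written, validated, and kept in sync with the worker by hand, and the process setup, descriptor hygiene, and privilege dropping are boilerplate repeated for every additional compartment. A runtime library that abstracts the isolation mechanism and a tool that generates this glue from annotations target exactly that code.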


Nik Sultana is an assistant professor of Computer Science at Illinois Tech in Chicago. His research focuses on distributed system techniques that leverage programming theory, formal logic, and practical systems engineering. He completed his PhD at Cambridge University's Automated Reasoning Group, where he worked on a compiler-based approach to proof translation. Before joining Illinois Tech he held postdoctoral positions at the UPenn Distributed Systems Lab and at the Cambridge Systems Research Group.

Creative Commons 2.5