NSDI '08 – Abstract
Pp. 309–322 of the Proceedings
Wedge: Splitting Applications into Reduced-Privilege Compartments
Andrea Bittau, Petr Marchenko, Mark Handley, and Brad Karp, University College London
Abstract
Software vulnerabilities and bugs persist, and so exploits continue to
cause significant damage, particularly by divulging users' sensitive
data to miscreants. Yet the vast majority of networked applications
remain monolithically structured, in stark contravention of the ideal
of least-privilege partitioning. Like others before us, we believe
this state of affairs continues because today's operating systems
offer isolation primitives that are cumbersome. We present Wedge, a system well suited to the splitting of complex, legacy,
monolithic applications into fine-grained, least-privilege
compartments. Wedge consists of two synergistic parts: OS primitives
that create compartments with default-deny semantics, which
force the programmer to make compartments' privileges explicit; and
Crowbar, a pair of run-time analysis tools that assist the
programmer in determining which code needs which privileges for which
memory objects. By implementing the Wedge system atop Linux, and
applying it to the SSL-enabled Apache web server and the OpenSSH login
server, we demonstrate that Wedge allows fine-grained
compartmentalization of applications to prevent the leakage of
sensitive data, at acceptable performance cost. We further show that
Wedge is powerful enough to prevent a subtle man-in-the-middle attack
that succeeds on a more coarsely privilege-separated Apache web
server.
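The abstract's central design point, compartments that hold nothing by default and receive privileges only by explicit grant, can be illustrated without Wedge's own primitives. The following is an added example, not code from the paper or its authors: it uses ordinary POSIX processes and a pipe in place of Wedge's compartment and memory-tagging primitives. A key-holder compartment derives and owns a secret and answers one request over a narrow channel; the request-handling worker compartment never has the key in its address space at all, so a compromise of the worker cannot divulge it. The key-derivation routine, the toy keyed checksum (standing in for a real MAC or signature), and the request string are all constructed for the demo.

```c
/* Added example (not from the Wedge paper): default-deny privilege
   separation with POSIX fork() and pipes. The worker never holds the key. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define KEY_LEN 16
#define MSG_LEN 64
#define DEMO_MSG "GET /account HTTP/1.1"   /* constructed request */

/* Constructed key derivation; in a real deployment the key-holder
   compartment would load the private key from protected storage. */
void derive_demo_key(uint8_t out[KEY_LEN]) {
    for (size_t i = 0; i < KEY_LEN; i++)
        out[i] = (uint8_t)(0xA5 ^ (i * 37));
}

/* Toy keyed checksum (FNV-1a over key || msg); a stand-in for HMAC/RSA. */
uint32_t toy_mac(const uint8_t *key, const uint8_t *msg, size_t n) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < KEY_LEN; i++) { h ^= key[i]; h *= 16777619u; }
    for (size_t i = 0; i < n; i++)       { h ^= msg[i]; h *= 16777619u; }
    return h;
}

/* Key-holder compartment: the only code granted access to the key.
   Its interface is deliberately narrow: one message in, one MAC out. */
static void keyholder_serve(int req_fd, int resp_fd) {
    uint8_t key[KEY_LEN], msg[MSG_LEN];
    derive_demo_key(key);                 /* key exists only in this process */
    ssize_t n = read(req_fd, msg, sizeof msg);
    if (n > 0) {
        uint32_t mac = toy_mac(key, msg, (size_t)n);
        (void)write(resp_fd, &mac, sizeof mac);
    }
    memset(key, 0, sizeof key);
}

/* Worker compartment: processes the (untrusted) request and asks the
   key-holder for the MAC. Returns the MAC, or 0 on failure. */
uint32_t privsep_demo(void) {
    int req[2], resp[2];
    if (pipe(req) < 0 || pipe(resp) < 0) return 0;
    pid_t pid = fork();
    if (pid < 0) return 0;
    if (pid == 0) {                       /* key-holder compartment */
        close(req[1]); close(resp[0]);
        keyholder_serve(req[0], resp[1]);
        _exit(0);
    }
    /* Worker compartment: default deny, it was never given the key. */
    close(req[0]); close(resp[1]);
    (void)write(req[1], DEMO_MSG, strlen(DEMO_MSG));
    close(req[1]);
    uint32_t mac = 0;
    if (read(resp[0], &mac, sizeof mac) != (ssize_t)sizeof mac) mac = 0;
    close(resp[0]);
    waitpid(pid, NULL, 0);
    return mac;
}

/* Verification helper only: recomputes what the key-holder should return.
   A real worker could not do this, which is the whole point. */
uint32_t expected_demo_mac(void) {
    uint8_t key[KEY_LEN];
    derive_demo_key(key);
    return toy_mac(key, (const uint8_t *)DEMO_MSG, strlen(DEMO_MSG));
}

int main(void) {
    printf("mac from key-holder: %08x (expected %08x)\n",
           privsep_demo(), expected_demo_mac());
    return 0;
}
```

The narrow pipe interface is what makes the separation meaningful: the worker can request a MAC over data it chooses, but it can never read or copy the key itself, which is the property Wedge's default-deny compartments and Crowbar's privilege analysis are designed to make cheap to obtain in legacy code.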
The Proceedings are published as a collective work, © 2008 by the USENIX Association. All Rights Reserved. Rights to individual papers remain with the author or the author's employer. Permission is granted for the noncommercial reproduction of the complete work for educational or research purposes. USENIX acknowledges all trademarks within this paper.