Abstract
Applications are subject to threat from a number of attack vectors, and limiting their attack surface is vital. By using privilege separation to constrain application access to protected resources, we can mitigate the threats against the application. Previous examinations of privilege separation either entailed significant manual effort or required access to the source code. We consider a method of performing privilege separation through black-box analysis.We consider similar applications to the target and infer states of execution, and determine unique trigger system calls that cause transitions. We use these for the basis of state-based policy enforcement by leveraging the Systrace policy enforcement mechanism. Our results show that we can infer state transitions with a high degree of accuracy, while our modifications to Systrace result in more granular protection by limiting system calls depending on the application’s state. The modified Systrace increases the size of the Apache web server’s policy file by less than 17.5%.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Brumley, D., Song, D.: Privtrans: Automatically Partitioning Programs for Privilege Separation. In: Proceedings of the 13th USENIX Security Symposium, pp. 57–72 (2004)
Fink, G., Levitt, K.: Property Based Testing of Privileged Programs. In: Proceedings of the 10th Annual Computer Security Applications Conference, pp. 154–163 (1994)
Hofmeyr, S., Forrest, S., Somayaji, A.: Intrusion Detection using Sequences of System Calls. Journal of Computer Security 6, 151–180 (1998)
Provos, N.: Improving Host Security with System Call Policies. In: Proceedings of the 12th USENIX Security Symposium, pp. 257–272 (August 2003)
Provos, N., Friedl, M., Honeyman, P.: Preventing Privilege Escalation. In: Proceedings of the 12th USENIX Security Symposium, pp. 231–242 (August 2003)
Author information
Authors and Affiliations
Editor information
Rights and permissions
Copyright information
© 2007 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Bapat, D., Butler, K., McDaniel, P. (2007). Towards Automated Privilege Separation. In: McDaniel, P., Gupta, S.K. (eds) Information Systems Security. ICISS 2007. Lecture Notes in Computer Science, vol 4812. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-77086-2_24
Download citation
DOI: https://doi.org/10.1007/978-3-540-77086-2_24
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-77085-5
Online ISBN: 978-3-540-77086-2
eBook Packages: Computer ScienceComputer Science (R0)