Research article. DOI: 10.1145/2976749.2978327

Enforcing Least Privilege Memory Views for Multithreaded Applications

Published: 24 October 2016

Abstract

Failing to properly isolate components that share an address space has produced a substantial number of vulnerabilities. Enforcing the principle of least privilege on memory accesses can selectively isolate software components, reducing the attack surface and preventing unintended cross-component memory corruption. However, the boundaries and interactions between software components are hard to reason about, and existing approaches have failed to stop attackers from exploiting vulnerabilities caused by poor isolation. We present the secure memory views (SMV) model: a practical and efficient model for secure and selective memory isolation in monolithic multithreaded applications. SMV is a third-generation privilege separation technique that offers explicit access control over memory and allows concurrent threads within the same process to partially share or fully isolate their memory space, in a controlled and parallel manner, according to application requirements. An evaluation of our prototype in the Linux kernel (TCB < 1,800 LOC) shows negligible runtime overhead on real-world applications, including the Cherokee web server (< 0.69%), the Apache httpd web server (< 0.93%), and the Mozilla Firefox web browser (< 1.89%), with at most 12 LOC of changes.
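The access-control semantics the abstract describes (memory split into domains, each thread bound to a view that grants it a subset of those domains, everything else denied) can be modelled in user space to make the policy concrete. The C program below is an added illustration written for this page; it is not code from the paper or from its Linux prototype. The names smv_set_perm, smv_join, smv_check, smv_read and smv_write, the domain/view numbering and the server scenario are invented for the model, and the policy is only checked at these explicit accessor calls, whereas the paper's prototype enforces it inside the Linux kernel.

```c
/* Software model of secure memory views (SMV): memory domains, per-view permissions,
 * threads bound to one view each. Illustrative only; the API names are invented. */
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_DOMAINS 8
#define MAX_VIEWS   8
#define REGION_SZ   64
enum { PERM_R = 1u, PERM_W = 2u };
enum { DOM_CONFIG = 0, DOM_WORKER_A = 1, DOM_WORKER_B = 2 };
enum { VIEW_A = 0, VIEW_B = 1 };

/* views[v][d]: permission bits of view v on domain d; an unset entry means deny. */
static uint8_t views[MAX_VIEWS][MAX_DOMAINS];
static pthread_mutex_t policy_lock = PTHREAD_MUTEX_INITIALIZER;
static __thread int current_view = -1; /* thread-local: the view this thread is bound to */

/* A fixed-size memory region tagged with the domain it belongs to. */
typedef struct { int domain; unsigned char bytes[REGION_SZ]; } region_t;
static int valid(int v, int d) { return v >= 0 && v < MAX_VIEWS && d >= 0 && d < MAX_DOMAINS; }

/* Set a view's rights on a domain (perm 0 removes the domain from the view). */
int smv_set_perm(int view, int domain, uint8_t perm) {
    if (!valid(view, domain)) return -1;
    pthread_mutex_lock(&policy_lock);
    views[view][domain] = perm;
    pthread_mutex_unlock(&policy_lock);
    return 0;
}

/* Bind the calling thread to a view; its later checked accesses use that view. */
int smv_join(int view) {
    if (view < 0 || view >= MAX_VIEWS) return -1;
    current_view = view;
    return 0;
}

/* 0 if the caller's view holds `need` on r's domain and [off, off+len) stays inside r; else -1. */
int smv_check(const region_t *r, size_t off, size_t len, uint8_t need) {
    if (current_view < 0 || !valid(current_view, r->domain)) return -1; /* unbound thread: deny */
    if (off > REGION_SZ || len > REGION_SZ - off) return -1;            /* bounds, overflow-safe */
    pthread_mutex_lock(&policy_lock);
    uint8_t have = views[current_view][r->domain];
    pthread_mutex_unlock(&policy_lock);
    return (have & need) == need ? 0 : -1;
}

int smv_write(region_t *r, size_t off, const void *src, size_t len) {
    if (smv_check(r, off, len, PERM_W) != 0) return -1;
    memcpy(r->bytes + off, src, len);
    return 0;
}

int smv_read(const region_t *r, size_t off, void *dst, size_t len) {
    if (smv_check(r, off, len, PERM_R) != 0) return -1;
    memcpy(dst, r->bytes + off, len);
    return 0;
}

/* Scenario: one shared read-only configuration, one private session buffer per worker thread. */
static region_t config = { DOM_CONFIG, "listen=8080" };
static region_t sess_a = { DOM_WORKER_A, { 0 } };
static region_t sess_b = { DOM_WORKER_B, { 0 } };

struct worker { int view; region_t *mine; region_t *other; int allowed, denied; };
static void tally(struct worker *w, int rc) { if (rc == 0) w->allowed++; else w->denied++; }

static void *worker_main(void *arg) {
    struct worker *w = arg;
    char buf[16];
    smv_join(w->view);
    tally(w, smv_write(w->mine, 0, "session-token", 14));      /* own data: permitted */
    tally(w, smv_read(&config, 0, buf, sizeof buf));            /* shared config read: permitted */
    tally(w, smv_write(&config, 0, "listen=1", 9));             /* config write: denied */
    tally(w, smv_read(w->other, 0, buf, sizeof buf));           /* other worker's data: denied */
    tally(w, smv_write(w->mine, REGION_SZ - 4, "overflow", 8)); /* past own region: denied */
    return NULL;
}

/* Installs the policy and runs both workers; totals are 4 permitted, 6 denied. */
int run_demo(int *allowed, int *denied) {
    smv_set_perm(VIEW_A, DOM_CONFIG, PERM_R);
    smv_set_perm(VIEW_A, DOM_WORKER_A, PERM_R | PERM_W);
    smv_set_perm(VIEW_B, DOM_CONFIG, PERM_R);
    smv_set_perm(VIEW_B, DOM_WORKER_B, PERM_R | PERM_W);
    struct worker a = { VIEW_A, &sess_a, &sess_b, 0, 0 };
    struct worker b = { VIEW_B, &sess_b, &sess_a, 0, 0 };
    pthread_t ta, tb;
    if (pthread_create(&ta, NULL, worker_main, &a) != 0) return -1;
    if (pthread_create(&tb, NULL, worker_main, &b) != 0) { pthread_join(ta, NULL); return -1; }
    pthread_join(ta, NULL);
    pthread_join(tb, NULL);
    *allowed = a.allowed + b.allowed;
    *denied = a.denied + b.denied;
    return 0;
}

int main(void) {
    int allowed = 0, denied = 0;
    if (run_demo(&allowed, &denied) != 0) return 1;
    printf("permitted: %d, denied: %d, config intact: %s\n", allowed, denied, (const char *)config.bytes);
    return 0;
}
```

Each worker succeeds at writing its own session buffer and reading the shared configuration, while its attempts to write the configuration, read the other worker's buffer, or write past the end of its own region are refused and the configuration bytes stay intact. In a plain pthread program all five accesses would succeed silently, which is the cross-component corruption the abstract is concerned with; the model also shows why the policy is default-deny (a domain never granted to a view is simply invisible to it) and why an unbound thread must be refused rather than given the whole address space.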



Published In

CCS '16: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. October 2016, 1924 pages. ISBN 9781450341394. DOI 10.1145/2976749

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. operating system security
  2. privilege separation
  3. threads isolation

Acceptance Rates

CCS '16 paper acceptance rate: 137 of 831 submissions (16%). Overall acceptance rate: 1,261 of 6,999 submissions (18%).

Cited By

  • Gradient: Gradual Compartmentalization via Object Capabilities Tracked in Types. Proceedings of the ACM on Programming Languages 8(OOPSLA2), 1135-1161, October 2024. DOI 10.1145/3689751
  • Endoprocess: Programmable and Extensible Subprocess Isolation. Proceedings of the 2023 New Security Paradigms Workshop, 92-101, September 2023. DOI 10.1145/3633500.3633507
  • Going beyond the Limits of SFI: Flexible and Secure Hardware-Assisted In-Process Isolation with HFI. Proceedings of the 28th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, Volume 3, 266-281, March 2023. DOI 10.1145/3582016.3582023
  • Harnessing the x86 Intermediate Rings for Intra-Process Isolation. IEEE Transactions on Dependable and Secure Computing 20(4), 3251-3268, July 2023. DOI 10.1109/TDSC.2022.3192524
  • SecureCells: A Secure Compartmentalized Architecture. 2023 IEEE Symposium on Security and Privacy (SP), 2921-2939, May 2023. DOI 10.1109/SP46215.2023.10179472
  • EC: Embedded Systems Compartmentalization via Intra-Kernel Isolation. 2023 IEEE Symposium on Security and Privacy (SP), 2990-3007, May 2023. DOI 10.1109/SP46215.2023.10179285
  • Enabling Lightweight Privilege Separation in Applications with MicroGuards. Applied Cryptography and Network Security Workshops, 571-598, October 2023. DOI 10.1007/978-3-031-41181-6_31
  • PKRU-safe. Proceedings of the Seventeenth European Conference on Computer Systems, 132-148, March 2022. DOI 10.1145/3492321.3519582
  • Isolating functions at the hardware limit with virtines. Proceedings of the Seventeenth European Conference on Computer Systems, 644-662, March 2022. DOI 10.1145/3492321.3519553
  • Making Information Hiding Effective Again. IEEE Transactions on Dependable and Secure Computing 19(4), 2576-2594, July 2022. DOI 10.1109/TDSC.2021.3064086
