DATE: Thursday, October 21, 2004
TIME: Noon - 1 pm
PLACE: Wean Hall 8220
SPEAKER:
David Brumley
CMU
TITLE:
Privtrans: Automatically Partitioning Programs for Privilege Separation
ABSTRACT:
Privileged programs, such as system daemons, setuid programs, and system
maintenance programs, are the most common targets attacked by intruders,
viruses, and worms. Since most privileged programs are written in C --
an unsafe language -- an intruder can elevate their privileges by
exploiting a bug anywhere in the privileged program -- even in those
operations that don't require privileges.
Privilege separation partitions a single program into two protection domains: a privileged monitor and an unprivileged slave. The slave and monitor cooperate to behave as the original program. All trust and privileges are relegated to the monitor, which results in a smaller and more easily secured trust base. Previously the privilege separation process, i.e., partitioning one program into the monitor and slave, was done by hand which is time-consuming and error-prone.
We have designed and developed the first automatic approach for
privilege separation. We use static analysis and C-to-C translation to
separate the original program into the monitor and slave. We also
combine static analysis and dynamic checks for better precision and
performance. Our approach uses the strongest model of privilege
separation, allows for fine-grained policies to be implemented in the
monitor, and allows us to track and re-incorporate privilege separation
as source code evolves. We have successfully incorporated privilege
separation into several open source programs, including OpenSSH, which
had previously been separated by hand.
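As an added illustration (not code from the talk or from Privtrans), here is the monitor/slave split the abstract describes, reduced to a fork() and a socketpair() in C: the monitor keeps the privileged state and enforces a per-opcode policy, and the slave can only ask. The opcodes, the `port=22` reply and the secret are constructed values; a real slave would also chroot()/setuid() after the fork, which is omitted so the example runs unprivileged.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/wait.h>

/* Opcodes the slave may send across the boundary (constructed example). */
enum { OP_GET_PORT = 1, OP_GET_SECRET = 2 };

/* Monitor-side policy: the only place privileged data is touched.
 * Returns the number of reply bytes, or -1 when the request is denied. */
int monitor_policy(int op, char *reply, size_t len) {
    static const char secret[] = "host-key-bytes"; /* never leaves the monitor */
    (void)secret;
    switch (op) {
    case OP_GET_PORT:   /* allowed: a config value the slave needs to proceed */
        return snprintf(reply, len, "port=22");
    case OP_GET_SECRET: /* denied: raw key material must not cross over */
    default:
        return -1;
    }
}

/* Fork a monitor (parent) and slave (child) joined by a socketpair.  The
 * slave sends one opcode; the monitor answers or denies by closing.  Returns
 * the slave's exit status: 0 if it got a reply, 1 if denied, -1 on error. */
int run_separated(int op) {
    int sv[2], status, req = 0, n;
    char reply[64];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                           /* slave: unprivileged side */
        char buf[64];
        close(sv[0]);
        /* a real slave would chroot() and setuid() to an unprivileged user here */
        if (write(sv[1], &op, sizeof op) != sizeof op) _exit(2);
        ssize_t got = read(sv[1], buf, sizeof buf - 1);
        _exit(got > 0 ? 0 : 1);               /* EOF with no data == denied */
    }
    close(sv[1]);                             /* monitor: privileged side */
    n = read(sv[0], &req, sizeof req) == sizeof req
          ? monitor_policy(req, reply, sizeof reply) : -1;
    if (n > 0 && write(sv[0], reply, (size_t)n) != n) n = -1;
    close(sv[0]);                             /* deny path: close without data */
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```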
In this talk I will describe our techniques and our implementation, called Privtrans. I will also discuss our results in automatically partitioning programs. This is joint work with Dawn Song. The paper has appeared in USENIX Security Symposium, August 2004. This talk is in partial fulfillment of the speaking requirement.
BIO:
David Brumley is a second year PhD student. Before coming to CMU, he
received a masters from Stanford. He is interested in all aspects of
computer security.
SDI / LCS Seminar Questions?
Karen Lindenfelser, 86716, or visit www.pdl.cmu.edu/SDI/