1 / 25

Trellis: Privilege Separation for Multi-User Applications Made Easy

Explore the approach of Trellis for enforcing access control policies in multi-user applications through hierarchical privilege separation. The framework is implemented with real-world application evaluation and offers a prototype based on LLVM/Clang, GNU C Library, and Linux Kernel.

jessicaddavis
Download Presentation

Trellis: Privilege Separation for Multi-User Applications Made Easy

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. NEU SECLAB Trellis: Privilege Separation for Multi-User ApplicationsMade Easy Andrea Mambretti KaanOnarlioglu, Collin Mulliner, William Robertson, EnginKirda Northeastern University Federico Maggi, Stefano Zanero Politecnico di Milano

  2. Unsolved Problem? Secunia review 2015 – Vulnerabilities in the 5 Most Popular Browser

  3. NEU SECLAB Privilege Escalation “more” Priv “less” Priv Exploit Vuln Attacker Code (e.g. ssh server)

  4. Current Mitigations

  5. NEU SECLAB GEM [Mulliner(2014)] Multi-User Applications? Behind the scenes voidnew_article() { /* Not for test1 user */ article=gettext(); record(article); } Button used for Access Control Button used for Access Control

  6. NEU SECLAB Threat Model Logic vulnerability • Enforcing the access to new_article() using the GUI • (e.g., disabling the button) Button used for Access Control Memory corruption vulnerability • Exploit “test1” available functions and hijack the control flow to new_article()

  7. NEU SECLAB Previous Work - Privtrans Application Monitor UNPRIV Privtrans RPC Library PRIV Privtrans UNPRIV PrivUnPriv Slave D. Brumley, and D. Song. USENIX Security ’04

  8. Previous Work - Limitations Does not support multiple roles IPC overhead Physical application partitioning

  9. Trellis Approach Trellis-aware Application Application R. 1 R. 4 R. 2 R. 3 R. 3 R. 2 Trellis R. 2 R. 4 R.1 R. 1 Annotations Application Preparation

  10. Trellis Approach Trellis-aware Application Trellis-aware Application R. 4 R. 4 R. 3 R. 3 Trellis Role Change R. 2 R. 2 R. 1 R. 1 Runtime

  11. Trellis Contributions OS-based application development framework for multi-user application to enforce Hierarchical-Base Access Control policies (HBAC) Prototype implementation based on LLVM/Clang, GNU C Library, and the Linux Kernel Real-world application evaluation

  12. Implementation Partially Annotated Code Instrumented Annotated Code Annotation Propagation Syscall Insertion and Error Handler Code & Data Partitioning Fully Annotated Code Privilege Separated Code Binary Preparation

  13. Implementation Fun_1 Role:3 Fun_2 Role:5 Fun_1 Role:3 Fun_2 Role:5 Callers Fun_3 Role:None Fun_3 Role:3 Callee Input Output

  14. Implementation Partially Annotated Code Instrumented Annotated Code Annotation Propagation Syscall Insertion and Error Handler Code & Data Partitioning Fully Annotated Code Privilege Separated Code Binary Preparation

  15. Implementation Authentication Mechanism Trellis-aware Application OS start_auth(3) prompt_user_request(3) R. 6 R. 5 cred = read_input() R. 4 Fun_A R. 3 R. 2 verify(cred) if (auth(3)) { Fun_A() } else error_handler() lock(1) R. 1 unlock(3) Fun_A() lock(1)

  16. Implementation Partially Annotated Code Instrumented Annotated Code Annotation Propagation Syscall Insertion and Error Handler Code & Data Partitioning Fully Annotated Code Privilege Separated Code Binary Preparation

  17. Implementation Trellis-aware App on disk Trellis-aware App in memory fun_1 : role 1 fun_2 : role 1 gv_1 : role 1 fun_1 : role 1 fun_2 : role 1 gv_1 : role 1 fun_3 : role 2 gv_3 : role 3 fun_4 : role 4 fun_1 : role 1 fun_2 : role 1 gv_1 : role 1 fun_3 : role 2 gv_2 : role 3 fun_4 : role 4 Memory page alignment fun_3 : role 2 gv_2 : role 3 fun_4 : role 4 Without Partitioning With Partitioning

  18. Implementation - Runtime Remove accessprivileges for memory segments containing non-accessible roles PAM-based Authentication during application role switching Custom program loader to initialize the metadata in kernel-space Multi-heap page-basedAllocator for protecting dynamic allocated data

  19. Implementation trellis_alloc(size,role) ……… heap_2 heap_4 heap_n heap_3 heap_1 List of heaps, each for one role 1 Page 2 Pages List of chunks of page size

  20. Evaluation

  21. Evaluation Micro-Benchmarks End-to-end Performance Developer Effort Security Experiments

  22. Evaluation

  23. Discussion and Future works Binary privilege separation Just-in-time compiler support Indirect function call analysis integration Data declassification

  24. Conclusions OS-based application development framework for multi-user application to enforce Hierarchical-Base Access Control policies (HBAC) Prototype implementation based on LLVM/Clang, GNU C Library, and the Linux Kernel Real-world application evaluation Trellis is now open-source and available at https://github.com/m4mbr3/trellis.git

  25. Questions?

More Related