July 21, 2014
Somesh Jha
Writing a complex but secure program is a near-impossible task for a conventional operating system. If an attacker compromises any module of a trusted program running on such a system, then the attacker can perform arbitrary operations on the system. However, if a program runs on a privilege-aware operating system, then the program can invoke system calls to explicitly manage the privileges of its modules, and thus minimize the abilities of an attacker. The developers of privilege-aware systems have rewritten complex programs to invoke such system calls to satisfy strong security properties. However, such systems have not been adopted by developers outside the development community of each system. Moreover, even the systems’ own developers often write programs for their system that they believe to be correct, only to realize later through testing that the rewritten program is insecure or does not demonstrate desired functionality of the original program.
In this talk we will examine the challenges in rewriting programs for privilege-aware systems, and present a tool, called a policy weaver, that rewrites programs for such systems automatically. Our policy weaver takes as input a program written for a conventional system and a small and declarative policy (i.e., a regular expression describing allowed program executions). The weaver outputs a version of the program that invokes system calls so that it satisfies the policy. The weaver reduces each rewriting problem to finding a correct strategy to a two-player automata-theoretic safety game. We describe our experience developing a policy weaver for the Capsicum privilege-aware operating system (now included in FreeBSD 9.0), and describe how a policy weaver for an arbitrary privilege-aware system can be constructed automatically by providing a declarative model of the system to a policy-weaver generator.