μsCOPE: A methodology for analyzing least-privilege compartmentalization in large software artifacts

Nick Roessler; Lucas Atayde; Imani Palmer; Derrick McKee; Jai Pandey; Vasileios P. Kemerlis; Mathias Payer; Adam Bates; Jonathan M. Smith; Andre Dehon; Nathan Dautenhahn

doi:10.1145/3471621.3471839

μsCOPE: A methodology for analyzing least-privilege compartmentalization in large software artifacts

Nick Roessler, Lucas Atayde, Imani Palmer, Derrick McKee, Jai Pandey, Vasileios P. Kemerlis, Mathias Payer, Adam Bates, Jonathan M. Smith, Andre Dehon, Nathan Dautenhahn

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

By prioritizing simplicity and portability, least-privilege engineering has been an afterthought in OS design, resulting in monolithic kernels where any exploit leads to total compromise. μSCOPE ("microscope") addresses this problem by automatically identifying opportunities for least-privilege separation. μSCOPE replaces expert-driven, semi-automated analysis with a general methodology for exploring a continuum of security vs. performance design points by adopting a quantitative and systematic approach to privilege analysis. We apply the μSCOPE methodology to the Linux kernel by (1) instrumenting the entire kernel to gain comprehensive, fine-grained memory access and call activity; (2) mapping these accesses to semantic information; and (3) conducting separability analysis on the kernel using both quantitative privilege and overhead metrics. We discover opportunities for orders of magnitude privilege reduction while predicting relatively low overheads - at 15% mediation overhead, overprivilege in Linux can be reduced up to 99.8% - suggesting fine-grained privilege separation is feasible and laying the groundwork for accelerating real privilege separation.

Original language	English (US)
Title of host publication	Proceedings of 2021 24th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2021
Publisher	Association for Computing Machinery
Pages	296-311
Number of pages	16
ISBN (Electronic)	9781450390583
DOIs	https://doi.org/10.1145/3471621.3471839
State	Published - Oct 6 2021
Externally published	Yes
Event	24th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2021 - Virtual, Online, Spain Duration: Oct 6 2021 → Oct 8 2021

Publication series

Name	ACM International Conference Proceeding Series

Conference

Conference	24th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2021
Country/Territory	Spain
City	Virtual, Online
Period	10/6/21 → 10/8/21

ASJC Scopus subject areas

Software
Human-Computer Interaction
Computer Vision and Pattern Recognition
Computer Networks and Communications

Online availability

10.1145/3471621.3471839

Library availability

Discover UIUC Full Text

Cite this

Roessler, N., Atayde, L., Palmer, I., McKee, D., Pandey, J., Kemerlis, V. P., Payer, M., Bates, A., Smith, J. M., Dehon, A., & Dautenhahn, N. (2021). μsCOPE: A methodology for analyzing least-privilege compartmentalization in large software artifacts. In Proceedings of 2021 24th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2021 (pp. 296-311). (ACM International Conference Proceeding Series). Association for Computing Machinery. https://doi.org/10.1145/3471621.3471839

μsCOPE : A methodology for analyzing least-privilege compartmentalization in large software artifacts. / Roessler, Nick; Atayde, Lucas; Palmer, Imani; McKee, Derrick; Pandey, Jai; Kemerlis, Vasileios P.; Payer, Mathias; Bates, Adam; Smith, Jonathan M.; Dehon, Andre; Dautenhahn, Nathan.

Proceedings of 2021 24th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2021. Association for Computing Machinery, 2021. p. 296-311 (ACM International Conference Proceeding Series).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Roessler, N, Atayde, L, Palmer, I, McKee, D, Pandey, J, Kemerlis, VP, Payer, M, Bates, A, Smith, JM, Dehon, A & Dautenhahn, N 2021, μsCOPE: A methodology for analyzing least-privilege compartmentalization in large software artifacts. in Proceedings of 2021 24th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2021. ACM International Conference Proceeding Series, Association for Computing Machinery, pp. 296-311, 24th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2021, Virtual, Online, Spain, 10/6/21. https://doi.org/10.1145/3471621.3471839

Roessler N, Atayde L, Palmer I, McKee D, Pandey J, Kemerlis VP et al. μsCOPE: A methodology for analyzing least-privilege compartmentalization in large software artifacts. In Proceedings of 2021 24th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2021. Association for Computing Machinery. 2021. p. 296-311. (ACM International Conference Proceeding Series). https://doi.org/10.1145/3471621.3471839

Roessler, Nick ; Atayde, Lucas ; Palmer, Imani ; McKee, Derrick ; Pandey, Jai ; Kemerlis, Vasileios P. ; Payer, Mathias ; Bates, Adam ; Smith, Jonathan M. ; Dehon, Andre ; Dautenhahn, Nathan. / μsCOPE : A methodology for analyzing least-privilege compartmentalization in large software artifacts. Proceedings of 2021 24th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2021. Association for Computing Machinery, 2021. pp. 296-311 (ACM International Conference Proceeding Series).

@inproceedings{8ac5bc40c2124322bc14c237f889dadc,

title = "μsCOPE: A methodology for analyzing least-privilege compartmentalization in large software artifacts",

abstract = "By prioritizing simplicity and portability, least-privilege engineering has been an afterthought in OS design, resulting in monolithic kernels where any exploit leads to total compromise. μSCOPE ({"}microscope{"}) addresses this problem by automatically identifying opportunities for least-privilege separation. μSCOPE replaces expert-driven, semi-automated analysis with a general methodology for exploring a continuum of security vs. performance design points by adopting a quantitative and systematic approach to privilege analysis. We apply the μSCOPE methodology to the Linux kernel by (1) instrumenting the entire kernel to gain comprehensive, fine-grained memory access and call activity; (2) mapping these accesses to semantic information; and (3) conducting separability analysis on the kernel using both quantitative privilege and overhead metrics. We discover opportunities for orders of magnitude privilege reduction while predicting relatively low overheads - at 15% mediation overhead, overprivilege in Linux can be reduced up to 99.8% - suggesting fine-grained privilege separation is feasible and laying the groundwork for accelerating real privilege separation.",

author = "Nick Roessler and Lucas Atayde and Imani Palmer and Derrick McKee and Jai Pandey and Kemerlis, {Vasileios P.} and Mathias Payer and Adam Bates and Smith, {Jonathan M.} and Andre Dehon and Nathan Dautenhahn",

note = "Funding Information: This research was funded in part by DARPA contracts HR0011-18-C- 0011 and HR001119S0089-AMP-FP-034; NSF grants CNS-1513687, TWC-1513854, CNS-1801601, CNS-16-57534, CNS-17-50024 and CNS-2008867; ERC StG 850868; and ONR grant BAA N00014-17-SB010. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not reflect the official policy or position of the U.S. Government. Funding Information: This research was funded in part by DARPA contracts HR0011-18-C-0011 and HR001119S0089-AMP-FP-034; NSF grants CNS-1513687, TWC-1513854, CNS-1801601, CNS-16-57534, CNS-17-50024 and CNS-2008867; ERC StG 850868; and ONR grant BAA N00014-17-SB010. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not reflect the official policy or position of the U.S. Government. Publisher Copyright: {\textcopyright} 2021 Owner/Author.; 24th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2021 ; Conference date: 06-10-2021 Through 08-10-2021",

year = "2021",

month = oct,

day = "6",

doi = "10.1145/3471621.3471839",

language = "English (US)",

series = "ACM International Conference Proceeding Series",

publisher = "Association for Computing Machinery",

pages = "296--311",

booktitle = "Proceedings of 2021 24th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2021",

}

TY - GEN

T1 - μsCOPE

T2 - 24th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2021

AU - Roessler, Nick

AU - Atayde, Lucas

AU - Palmer, Imani

AU - McKee, Derrick

AU - Pandey, Jai

AU - Kemerlis, Vasileios P.

AU - Payer, Mathias

AU - Bates, Adam

AU - Smith, Jonathan M.

AU - Dehon, Andre

AU - Dautenhahn, Nathan

N1 - Funding Information: This research was funded in part by DARPA contracts HR0011-18-C- 0011 and HR001119S0089-AMP-FP-034; NSF grants CNS-1513687, TWC-1513854, CNS-1801601, CNS-16-57534, CNS-17-50024 and CNS-2008867; ERC StG 850868; and ONR grant BAA N00014-17-SB010. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not reflect the official policy or position of the U.S. Government. Funding Information: This research was funded in part by DARPA contracts HR0011-18-C-0011 and HR001119S0089-AMP-FP-034; NSF grants CNS-1513687, TWC-1513854, CNS-1801601, CNS-16-57534, CNS-17-50024 and CNS-2008867; ERC StG 850868; and ONR grant BAA N00014-17-SB010. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not reflect the official policy or position of the U.S. Government. Publisher Copyright: © 2021 Owner/Author.

PY - 2021/10/6

Y1 - 2021/10/6

N2 - By prioritizing simplicity and portability, least-privilege engineering has been an afterthought in OS design, resulting in monolithic kernels where any exploit leads to total compromise. μSCOPE ("microscope") addresses this problem by automatically identifying opportunities for least-privilege separation. μSCOPE replaces expert-driven, semi-automated analysis with a general methodology for exploring a continuum of security vs. performance design points by adopting a quantitative and systematic approach to privilege analysis. We apply the μSCOPE methodology to the Linux kernel by (1) instrumenting the entire kernel to gain comprehensive, fine-grained memory access and call activity; (2) mapping these accesses to semantic information; and (3) conducting separability analysis on the kernel using both quantitative privilege and overhead metrics. We discover opportunities for orders of magnitude privilege reduction while predicting relatively low overheads - at 15% mediation overhead, overprivilege in Linux can be reduced up to 99.8% - suggesting fine-grained privilege separation is feasible and laying the groundwork for accelerating real privilege separation.

AB - By prioritizing simplicity and portability, least-privilege engineering has been an afterthought in OS design, resulting in monolithic kernels where any exploit leads to total compromise. μSCOPE ("microscope") addresses this problem by automatically identifying opportunities for least-privilege separation. μSCOPE replaces expert-driven, semi-automated analysis with a general methodology for exploring a continuum of security vs. performance design points by adopting a quantitative and systematic approach to privilege analysis. We apply the μSCOPE methodology to the Linux kernel by (1) instrumenting the entire kernel to gain comprehensive, fine-grained memory access and call activity; (2) mapping these accesses to semantic information; and (3) conducting separability analysis on the kernel using both quantitative privilege and overhead metrics. We discover opportunities for orders of magnitude privilege reduction while predicting relatively low overheads - at 15% mediation overhead, overprivilege in Linux can be reduced up to 99.8% - suggesting fine-grained privilege separation is feasible and laying the groundwork for accelerating real privilege separation.

UR - http://www.scopus.com/inward/record.url?scp=85117682864&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85117682864&partnerID=8YFLogxK

U2 - 10.1145/3471621.3471839

DO - 10.1145/3471621.3471839

M3 - Conference contribution

AN - SCOPUS:85117682864

T3 - ACM International Conference Proceeding Series

SP - 296

EP - 311

BT - Proceedings of 2021 24th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2021

PB - Association for Computing Machinery

Y2 - 6 October 2021 through 8 October 2021

ER -

μsCOPE: A methodology for analyzing least-privilege compartmentalization in large software artifacts

Abstract

Publication series

Conference

ASJC Scopus subject areas

Online availability

Library availability

Related links

Fingerprint

Cite this