Program-mandering
Authors: | Yongzhe Huang, Frank Capobianco, Trent Jaeger, Shen Liu, Stephen McCamant, Gang Tan, Dongrui Zeng |
---|---|
Year of publication: | 2019 |
Subject: | Computer science; Distributed computing; Software engineering (FOS 020207); Engineering and technology (FOS 02); Partition (database); Toolchain; Set (abstract data type); Software security assurance; Information systems (FOS 020204); Privilege separation; Metric (mathematics); Electrical engineering, electronic engineering, information engineering (FOS 0202); Information flow (information theory); Declassification |
Source: | CCS |
Description: | Privilege separation is an effective technique to improve software security. However, past partitioning systems do not allow programmers to make quantitative tradeoffs between security and performance. In this paper, we describe our toolchain called PM. It can automatically find the optimal boundary in program partitioning. This is achieved by solving an integer-programming model that optimizes for a user-chosen metric while satisfying the remaining security and performance constraints on other metrics. We choose security metrics to reason about how well computed partitions enforce information flow control to: (1) protect the program from low-integrity inputs or (2) prevent leakage of program secrets. As a result, functions in the sensitive module that fall on the optimal partition boundaries automatically identify where declassification is necessary. We used PM to experiment on a set of real-world programs to protect confidentiality and integrity; results show that, with moderate user guidance, PM can find partitions that have better balance between security and performance than partitions found by a previous tool that requires manual declassification. |
Database: | OpenAIRE |
External link: |
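The description above summarizes the idea of quantitative partitioning: pick one metric to optimize, bound the others, and read the declassification points off the resulting boundary. The following is an added illustration of that idea and is not PM's code, nor a reproduction of its integer-programming model or of the metrics reported in the paper. Everything in it is constructed: the call graph with profiled call counts (the performance metric is the number of calls that would cross the boundary), the per-function code sizes (the security metric is the size of the sensitive partition), and the two sets that stand in for the result of an information-flow analysis (functions that handle the secret must be inside, functions that parse low-integrity input must stay outside). Brute-force enumeration of all assignments stands in for the ILP solver, which is only workable for a handful of functions.

```python
"""Toy quantitative privilege separation (added example, not PM's code)."""
from itertools import product

# Constructed call graph (not from the paper): caller -> {callee: profiled call count}.
# Every call that crosses the partition boundary becomes an RPC, so the counts are the
# performance cost of a partition.
CALL_GRAPH = {
    "main":         {"parse_input": 100, "load_key": 1, "encrypt": 50, "log": 100},
    "parse_input":  {"log": 100},
    "load_key":     {"read_file": 1},
    "encrypt":      {"aes_block": 5000, "log": 50},
    "aes_block":    {},
    "read_file":    {},
    "log":          {"write_stdout": 150},
    "write_stdout": {},
}
# Assumed per-function code size; the sensitive partition's total size is the attack-surface metric.
SIZE = {"main": 40, "parse_input": 120, "load_key": 15, "encrypt": 30,
        "aes_block": 200, "read_file": 10, "log": 25, "write_stdout": 5}
# Assumed output of an information-flow analysis: functions that touch the key must be in the
# sensitive partition (confidentiality); functions that parse untrusted input must stay outside.
SECRET_HANDLERS = {"load_key", "encrypt", "aes_block"}
UNTRUSTED_SOURCES = {"parse_input"}


def crossing_cost(sensitive, graph=CALL_GRAPH):
    """Performance metric: profiled calls whose caller and callee sit on different sides."""
    return sum(n for f, callees in graph.items() for g, n in callees.items()
               if (f in sensitive) != (g in sensitive))


def surface(sensitive, size=SIZE):
    """Security metric: code size of the sensitive (trusted) partition."""
    return sum(size[f] for f in sensitive)


def best_partition(graph, secret, untrusted, size, max_surface=None, max_cost=None):
    """Return the sensitive set that minimizes one metric under a bound on the other.

    Exactly one bound must be given: with max_surface the crossing cost is minimized,
    with max_cost the surface is minimized. All 2^n assignments are enumerated, which
    stands in for the ILP solver and is only practical for small graphs.
    Returns None when the hard constraints cannot be met within the bound.
    """
    if (max_surface is None) == (max_cost is None):
        raise ValueError("give exactly one of max_surface or max_cost")
    funcs = sorted(graph)
    best = None
    for bits in product((0, 1), repeat=len(funcs)):
        sens = {f for f, b in zip(funcs, bits) if b}
        # Hard information-flow constraints from the (assumed) analysis above.
        if not secret <= sens or untrusted & sens:
            continue
        cost, surf = crossing_cost(sens, graph), surface(sens, size)
        if max_surface is not None:
            if surf > max_surface:
                continue
            key = (cost, surf)      # minimize cost, break ties toward a smaller surface
        else:
            if cost > max_cost:
                continue
            key = (surf, cost)      # minimize surface, break ties toward a lower cost
        if best is None or key < best[0]:
            best = (key, sens)
    return best[1] if best else None


def boundary_functions(sensitive, graph=CALL_GRAPH):
    """Sensitive-side endpoints of boundary-crossing calls.

    Arguments and return values of these functions cross the module boundary, so they are
    the places where outgoing secrets need declassification and incoming data needs
    validation (endorsement).
    """
    return {f if f in sensitive else g
            for f, callees in graph.items() for g in callees
            if (f in sensitive) != (g in sensitive)}


if __name__ == "__main__":
    for budget in (260, 250):
        sens = best_partition(CALL_GRAPH, SECRET_HANDLERS, UNTRUSTED_SOURCES, SIZE,
                              max_surface=budget)
        print(f"surface<={budget}: sensitive={sorted(sens)} cost={crossing_cost(sens)} "
              f"surface={surface(sens)} declassify at={sorted(boundary_functions(sens))}")
    print("surface<=200:",
          best_partition(CALL_GRAPH, SECRET_HANDLERS, UNTRUSTED_SOURCES, SIZE, max_surface=200))
```

Tightening the surface budget from 260 to 250 forces `read_file` out of the sensitive module and raises the crossing cost from 101 to 102 calls, which is the kind of quantitative tradeoff the description talks about; a budget of 200 is infeasible because the key-handling functions alone exceed it. In both feasible solutions the sensitive-side boundary functions are `load_key` (its return value carries the key out) and `encrypt` (it is called from outside and calls out to `log`), so those are where a declassification or endorsement decision has to be made.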