Automatically partition software into least privilege components using dynamic data dependency analysis

Author

Yongzheng WU
Jun SUN, Singapore Management UniversityFollow
Yang LIU
Jin Song DONG

Publication Type

Conference Proceeding Article

Version

publishedVersion

Publication Date

11-2013

Abstract

The principle of least privilege requires that software components should be granted only necessary privileges, so that compromising one component does not lead to compromising others. However, writing privilege separated software is difficult and as a result, a large number of software is monolithic, i.e., it runs as a whole without separation. Manually rewriting monolithic software into privilege separated software requires significant effort and can be error prone. We propose ProgramCutter, a novel approach to automatically partitioning monolithic software using dynamic data dependency analysis. ProgramCutter works by constructing a data dependency graph whose nodes are functions and edges are data dependencies between functions. The graph is then partitioned into subgraphs where each subgraph represents a least privilege component. The privilege separated software runs each component in a separated process with confined system privileges. We evaluate it by applying it on four open source software. We can reduce the privileged part of the program from 100% to below 22%, while having a reasonable execution time overhead. Since ProgramCutter does not require any expert knowledge of the software, it not only can be used by its developers for software refactoring, but also by end users or system administrators. Our contributions are threefold: (i) we define a quantitative measure of the security and performance of privilege separation; (ii) we propose a graph-based approach to compute the optimal separation based on dynamic information flow analysis; and (iii) the separation process is automatic and does not require expert knowledge of the software.

Discipline

Software Engineering

Research Areas

Software and Cyber-Physical Systems

Publication

Proceedings of the 2013 28th IEEE/ACM International Conference on Automated Software Engineering (ASE), Silicon Valley, USA, November 11-15

First Page

323

Last Page

333

ISBN

9781479902156

Identifier

10.1109/ASE.2013.6693091

Publisher

IEEE

City or Country

Silicon Valley, USA

Citation

WU, Yongzheng; SUN, Jun; LIU, Yang; and DONG, Jin Song. Automatically partition software into least privilege components using dynamic data dependency analysis. (2013). Proceedings of the 2013 28th IEEE/ACM International Conference on Automated Software Engineering (ASE), Silicon Valley, USA, November 11-15. 323-333.
Available at: https://ink.library.smu.edu.sg/sis_research/5006

Creative Commons License

This work is licensed under a Creative Commons Attribution-NonCommercial-No Derivative Works 4.0 International License.

Additional URL

https://doi.org/10.1109/ASE.2013.6693091