Developers of large-scale software systems may use third-party modules to
reduce costs and accelerate release cycles, at some risk to safety
and security. BREAKAPP exploits module boundaries to automate
compartmentalization of sys- tems and enforce security policies,
enhancing reliability and security. BREAKAPP transparently spawns
modules in protected compartments while preserving their original
behavior. Optional high-level policies decouple security
assumptions made during development from requirements imposed for
module composition and use. These policies allow fine-tuning
trade-offs such as security and performance based on changing
threat models or load patterns. Evaluation of BREAKAPP with a
prototype implementation for JavaScript demonstrates feasibility by
en- abling simplified security hardening of existing systems with
low performance overhead.
|
