μSCOPE: A Methodology for Analyzing Least-Privilege Compartmentalization in Large Software Artifacts.
Nicholas Roessler, Lucas Atayde, Imani Palmer, Derrick McKee, Jai Pandey, Vasileios P. Kemerlis, Mathias Payer, Adam Bates, André DeHon, Jonthan M. Smith, and Nathan Dauhtenhahn.
Proceedings of the International Symposium on Research in Attacks, Intrusions and Defenses,
pp. 296--311, October, 2021.
By prioritizing simplicity and portability, least-privilege engineering has been an afterthought in OS design, resulting in monolithic kernels where any exploit leads to total compromise. μSCOPE ("microscope") addresses this problem by automatically identifying opportunities for least-privilege separation. μSCOPE replaces expert-driven, semi-automated analysis with a general methodology for exploring a continuum of security vs. performance design points by adopting a quantitative and systematic approach to privilege analysis. We apply the μSCOPE methodology to the Linux kernel by (1) instrumenting the entire kernel to gain comprehensive, fine-grained memory access and call activity; (2) mapping these accesses to semantic information; and (3) conducting separability analysis on the kernel using both quantitative privilege and over-head metrics. We discover opportunities for orders of magnitude privilege reduction while predicting relatively low overheads---at 15% mediation overhead, overprivilege in Linux can be reduced up to 99.8%---suggesting fine-grained privilege separation is feasible and laying the groundwork for accelerating real privilege separation.
held by authors. Publication rights licensed to ACM.
This is the author's version of the work. It is posted here for your
Not for redistribution. The definitive version was published in the Proceedings of the
International Symposium on Research in Attacks, Intrusions and Defenses,