Improving Least Privilege in Software Architecture by Guided Automated Compartmentalization

Koen Buyens, Bart De Win, Wouter Joosen

Abstract

Security principles, like least privilege, are among the resources in the body of knowledge for security that have survived the test of time. Support for these principles at the architectural level is limited, as there are no systematic rules on how to apply the principle in practice. As a result, these principles are often neglected, since applying them consistently requires a lot of effort. This paper addresses this gap for the principle of least privilege in software architecture by eliciting architectural transformations that positively impact the least privilege properties of the architecture, while preserving the semantics thereof.


Paper Citation


in Harvard Style

Buyens K., De Win B. and Joosen W. (2008). Improving Least Privilege in Software Architecture by Guided Automated Compartmentalization. In Proceedings of the 6th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2008) ISBN 978-989-8111-44-9, pages 145-150. DOI: 10.5220/0001741501450150


in Bibtex Style

@conference{wosis08,
author={Koen Buyens and Bart De Win and Wouter Joosen},
title={Improving Least Privilege in Software Architecture by Guided Automated Compartmentalization},
booktitle={Proceedings of the 6th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2008)},
year={2008},
pages={145-150},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0001741501450150},
isbn={978-989-8111-44-9},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 6th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2008)
TI - Improving Least Privilege in Software Architecture by Guided Automated Compartmentalization
SN - 978-989-8111-44-9
AU - Buyens K.
AU - De Win B.
AU - Joosen W.
PY - 2008
SP - 145
EP - 150
DO - 10.5220/0001741501450150