Marcela Melara will present her FPO, "Intra-Process Least Privilege and Isolation for Emerging Applications" on Thursday, 9/12/2019 at 1:30pm in CS 402.

The members of her committee are: Michael Freedman (adviser); Readers: Amit Levy and Mic Bowman (Intel Labs); Examiners: Wyatt Lloyd and Prateek Mittal (ELE).

A copy of her thesis is available upon request. Everyone is invited to attend her talk. The abstract follows below:

Third-party libraries reduce software development costs and effort. Designed for flexible reuse, libraries implement a small set of features, allowing developers to build applications by combining libraries that provide the desired functionality. However, third-party code also poses a great risk: because the source code is rarely inspected, or even accessible, by the application developer, bugs or vulnerabilities that can leak sensitive data may go unnoticed. Yet existing data protection tools are insufficient because they do not enforce least privilege, that is, restricting each library's access to only those data it needs for its functionality. Prior academic proposals have addressed this issue with two main approaches: (1) running application components in separate processes for strong isolation, or (2) tracking individual data objects throughout the application to prevent unprivileged components from disclosing sensitive information. However, these approaches see limited real-world adoption because they introduce significant development overhead and integration complexity.

This dissertation proposes intra-process least privilege, a design principle that makes least privilege practical for application developers by restricting access at the granularity of individual library functions and strongly isolating data within a single process address space. We first present Pyronia, a privilege separation system for language runtimes that targets IoT device applications. To protect sensitive OS resources, Pyronia combines three access control techniques: system call interposition, stack inspection, and page table replication. Developers then specify data access rules only for directly imported third-party functions in a central policy.

We next present Grin, a memory access control system for Intel SGX cloud applications. Intel SGX enables developers to run sensitive code inside an enclave, a hardware-protected memory region within an application's address space. However, in practice, developers often include untrusted third-party libraries in the enclave, giving them unfettered access to all in-enclave data. Grin leverages Memory Protection Keys (MPK) to partition an enclave and assign per-compartment access rules. Developers declare sensitive data objects and access privileges for in-enclave functions. Grin then automatically confines these data objects in MPK compartments. Pyronia and Grin demonstrate the effectiveness of our intra-process least privilege approach in today's privacy-critical applications while easing integration efforts for developers.
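The MPK compartment pattern that the Grin abstract describes, as an added C example that is not part of the dissertation or its code: a constructed sensitive buffer is tagged with a protection key whose default rights are "no access", and only a declared privileged function opens that key for the duration of its work. It assumes Linux with pkeys support (glibc 2.27+ wrappers, an MPK-capable CPU) and uses hypothetical function and variable names; where the hardware or kernel lacks MPK it reports that rather than failing.

```c
/* Added illustration of Grin-style intra-process compartments using MPK.
 * Hypothetical names; not code from the dissertation. */
#define _GNU_SOURCE
#include <errno.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

enum { DEMO_OK = 0, DEMO_UNSUPPORTED = 2, DEMO_ERROR = -1 };

static char *secret_page;   /* constructed "sensitive data object" */
static int   secret_pkey;   /* MPK compartment that holds it */

/* The one function declared as privileged for the secret: it opens the
 * compartment, copies the data out, and closes the compartment again. */
static int privileged_read(char *out, size_t n)
{
    int saved = pkey_get(secret_pkey);
    if (saved < 0 || pkey_set(secret_pkey, 0) != 0)   /* 0 = full access */
        return -1;
    strncpy(out, secret_page, n);
    out[n - 1] = '\0';
    return pkey_set(secret_pkey, saved);               /* restore no-access */
}

/* Sets up the compartment, records the rights unprivileged code sees,
 * then reads the secret through the privileged gate. */
int run_compartment_demo(char *out, size_t n, int *rights_outside)
{
    long pg = sysconf(_SC_PAGESIZE);
    secret_pkey = pkey_alloc(0, 0);
    if (secret_pkey < 0)
        return DEMO_UNSUPPORTED;          /* no MPK on this CPU or kernel */
    secret_page = mmap(NULL, pg, PROT_READ | PROT_WRITE,
                       MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (secret_page == MAP_FAILED) return DEMO_ERROR;
    strcpy(secret_page, "constructed-secret");
    /* Confine the object: tag its pages with the key, then revoke access
     * for all code running on this thread by default. */
    if (pkey_mprotect(secret_page, pg, PROT_READ | PROT_WRITE, secret_pkey))
        return DEMO_ERROR;
    if (pkey_set(secret_pkey, PKEY_DISABLE_ACCESS)) return DEMO_ERROR;
    *rights_outside = pkey_get(secret_pkey);   /* expect PKEY_DISABLE_ACCESS */
    int rc = privileged_read(out, n);
    pkey_set(secret_pkey, 0);                  /* reopen before teardown */
    munmap(secret_page, pg);
    pkey_free(secret_pkey);
    return rc == 0 ? DEMO_OK : DEMO_ERROR;
}
```

Any code outside `privileged_read` that touches `secret_page` while the key is set to no access takes a SIGSEGV, which is the enforcement point the abstract describes.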