The members of her committee are: Michael Freedman (adviser), Readers: Amit Levy and Mic Bowman (Intel Labs); Examiners: Wyatt Lloyd and Prateek Mittal (ELE)
A copy of her thesis is available upon request.
Everyone is invited to attend her talk. The abstract follows below:
Third-party libraries reduce software development costs and effort. Designed for flexible reuse, libraries implement a small set of features, allowing developers to build applications by combining libraries that provide the desired functionality. However, third-party code also poses a great risk: because the source code is rarely inspected or even accessible by the application developer, bugs or vulnerabilities that can leak sensitive data may go unnoticed. Yet existing data protection tools are insufficient because they do not enforce least privilege, i.e., restricting each library's access to only those data it needs for its functionality. Prior academic proposals have addressed this issue with two main approaches: (1) running application components in separate processes for strong isolation, or (2) tracking individual data objects throughout the application to prevent unprivileged components from disclosing sensitive information. However, these approaches see limited real-world adoption because they introduce significant development overhead and integration complexity.
This dissertation proposes intra-process least privilege, a design principle that facilitates enforcing least privilege for application developers by restricting access at the granularity of individual library functions, and strongly isolating data within a single process address space.
We first present Pyronia, a privilege separation system for language runtimes that targets IoT device applications. To protect sensitive OS resources, Pyronia combines three access control techniques: system call interposition, stack inspection, and page table replication. Developers then specify data access rules only for directly imported third-party functions in a central policy.
We next present Grin, a memory access control system for Intel SGX cloud applications. Intel SGX enables developers to run sensitive code inside an enclave, a hardware-protected memory region within an application's address space. However, in practice, developers often include untrusted third-party libraries in the enclave, giving them unfettered access to all in-enclave data. Grin leverages Memory Protection Keys (MPK) to partition an enclave and assign per-compartment access rules. Developers declare sensitive data objects and access privileges for in-enclave functions. Grin then automatically confines these data objects in MPK compartments.
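The following is an added illustration of the MPK mechanism the Grin paragraph relies on; it is not code from the dissertation or from Grin. It tags one page holding a "sensitive data object" with a protection key, writes to it from a compartment that holds the key, then revokes the key in the PKRU register (a user-mode write, no system call) and shows that a read from the now-untrusted compartment faults instead of returning the data. The function name, the outcome codes, and the SIGSEGV-and-siglongjmp recovery are constructed for this example; on a kernel or CPU without protection keys it reports "unsupported" rather than failing.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Outcome codes returned by demo_mpk_confinement() (constructed for this example). */
#define MPK_UNSUPPORTED  0  /* kernel or CPU lacks protection keys; nothing demonstrated */
#define MPK_CONFINED     1  /* read with key disabled faulted; read with key enabled succeeded */
#define MPK_VIOLATION   -1  /* read went through although the key was disabled */

static sigjmp_buf fault_env;
static volatile sig_atomic_t faulted;

/* SIGSEGV handler: a pkey fault arrives as SIGSEGV; record it and unwind to sigsetjmp. */
static void on_segv(int sig) {
    (void)sig;
    faulted = 1;
    siglongjmp(fault_env, 1);
}

int demo_mpk_confinement(void) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    /* One anonymous page stands in for a sensitive data object. */
    char *secret = mmap(NULL, page, PROT_READ | PROT_WRITE,
                        MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (secret == MAP_FAILED) return MPK_UNSUPPORTED;

    /* Ask the kernel for a protection key; ENOSYS/EINVAL/ENOSPC mean no PKU available. */
    int pkey = pkey_alloc(0, 0);
    if (pkey < 0) { munmap(secret, page); return MPK_UNSUPPORTED; }

    /* Tag the page with the key: page permissions stay RW, but PKRU decides per thread. */
    if (pkey_mprotect(secret, page, PROT_READ | PROT_WRITE, pkey) != 0) {
        pkey_free(pkey); munmap(secret, page); return MPK_UNSUPPORTED;
    }

    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_segv;
    sa.sa_flags = SA_NODEFER;
    sigaction(SIGSEGV, &sa, &old);

    volatile int result = MPK_VIOLATION;

    /* Trusted compartment: the key is enabled, so the owner may write the secret. */
    pkey_set(pkey, 0);
    strcpy(secret, "secret");

    /* Untrusted compartment: revoke access to the key before handing control over. */
    pkey_set(pkey, PKEY_DISABLE_ACCESS);
    faulted = 0;
    if (sigsetjmp(fault_env, 1) == 0) {
        volatile char c = secret[0];   /* must fault: the key is disabled in PKRU */
        (void)c;
        result = MPK_VIOLATION;        /* reached only if the hardware did not block the read */
    } else {
        /* Back from the fault handler; re-enable the key and confirm the data is intact. */
        pkey_set(pkey, 0);
        result = (strcmp(secret, "secret") == 0) ? MPK_CONFINED : MPK_VIOLATION;
    }

    sigaction(SIGSEGV, &old, NULL);
    pkey_set(pkey, 0);
    munmap(secret, page);
    pkey_free(pkey);
    return result;
}

int main(void) {
    int r = demo_mpk_confinement();
    if (r == MPK_UNSUPPORTED) puts("protection keys unavailable on this system");
    else if (r == MPK_CONFINED) puts("read blocked while key disabled; data intact when re-enabled");
    else puts("VIOLATION: read succeeded with key disabled");
    return r == MPK_VIOLATION;
}
```

Two points worth noticing: the page-table permissions never change between the two compartments, only the per-thread PKRU value does, which is why switching compartments is cheap enough to do at function-call granularity; and because any code can write PKRU, a real system such as Grin must also prevent untrusted code from re-enabling a key itself (for example by scanning it for PKRU-writing instructions), which this illustration does not attempt.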
Pyronia and Grin demonstrate the effectiveness of our intra-process least privilege approach in today's privacy-critical applications while easing integration efforts for developers.