Towards Practical Application-level Support for Privilege Separation.

Nik Sultana, Henry Zhu, Ke Zhong, Zhilei Zheng, Ruijie Mao, Digvijaysinh Chauhan, Stephen Carrasquillo, Junyong Zhao, Lei Shi, Nikos Vasilakis, Boon Thau Loo

ACSAC (2022)

Abstract
Privilege separation (privsep) is an effective technique for improving software's security, but privsep involves decomposing software into components and assigning them different privileges. This is often laborious and error-prone. This paper contributes the following for applying privsep to C software: (1) a portable, lightweight, and distributed runtime library that abstracts externally-enforced compartment isolation; (2) an abstract compartmentalization model of software for reasoning about privsep; and (3) a privsep-aware Clang-based tool for code analysis and semi-automatic software transformation to use the runtime library. The evaluation spans 19 compartmentalizations of third-party software and examines: Security: 4 CVEs in widely-used software were rendered unexploitable; Approximate Effort Saving: on average, the synthesis-to-annotation code ratio was greater than 11.9 (i.e., 10x lines of code were generated for each annotation); and Overhead: execution-time overhead was less than 2%, and memory overhead was linear in the number of compartments.