DATE: Thursday, October 21, 2004
TIME: Noon - 1 pm
PLACE: Wean Hall 8220

David Brumley

Privtrans: Automatically Partitioning Programs for Privilege Separation

Privileged programs, such as system daemons, setuid programs, and system maintenance programs, are the most common targets of intruders, viruses, and worms. Since most privileged programs are written in C -- an unsafe language -- an intruder can elevate their privileges by exploiting a bug anywhere in the privileged program, even in code that performs operations which do not themselves require privileges.

Privilege separation partitions a single program into two protection domains: a privileged monitor and an unprivileged slave. The slave and monitor cooperate to behave as the original program. All trust and privileges are confined to the monitor, which results in a smaller and more easily secured trusted base. Previously the privilege separation process, i.e., partitioning one program into the monitor and slave, was done by hand, which is time-consuming and error-prone.

We have designed and developed the first automatic approach for privilege separation. We use static analysis and C-to-C translation to separate the original program into the monitor and slave. We also combine static analysis and dynamic checks for better precision and performance. Our approach uses the strongest model of privilege separation, allows for fine-grained policies to be implemented in the monitor, and allows us to track and re-incorporate privilege separation as source code evolves. We have successfully incorporated privilege separation into several open source programs, including OpenSSH, which had previously been separated by hand.
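As an added illustration that is not part of the original announcement and is not Privtrans's own code or output, the following hand-partitioned C program has the monitor/slave shape the abstract describes. The parent keeps its privileges and acts as the monitor; the child drops root and becomes the slave, which can do only one privileged thing: ask the monitor, over a socketpair, to read a file. The monitor applies a fine-grained policy before it agrees. Assumed for this example: a Linux/POSIX host (fork, socketpair, mkdtemp), uid/gid 65534 as the unprivileged identity, a writable /tmp for the self-check, and the request/reply structs, policy_allows, monitor_loop, slave_read, run_demo and selftest, which are all this example's own names.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Wire format of the single RPC the slave may make: "read this file for me".
 * Names and layout are this example's own, not Privtrans's generated stubs. */
struct request { char path[128]; };
struct reply   { int len; char data[200]; };   /* len < 0: refused, or open/read failed */

/* Monitor policy: absolute paths strictly below allowed_dir with no ".." anywhere
 * (coarse on purpose; production code would canonicalise via realpath() or openat()). */
static int policy_allows(const char *allowed_dir, const char *path)
{
    size_t n = strlen(allowed_dir);
    return path[0] == '/' && !strncmp(path, allowed_dir, n) && path[n] == '/' && !strstr(path, "..");
}

/* Privileged side: serve until the slave closes its end. The path comes from a possibly
 * compromised slave, so it is untrusted input: terminate it, check policy, only then open. */
static void monitor_loop(int sock, const char *allowed_dir)
{
    struct request req;
    struct reply rep;
    while (read(sock, &req, sizeof req) == (ssize_t)sizeof req) {
        req.path[sizeof req.path - 1] = '\0';
        memset(&rep, 0, sizeof rep); rep.len = -1;   /* no stale stack bytes cross the boundary */
        int fd = policy_allows(allowed_dir, req.path) ? open(req.path, O_RDONLY | O_NOFOLLOW) : -1;
        if (fd >= 0) { rep.len = (int)read(fd, rep.data, sizeof rep.data); close(fd); }
        if (write(sock, &rep, sizeof rep) != (ssize_t)sizeof rep) break;
    }
}

/* Unprivileged side: shed root if we have it (65534 assumed to be nobody/nogroup), then
 * make the RPC and hand back whatever bytes the monitor returned. */
static int slave_read(int sock, const char *path, char *buf, size_t n)
{
    struct request req;
    struct reply rep;
    if (geteuid() == 0 && (setgroups(0, NULL) || setgid(65534) || setuid(65534))) return -1;
    snprintf(req.path, sizeof req.path, "%s", path);
    if (write(sock, &req, sizeof req) != (ssize_t)sizeof req) return -1;
    if (read(sock, &rep, sizeof rep) != (ssize_t)sizeof rep || rep.len < 0) return -1;
    if (rep.len > (int)sizeof rep.data || (size_t)rep.len > n) return -1;   /* sanity-check len */
    memcpy(buf, rep.data, (size_t)rep.len);
    return rep.len;
}

/* Fork: the parent stays privileged as the monitor, the child becomes the slave. Returns
 * the byte count the slave read (carried in its exit status, so test files stay under 255
 * bytes) or -1 if the monitor refused. */
static int run_demo(const char *allowed_dir, const char *path)
{
    int sv[2], status = 0;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char buf[200];
        close(sv[0]);
        int n = slave_read(sv[1], path, buf, sizeof buf);
        _exit(n < 0 ? 255 : n);
    }
    close(sv[1]);
    monitor_loop(sv[0], allowed_dir);    /* returns once the slave exits */
    close(sv[0]);
    waitpid(pid, &status, 0);
    return WIFEXITED(status) && WEXITSTATUS(status) != 255 ? WEXITSTATUS(status) : -1;
}

/* Self-check on a scratch directory: an allowed read, a request outside the directory,
 * and a traversal attempt that a naive prefix check would let through. Returns 0 on
 * success, or a code naming the step that misbehaved. */
static int selftest(void)
{
    char dir[] = "/tmp/privsep-demo-XXXXXX", file[160], evil[192];
    int rc = 0;
    if (!mkdtemp(dir)) return 1;
    snprintf(file, sizeof file, "%s/secret.txt", dir);
    snprintf(evil, sizeof evil, "%s/../../etc/passwd", dir);
    FILE *f = fopen(file, "w");
    if (!f) return 2;
    fputs("hello\n", f);
    fclose(f);
    if (run_demo(dir, file) != 6) rc = 3;                  /* allowed: "hello\n" is 6 bytes */
    else if (run_demo(dir, "/etc/passwd") != -1) rc = 4;   /* outside allowed_dir: refused */
    else if (run_demo(dir, evil) != -1) rc = 5;            /* traversal: refused by policy */
    unlink(file);
    rmdir(dir);
    return rc;
}

int main(void) { return selftest(); }
```

Compile with cc -o privsep privsep.c and run it; an exit status of 0 means the allowed read returned 6 bytes and both the out-of-tree request and the ../ traversal were refused. The thing to notice is what a compromised slave gains: it can send any path it likes, but the policy check and the open() both run in the monitor, so a memory-safety bug in the slave cannot turn into arbitrary file access. In the approach described above, the slave_read/monitor_loop pair is the kind of call boundary that the C-to-C translation has to introduce for each privileged operation, and policy_allows is where the fine-grained policy the abstract mentions would live.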

In this talk I will describe our techniques and our implementation, called Privtrans. I will also discuss our results in automatically partitioning programs. This is joint work with Dawn Song. The paper appeared at the USENIX Security Symposium in August 2004. This talk is in partial fulfillment of the speaking requirement.

David Brumley is a second-year PhD student. Before coming to CMU, he received a master's degree from Stanford. He is interested in all aspects of computer security.
