Practical Fine-grained Privilege Separation in Multithreaded Applications
Jun Wang, Xi Xiong, Peng Liu

TL;DR
This paper introduces ARBITER, a run-time system that enables fine-grained privilege separation in multithreaded applications, enhancing security without significantly impacting performance.
Contribution
It presents a novel security system with data-centric primitives and OS support for privilege separation in multithreaded environments.
Findings
ARBITER achieves 5.6% average runtime overhead.
Ported memcached with minimal code changes.
Provides effective isolation among principals.
Abstract
An inherent security limitation with the classic multithreaded programming model is that all the threads share the same address space and, therefore, are implicitly assumed to be mutually trusted. This assumption, however, does not take into consideration the many modern multithreaded applications that involve multiple principals which do not fully trust each other. It remains challenging to retrofit the classic multithreaded programming model so that the security and privilege separation in multi-principal applications can be resolved. This paper proposes ARBITER, a run-time system and a set of security primitives, aimed at fine-grained and data-centric privilege separation in multithreaded applications. While enforcing effective isolation among principals, ARBITER still allows flexible sharing and communication between threads so that the multithreaded programming paradigm can be…
Taxonomy
Topics: Security and Verification in Computing · Distributed systems and fault tolerance · Advanced Malware Detection Techniques
