The goal of this project is to provide protection against exploits delivered through untrusted third-party software components and against malicious manipulation of an application's own data. These problems constitute an important class of vulnerabilities in current software, and they share a common root cause: the inability to divide a program and the data it manipulates in a fine-grained manner and to control the interactions between the resulting parts.
This project proposes practical fine-grained ``least privilege'' enforcement through a computation model in which the heap is divided into a dynamic number of memory domains. Security contexts, called secure memory views (SMVs), map the privileges of code executing within them onto those memory domains: a thread can only access a domain with the privileges its current SMV holds on it. Threads may dynamically change their set of privileges (i.e., which SMV they are bound to) in a secure and controlled fashion; this operation is termed security context switching.

These ideas are realized through three core contributions. (1) A programming model is devised that lets the application programmer apply the proposed techniques easily, while providing enough structure to reason about the resulting properties and to enforce them. (2) The new concepts are reified within a modern mainstream programming language through development of a compiler supporting the language extensions, together with modifications to the language runtime. (3) An efficient implementation of security context switching is proposed, involving both the language runtime and the operating system kernel itself. To validate the research, a popular web browser as well as a web server are enhanced to use SMVs. Because widely employed open-source software is used to implement and validate the proposed support, the concepts become available to a large community for use as well as for further research and development.
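The following is an added illustrative model of the three ideas above (memory domains, SMVs carrying per-domain privileges, and controlled security context switching); it is example code written for this page, not the project's programming model, runtime or kernel interface. Every name in it (memdom_t, smv_t, smv_access_ok, smv_enter, smv_exit, the three constructed domains and the two SMVs) is assumed for illustration, as is the policy that a thread may only enter an SMV its current SMV lists, and returns to the previous SMV on exit. The scenario is an application thread handing control to an untrusted plugin that must not read or write the application's secrets.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative model of memory domains, SMVs and security context switching.
 * Added example with assumed names and policy; not the project's own API. */

#define MAX_DOMAINS 4
#define MAX_SMVS    4
#define MAX_NEST    8
#define PRIV_READ   1u
#define PRIV_WRITE  2u

typedef struct {
    const char *name;
    uint8_t    *base;
    size_t      len;
} memdom_t;

typedef struct {
    const char *name;
    unsigned    priv[MAX_DOMAINS];   /* privilege bits held on each domain */
    bool        may_enter[MAX_SMVS]; /* SMVs this context is allowed to switch into */
} smv_t;

typedef struct {
    const char *name;
    int         cur;                 /* index of the SMV the thread is bound to */
    int         stack[MAX_NEST];     /* SMVs to return to on exit */
    int         depth;
} thread_t;

/* Constructed layout: three domains backed by static buffers, two SMVs. */
static uint8_t  g_secret_buf[64], g_shared_buf[64], g_plugin_buf[64];
static memdom_t g_doms[MAX_DOMAINS];
static smv_t    g_smvs[MAX_SMVS];
enum { DOM_SECRET, DOM_SHARED, DOM_PLUGIN, NDOM };
enum { SMV_APP, SMV_PLUGIN, NSMV };

void example_setup(void)
{
    g_doms[DOM_SECRET] = (memdom_t){ "app_secrets", g_secret_buf, sizeof g_secret_buf };
    g_doms[DOM_SHARED] = (memdom_t){ "shared_io",   g_shared_buf, sizeof g_shared_buf };
    g_doms[DOM_PLUGIN] = (memdom_t){ "plugin_heap", g_plugin_buf, sizeof g_plugin_buf };

    g_smvs[SMV_APP]    = (smv_t){ .name = "app" };
    g_smvs[SMV_PLUGIN] = (smv_t){ .name = "plugin" };
    g_smvs[SMV_APP].priv[DOM_SECRET] = PRIV_READ | PRIV_WRITE;
    g_smvs[SMV_APP].priv[DOM_SHARED] = PRIV_READ | PRIV_WRITE;
    g_smvs[SMV_APP].may_enter[SMV_PLUGIN] = true;
    /* The untrusted component sees the shared buffer read-only plus its own heap;
     * it holds no privilege on app_secrets and may not enter the app context. */
    g_smvs[SMV_PLUGIN].priv[DOM_SHARED] = PRIV_READ;
    g_smvs[SMV_PLUGIN].priv[DOM_PLUGIN] = PRIV_READ | PRIV_WRITE;
}

static int domain_of(const uint8_t *p)
{
    uintptr_t a = (uintptr_t)p;
    for (int d = 0; d < NDOM; d++) {
        uintptr_t lo = (uintptr_t)g_doms[d].base;
        if (a >= lo && a < lo + g_doms[d].len)
            return d;
    }
    return -1;
}

/* Access check: the thread's current SMV must hold every requested bit on the
 * domain containing p; addresses outside any domain are denied. */
bool smv_access_ok(const thread_t *t, const uint8_t *p, unsigned want)
{
    int d = domain_of(p);
    if (d < 0 || t->cur < 0 || t->cur >= NSMV) return false;
    return (g_smvs[t->cur].priv[d] & want) == want;
}

/* Security context switch: enter a target SMV only if the current SMV lists it. */
bool smv_enter(thread_t *t, int target)
{
    if (target < 0 || target >= NSMV || t->depth >= MAX_NEST) return false;
    if (!g_smvs[t->cur].may_enter[target]) return false;
    t->stack[t->depth++] = t->cur;
    t->cur = target;
    return true;
}

/* Return to the SMV that was active before the matching smv_enter. */
bool smv_exit(thread_t *t)
{
    if (t->depth == 0) return false;
    t->cur = t->stack[--t->depth];
    return true;
}

int main(void)
{
    example_setup();
    thread_t t = { .name = "worker", .cur = SMV_APP };
    smv_enter(&t, SMV_PLUGIN);   /* hand control to the untrusted plugin */
    printf("plugin reads shared:  %s\n", smv_access_ok(&t, g_shared_buf, PRIV_READ)  ? "ok" : "denied");
    printf("plugin writes secret: %s\n", smv_access_ok(&t, g_secret_buf, PRIV_WRITE) ? "ok" : "denied");
    printf("plugin enters app:    %s\n", smv_enter(&t, SMV_APP) ? "ok" : "denied");
    smv_exit(&t);
    printf("app writes secret:    %s\n", smv_access_ok(&t, g_secret_buf, PRIV_WRITE) ? "ok" : "denied");
    return 0;
}
```

The point of the enter/exit stack is that the untrusted component never chooses its own privileges: the switch into the plugin SMV is granted by the application's SMV, and the only way out is back to the context that performed the entry, so the plugin cannot escalate to the app's view of the secrets domain. In the proposed system this check would be enforced by the runtime and kernel rather than by a table lookup in user code; the table here only makes the policy visible.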