The principles for building secure computer systems have been known for decades. Yet violating them (by assuming elevated privilege, for example) makes application development so much easier on conventional operating systems that it's doubtful the principles will ever be broadly followed there. This research program investigates a new operating system design, Asbestos, that allows applications to be completely secured by third parties, such as system administrators, without help from application authors themselves. The fundamental Asbestos security primitive is interposition, whereby programs can easily interpose upon, monitor, and control any or all interactions between an application and the rest of the system. Unlike previous systems, this includes interactions with other applications as well as system services. Interposers correspond to security policies, or per-application firewalls. They can block or virtualize undesired accesses, so that legacy applications that demand inappropriately high privilege can run in a less-privileged setting. Design challenges include making system interactions easy for interposers to understand, and developing a convenient library of security policies built from interposition components. A successful Asbestos design has the potential to significantly improve the security of critical systems, even those running insecure applications. Source code will be released publicly under an open-source license.

Agency: National Science Foundation (NSF)
Institute: Division of Computer and Network Systems (CNS)
Application #: 0430425
Program Officer: Karl Levitt
Project Start:
Project End:
Budget Start: 2004-09-15
Budget End: 2006-05-31
Support Year:
Fiscal Year: 2004
Total Cost: $1,300,000
Indirect Cost:
Name: New York University
Department:
Type:
DUNS #:
City: New York
State: NY
Country: United States
Zip Code: 10012