Automatic Isolation and Least Privilege in Web Applications
In many client-facing applications, a vulnerability in any part can compromise the entire application. This paper describes the design and implementation of Passes, a system that protects a data store from unintended data leaks and unauthorized writes even in the face of application compromise. Passes automatically splits applications into sandboxed processes. Passes limits communication between those components and the types of accesses each component can make to shared storage, such as a backend database. In order to limit components to their least privilege, Passes uses dynamic analysis on developer-supplied end-to-end test cases to learn data- and control-flow relationships between database queries and previous query results, and it then strongly enforces those relationships. Our prototype of Passes acts as a drop-in replacement for the underlying web framework. By running eleven unmodified, off-the-shelf applications in Passes, we demonstrate its ability to provide strong security guarantees (Passes correctly enforced 96% of the applications' policies) with little additional overhead. Additionally, in the web-specific setting of the prototype, we also mitigate the cross-component effects of cross-site scripting (XSS) attacks by combining browser HTML5 sandboxing techniques with our automatic component separation.
Keywords: security policy inference; isolation; capabilities; principle of least privilege; web security
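As an added illustration of the inference-then-enforcement idea sketched in the abstract (this is not the paper's code), the following example learns, from constructed test-case traces, which query arguments always equal a value returned by an earlier query in the same request, and then rejects at runtime any query whose argument was not produced that way. It covers only the data-flow half of the relationships the paper describes; control-flow ordering constraints are omitted, and the query templates and traces are constructed for the demonstration.

```python
from collections import defaultdict

# Constructed query templates standing in for an application's SQL.
USER_Q = "SELECT id FROM users WHERE session=?"
POSTS_Q = "SELECT * FROM posts WHERE owner=?"

# Constructed training traces: each is the ordered list of
# (template, bound arguments, result row) one test request issued.
TRAINING_TRACES = [
    [(USER_Q, ("s1",), (7,)), (POSTS_Q, (7,), ("post-a",))],
    [(USER_Q, ("s2",), (9,)), (POSTS_Q, (9,), ("post-b",))],
]


def infer_constraints(traces):
    """Map (template, arg_index) -> set of (earlier_template, result_index)
    sources that explain the argument's value in *every* training trace.
    Arguments with no consistent source (e.g. raw session cookies) are left
    unconstrained."""
    candidates = {}
    for trace in traces:
        seen = []  # (template, result row) already executed in this request
        for tmpl, args, row in trace:
            for i, arg in enumerate(args):
                srcs = {(t, j) for t, r in seen for j, v in enumerate(r) if v == arg}
                key = (tmpl, i)
                candidates[key] = srcs if key not in candidates else candidates[key] & srcs
            seen.append((tmpl, row))
    return {k: v for k, v in candidates.items() if v}


class Enforcer:
    """Per-request monitor: a constrained argument is allowed only if some
    earlier result row in this request produced the same value."""

    def __init__(self, constraints):
        self.constraints = constraints
        self.results = defaultdict(list)  # template -> rows seen this request

    def check(self, tmpl, args):
        for i, arg in enumerate(args):
            srcs = self.constraints.get((tmpl, i))
            if srcs is None:
                continue  # unconstrained argument
            if not any(r[j] == arg for t, j in srcs for r in self.results[t]):
                return False  # value never flowed from an allowed source
        return True

    def record(self, tmpl, row):
        self.results[tmpl].append(row)
```

A compromised component that tries to read another user's posts (owner 8 after the session resolved to user 7) is refused because no earlier result in that request yielded 8.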