A5: Preventing Privilege Escalation

The Principle of Least Privilege is one of the fundamental building blocks of security in modern computing systems. In lecture we discussed enforcing this principle by minimizing the portion of a program's execution that runs with powerful privileges, under the assumption that all of the program's code runs in a single process. Provos et al. proposed an approach called privilege separation, which also aims to reduce the use of privileges but does so with a different strategy: the program is split into multiple processes, and only a small part of it retains privileges.

Read this paper: Preventing Privilege Escalation, and answer the questions below. Answer the questions in your own words, even if the answers can be found directly in the paper.

Questions

  1. (4 points) Summarize this paper in 4 to 8 sentences.
  2. (1 point) What is the least privilege principle?
  3. (2 points) Why does privilege separation improve the security of programs?
  4. (1 point) Why can't a slave process create new files in its own directories?
  5. (1 point) What potential attacks does the restriction in question 4 prevent?
  6. (1 point) What is the mechanism used by this work for inter-process communication?
  7. (4 points) How is the identity of a slave process changed? Describe the key steps; you do not need to cover every detail.
  8. (1 point) Why is the interface between the monitor and the slave process important for security?

What you need to submit

Submit your work through Blackboard. The deadline is November 12th by midnight. The submission should be a PDF file that contains the answers to the questions.