Abstract

By prioritizing simplicity and portability, least-privilege engineering has been an afterthought in OS design, resulting in monolithic kernels where any exploit leads to total compromise. muSCOPE (“microscope”) addresses this problem by automatically identifying opportunities for least-privilege separation. muSCOPE replaces expert-driven, semi-automated analysis with a general methodology for exploring a continuum of security vs. performance design points by adopting a quantitative and systematic approach to privilege analysis. We apply the muSCOPE methodology to the Linux kernel by (1) instrumenting the entire kernel to gain comprehensive, fine-grained memory access and call activity; (2) mapping these accesses to semantic information; and (3) conducting separability analysis on the kernel using both quantitative privilege and overhead metrics. We discover opportunities for orders of magnitude privilege reduction while predicting relatively low overheads – at 15% mediation overhead, overprivilege in Linux can be reduced up to 99.8% – suggesting that fine-grained privilege separation is feasible and laying the groundwork for accelerating real system privilege separation.