PRIVMUL: PRIVilege separation for Multi-user Logic applications

A. Mambretti

In every computer system, bugs and vulnerabilities have always been a cause of security problems and malfunctions. The size of these systems and the number of people who design and build them keep growing, and with them the probability that mistakes are accidentally introduced.

Privilege escalation is one of the best-known problems associated with bugs and vulnerabilities: an attacker who exploits privileged software becomes able to execute functionalities that belong to privilege levels higher than those of his or her user profile. Several works in this area try to either prevent or defeat privilege escalation in computer systems. Most of them address privilege separation inside the Operating System (O.S.), trying to prevent the exploitation of privileged software from giving an attacker the administrative privilege level that would hand over control of the machine. However, a recent work shows that not only operating systems are exposed to privilege escalation: multi-user logic applications can suffer from this issue as well. It shows how a user could access functionalities of other users' profiles by exploiting the new GEM vulnerability class.

In this work, I present a new security mechanism that applies privilege separation to multi-user logic applications in order to defeat privilege escalation and data leaks. PRIVMUL, the system I present, provides a new mechanism for writing or adapting this kind of application. PRIVMUL links the application to the operating system through newly provided APIs that guarantee the safe execution of every operation. The approach I propose protects the code and data of other profiles from unauthorized access by the profile that is currently running the application. To achieve this protection, PRIVMUL temporarily removes all access rights on the memory pages belonging to profiles other than the current one. It also aims to protect dynamic data by providing a chunk-based tracker with the support of the operating system.

To remain flexible, PRIVMUL supports a runtime profile switch through an authentication mechanism. The experimental results show that this approach introduces an acceptable overhead that does not affect the overall usability of the protected application.
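The core of the mechanism described above, per-profile memory pages whose access rights are revoked on a runtime profile switch, as an added illustration that is not PRIVMUL's own code: it assumes a simplified model with one anonymous page per profile, a constructed password check standing in for the authentication mechanism, and a pipe write as a crash-free probe of whether a page is currently readable.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>

#define NPROFILES 3

static char *profile_page[NPROFILES]; /* one private page of data per profile */
static long page_size;

/* Constructed stand-in for an authentication back end: profile i unlocks with "pw<i>". */
static int authenticate(int profile, const char *password) {
    char expected[16];
    snprintf(expected, sizeof expected, "pw%d", profile);
    return strcmp(expected, password) == 0;
}

/* Give each profile its own page of data, then revoke all access until someone logs in. */
int privmul_init(void) {
    page_size = sysconf(_SC_PAGESIZE);
    for (int i = 0; i < NPROFILES; i++) {
        char *p = mmap(NULL, page_size, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
        if (p == MAP_FAILED) return -1;
        snprintf(p, page_size, "constructed secret of profile %d", i);
        if (mprotect(p, page_size, PROT_NONE) != 0) return -1;
        profile_page[i] = p;
    }
    return 0;
}

/* Runtime profile switch: after authentication, only the new profile's page is accessible;
   every other profile's page is left with no access rights at all. */
int privmul_switch(int profile, const char *password) {
    if (profile < 0 || profile >= NPROFILES || !authenticate(profile, password)) return -1;
    for (int i = 0; i < NPROFILES; i++) {
        int prot = (i == profile) ? (PROT_READ | PROT_WRITE) : PROT_NONE;
        if (mprotect(profile_page[i], page_size, prot) != 0) return -1;
    }
    return 0;
}

/* Probe readability without faulting the process: the kernel refuses (EFAULT) to copy
   from a PROT_NONE page into a pipe, so the write fails instead of the program crashing. */
int privmul_readable(int profile) {
    int fds[2];
    if (pipe(fds) != 0) return -1;
    int readable = write(fds[1], profile_page[profile], 1) == 1;
    close(fds[0]); close(fds[1]);
    return readable;
}
```

Dynamic data and the chunk-based tracker are outside what this sketch models; it only shows the page-protection half of the approach.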