The Pitchfork project develops a toolchain to implement the privilege separation ("privsep") technique for software security. This page links to articles and code that describe the design of that toolchain and its application to several examples of third-party software. Privsep involves organizing software into mutually-dependent but differently-trusted compartments. Compartments can be secured separately and even executed in different containers/VMs/machines.
Pitchfork and libcompart
Privilege separation (privsep) is an effective technique for improving software security, but it requires decomposing software into components and assigning each a different privilege level, which is laborious and error-prone when done by hand. The ACSAC 2022 paper contributes the following for applying privsep to C software: (1) libcompart: a portable, lightweight, and distributed runtime library that abstracts externally-enforced compartment isolation; (2) an abstract compartmentalization model of software for reasoning about privsep; and (3) Pitchfork: a privsep-aware Clang-based tool for code analysis and semi-automatic software transformation to use the runtime library.
Presented at ACSAC 2022: Paper | Code
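The decomposition that libcompart's runtime abstracts is, at its core, the classic two-process privsep layout: a privileged broker that holds the sensitive capability and a less-trusted worker that can only reach it through a narrow, policy-checked request/response interface over an IPC channel. The following is an added illustration of that pattern in plain C; it is not code from the Pitchfork or libcompart repositories and assumes nothing about their API. The names `broker_handle`, `privsep_roundtrip`, the `req`/`resp` message structs and the `secrets` table are hypothetical, and the secret table is constructed sample data.

```c
/* Minimal fork-based privilege separation (added example, not Pitchfork/libcompart code).
 * The broker compartment guards a constructed secret table and enforces a policy;
 * the worker compartment (which in real software would hold the parsing and
 * network-facing code) can only ask for one bounded operation over a socketpair. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

enum op { OP_LOOKUP = 1, OP_DUMP = 2 };   /* OP_DUMP exists in the protocol but policy denies it */

struct req  { uint32_t op; uint32_t key; };     /* hypothetical wire format: fixed-size, no pointers */
struct resp { int32_t status; uint32_t value; };

/* Constructed sample data. In a deployment only the broker would load this
 * (e.g. from a root-only file before the worker is forked/exec'd); here both
 * processes share one image, so the example demonstrates the interface and
 * policy boundary rather than memory separation. */
static const uint32_t secrets[4] = { 0xCAFE, 0xBEEF, 0xF00D, 0xD00D };

/* Policy enforced inside the trusted compartment: one narrow op, bounds-checked,
 * and only a derived byte is released rather than the raw secret. */
int broker_handle(const struct req *r, struct resp *out) {
    memset(out, 0, sizeof *out);
    if (r->op != OP_LOOKUP) { out->status = -EPERM; return -1; }
    if (r->key >= sizeof secrets / sizeof secrets[0]) { out->status = -ERANGE; return -1; }
    out->status = 0;
    out->value = secrets[r->key] & 0xFF;
    return 0;
}

/* Read or write exactly n bytes; returns -1 on EOF or unrecoverable error. */
static int io_full(int fd, void *buf, size_t n, int writing) {
    char *p = buf;
    while (n > 0) {
        ssize_t k = writing ? write(fd, p, n) : read(fd, p, n);
        if (k < 0 && errno == EINTR) continue;
        if (k <= 0) return -1;
        p += k; n -= (size_t)k;
    }
    return 0;
}

/* Broker main loop: serve fixed-size requests until the worker closes its end. */
static void broker_loop(int fd) {
    struct req r; struct resp p;
    while (io_full(fd, &r, sizeof r, 0) == 0) {
        broker_handle(&r, &p);
        if (io_full(fd, &p, sizeof p, 1) < 0) break;
    }
}

/* Run one request across the process boundary. The calling process plays the
 * worker so the result is observable; the broker is forked as a child. A real
 * deployment would start privileged, fork the worker, and drop privileges
 * (setuid/chroot/seccomp) in the worker before it touches untrusted input. */
int privsep_roundtrip(uint32_t op, uint32_t key, uint32_t *value) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -errno;
    pid_t pid = fork();
    if (pid < 0) { close(sv[0]); close(sv[1]); return -errno; }
    if (pid == 0) {                 /* broker compartment */
        close(sv[1]);
        broker_loop(sv[0]);
        _exit(0);
    }
    close(sv[0]);                   /* worker compartment */
    struct req r = { op, key };
    struct resp p = { -EIO, 0 };
    if (io_full(sv[1], &r, sizeof r, 1) < 0 || io_full(sv[1], &p, sizeof p, 0) < 0)
        p.status = -EIO;
    close(sv[1]);
    waitpid(pid, NULL, 0);
    if (value) *value = p.value;
    return p.status;
}

int main(void) {
    uint32_t v = 0;
    int s = privsep_roundtrip(OP_LOOKUP, 1, &v);
    printf("lookup key 1: status=%d value=0x%x\n", s, v);
    s = privsep_roundtrip(OP_DUMP, 0, &v);
    printf("dump request: status=%d (denied, -EPERM=%d)\n", s, -EPERM);
    return 0;
}
```

The point of the example is the shape of the boundary: the worker never sees the table, the message format is fixed-size so the broker's parsing surface is trivial, and every policy decision (which ops exist, which keys are in range, what is disclosed) lives on the trusted side. Pitchfork's transformation and libcompart's runtime exist precisely so that this fork/socketpair/marshalling scaffolding does not have to be hand-written and maintained for every compartment boundary in a real code base.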
Compartmentalized software presents unique debugging challenges because of the tension between usability, debuggability, security, and the distribution of compartments across processes or machines. Compartment-aware debugging has been explored in two projects: a paper by Henry Zhu at APDCM 2020, and a follow-up poster at ACSAC 2020 by Junyong Zhao, to which Henry Zhu contributed.
Presented at APDCM 2020: Paper | Video
Follow-up work presented at ACSAC 2020: Video | Poster
Systems we use daily make limited use of compartmentalization because of the engineering difficulty of the compartmentalization process. We wanted to produce a state-of-the-art, fine-grained compartmentalization of cURL, a long-standing and very widely-used third-party system, without compromising its performance, usability, or security. This was explored in Stephen Carrasquillo's project, assisted in part by Junyong Zhao and Henry Zhu.
Presented at ACSAC 2020: Video | Poster
DARPA GAPS CLOSURE
This project also contributed to the CLOSURE system for developing and running more secure software.
Saket prototyped a custom low-overhead RPC generator: Saket's Demo
Andrew Zhao extended Saket's work to prototype performance optimizations: Andrew's Demo
This work drove the idea described in our "IPC Evolution" paper below.
Presented at DAI-SNAC 2021:
C-Saw is an approach to expressing a program's architecture in a new embedded domain-specific language (EDSL) designed for that purpose. It decouples application-specific logic from architecture, making the architectural details of software easier to identify. C-Saw leverages three ideas: (i) a new, formally-specified EDSL that separates an application's architecture description from its implementation language; (ii) reducing architecture implementation to the definition and management of distributed key-value tables; and (iii) an expressive state-management abstraction for distributed applications.
To be presented at APDCM 2023: Paper | Code | Eval | Tech. Rep.