Application-Defined Decentralized Access Control

Yuanzhong Xu, Alan M. Dunn, Owen S. Hofmann*, Michael Z. Lee, Syed Akbar Mehdi, Emmett Witchel
The University of Texas at Austin; *Google, Inc.

Abstract

DCAC is a practical OS-level access control system that supports application-defined principals. It allows normal users to perform administrative operations within their privilege, enabling isolation and privilege separation for applications. It does not require centralized policy specification or management, giving applications freedom to manage their principals while the policies are still enforced by the OS. DCAC uses hierarchically-named attributes as a generic framework for user-defined policies such as groups defined by normal users. For both local and networked file systems, its execution time overhead is between 0%–9% on file system microbenchmarks, and under 1% on applications.

This paper shows the design and implementation of DCAC, as well as several real-world use cases, including sandboxing applications, enforcing server applications' security policies, supporting NFS, and authenticating user-defined sub-principals in SSH, all with minimal code changes.

1. Introduction

Continued high-profile computer security failures and data breaches demonstrate that computer security for applications is abysmal. While there is extensive research into novel security and access control models, little of this work has an impact on practice. Instead of applications consistently reimplementing security vulnerabilities, they need a practical and expressive way to use thoroughly debugged system-level primitives to achieve best security practices.

DCAC (DeCentralized Access Control) is our attempt to make modern security mechanisms practical for access control. It has three distinguishing characteristics: it is decentralized in privilege, decentralized in policy specification, and allows application-defined principals and synchronization requirements.
Although DCAC greatly increases the flexibility of access control, it retains a familiar model of operation, with per-process metadata checked against per-object ACLs to determine the allowed access. It relies on the standard OS infrastructure of a hierarchical file namespace, extended file attributes, and file descriptors. It is practical for distributed environments because it avoids requiring centralized storage, consistency, or management.

* Work completed while at the University of Texas at Austin.

Decentralized privilege. In Linux and Windows, users and groups are principals, and can be assigned privileges. A user might consider creating another user (a "sub-principal") and assigning it a subset of her privileges. This allows an application to run as the sub-principal, and thus with restricted privileges compared to the case where the user directly runs the application. However, on Linux and Windows, administrative functions on users and groups require root privilege. As a result, current OS-level access control does not allow many applications to run with least privilege.

DCAC decentralizes administrator privilege: a normal user can perform administrative operations within her privilege, like creating principals with subsets of her privilege. Privilege separation makes complex applications more difficult to exploit. But current systems require administrative involvement to install and deploy privilege-separated software. For example, the suEXEC feature of Apache HTTP Server allows it to run CGI and SSI programs under UIDs different from the UID of the calling web server, by using setuid binaries. However, creating UIDs for CGI/SSI programs and setting up the setuid binaries requires administrator privilege. Not only can use of administrative privilege require human involvement, it also adds opportunities for configuration mistakes that can actually harm security.
The suEXEC documentation¹ warns the user, "if suEXEC is improperly configured, it can cause any number of problems and possibly create new holes in your computer's security. If you aren't familiar with managing setuid root programs and the security issues they present, we highly recommend that you not consider using suEXEC." By contrast, DCAC allows forms of privilege separation, like delegating user privileges to sub-principals, that even in the case of a configuration mistake, limit the effect of a compromise to the privileges of the original user.

Decentralized policy specification. OS-level access control typically defines its principals and policies in a centralized, secure location, such as the /etc/group file, the policy.conf file in SELinux, or a central policy server (e.g., a Lightweight Directory Access Protocol (LDAP) server). DCAC decentralizes policy specification: policies are stored in files and file metadata at arbitrary locations. DCAC generalizes the setuid mechanism of Unix, allowing processes to use the file system

¹ http://httpd.apache.org/docs/2.4/suexec.html
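The two properties introduced above, a normal user minting sub-principals with a subset of her privilege and per-object ACLs stored in file metadata, can be modelled in a few lines. This is an added illustration, not the paper's or DCAC's code; the dot-separated attribute names, the rule that holding an attribute lets a process create only attributes below it, and the ACL-as-attribute-set semantics are assumptions made for the model, since this page does not spell out the attribute syntax.

```python
"""Toy model of DCAC-style access control with hierarchically-named attributes.

Added example, not the paper's code. Assumptions not in the page's text:
attributes are dot-separated names; a process holding an attribute may create
a sub-principal holding any attribute below it, without root; an object's ACL
is a set of attributes in its metadata, and access is granted when the process
holds an ACL entry or an ancestor of it.
"""
from dataclasses import dataclass

@dataclass
class Process:
    attrs: frozenset  # per-process metadata: the attributes it holds

def is_descendant(child: str, parent: str) -> bool:
    """True when `child` is `parent` itself or lies below it in the hierarchy."""
    return child == parent or child.startswith(parent + ".")

def spawn_subprincipal(proc: Process, new_attr: str) -> Process:
    """Create a sub-principal holding only `new_attr`.

    Allowed only if the caller holds an ancestor of `new_attr`: a user can carve
    out a subset of her own privilege but never mint privilege she lacks.
    """
    if not any(is_descendant(new_attr, held) for held in proc.attrs):
        raise PermissionError(f"{new_attr!r} is outside the caller's privilege")
    return Process(frozenset({new_attr}))

def check_access(proc: Process, acl: frozenset) -> bool:
    """Per-object ACL (attributes in file metadata) vs. per-process attributes."""
    return any(is_descendant(entry, held) for entry in acl for held in proc.attrs)

def demo() -> dict:
    """Alice, an ordinary user, confines a browser to a sub-principal she minted."""
    alice = Process(frozenset({".u.alice"}))
    browser = spawn_subprincipal(alice, ".u.alice.browser")  # no root involved
    private_acl = frozenset({".u.alice"})                     # alice's own files
    shared_acl = frozenset({".u.alice.browser", ".u.bob"})    # a group alice defined
    try:  # the sub-principal cannot widen its privilege beyond its subtree
        spawn_subprincipal(browser, ".u.bob")
        widened = True
    except PermissionError:
        widened = False
    return {
        "alice_reads_private": check_access(alice, private_acl),      # True
        "browser_reads_private": check_access(browser, private_acl),  # False
        "browser_reads_shared": check_access(browser, shared_acl),    # True
        "browser_widened_privilege": widened,                         # False
    }
```

Even if alice misconfigures the browser's ACLs, the sub-principal's reach stays bounded by `.u.alice`, which is the containment property the text contrasts with setuid-root mechanisms such as suEXEC.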