Abstract

Abstract: The Principle of Least Privilege suggests that software should be executed with no more authority than it requires to accomplish its task. Current security tools make it difficult to apply this principle: they either require significant modifications to applications or do not facilitate reasoning about combining untrustworthy components. We propose Shill, a secure shell scripting language. Shill scripts enable compositional reasoning about security through declarative security policies that limit the effects of script execution, including the effects of programs invoked by the script. These security policies are a form of documentation for consumers of Shill scripts, and are enforced by the Shill execution environment. We have implemented a prototype of Shill for FreeBSD. Our evaluation indicates that Shill is a practical and useful system security tool, and can provide fine-grained security guarantees.

Bio: Scott Moore is a PhD student in the Programming Languages group at Harvard University. Currently, he is working with Stephen Chong on improving the security of commodity operating systems. In general, he is interested in programming language techniques and formal methods that help programmers write safe, correct, and understandable software.