Transforming Code to Drop Dead Privileges

2018 IEEE Cybersecurity Development (SecDev), 2018

Cited by 3

Abstract
To help programmers write programs that follow Saltzer and Schroeder's Principle of Least Privilege, modern operating systems divide the power of the administrative user into separate privileges that applications can enable on demand and permanently discard when they are no longer needed. However, using such privileges correctly requires tedious temporal reasoning about program behavior: the programmer must work out, for each point in the program, which privileges are still needed later. This paper describes a compiler, named AutoPriv, that helps programmers use privileges more easily. AutoPriv uses whole-program analysis during link-time optimization to determine where programs use privileges; it then transforms programs to remove unnecessary privileges during their execution. We tested AutoPriv on several privileged open-source programs that typically run as root. Our results show that AutoPriv increases optimization time by 19% on average, but that transformed programs exhibit practically no run-time overhead.
Keywords
Linux capabilities, program analysis, computer security, privilege escalation