Protecting User Files by Reducing Application Access

Traditional discretionary access control mechanisms do not differentiate between a user’s running applications–hence they provide no means of preventing one application from exploiting another’s data. Commercial mandatory access control mechanisms such as SELinux and AppArmor aim to protect system files, but do little to prevent similar misuse of user data. This paper presents the PinUP access control overlay. PinUP extends filesystem protections to explicitly identify the set of applications that may access each user’s sensitive files. This reflects users’ intuition about access: that files should only be accessed by the applications that own them. This approach reduces the often esoteric task of access control policy specification to a significantly simpler declaration of the relationship between sensitive user files and applications. In so doing, we reduce the significant gap between existing access control and least privilege frequently exploited by malware such as viruses, worms, and spyware. We describe our model, architecture, and Linux implementation, evaluate run-time costs, and detail use-cases illustrating the power and utility of the augmented policy. Our performance experiments show that all costs are nominal, with a maximum observed delay of 40 milliseconds occurring at application startup and a few tens of microseconds at each access check. In this, we provide an efficient and intuitive means of pushing access controls provided to users ever closer to the ideal of least privilege.