TY - GEN
T1 - Shill
T2 - 11th USENIX Symposium on Operating Systems Design and Implementation, OSDI 2014
AU - Moore, Scott
AU - Dimoulas, Christos
AU - King, Dan
AU - Chong, Stephen
N1 - Funding Information:
We thank Dan Bradley for his contributions to an early version of this work, and Jennifer Kirk for her help with statistical analysis. We are grateful to Leif Andersen, Vincent St-Amour, and Matthias Felleisen for their help profiling SHILL code. We thank Eddie Kohler, the Programming Languages Group at Harvard, and the reviewers for their helpful comments. Many thanks to Frans Kaashoek for his thoughtful shepherding. This research is supported by the Air Force Research Laboratory.
Publisher Copyright:
© 2014 by The USENIX Association. All Rights Reserved.
PY - 2014/1/1
Y1 - 2014/1/1
N2 - The Principle of Least Privilege suggests that software should be executed with no more authority than it requires to accomplish its task. Current security tools make it difficult to apply this principle: they either require significant modifications to applications or do not facilitate reasoning about combining untrustworthy components. We propose SHILL, a secure shell scripting language. SHILL scripts enable compositional reasoning about security through contracts that limit the effects of script execution, including the effects of programs invoked by the script. SHILL contracts are declarative security policies that act as documentation for consumers of SHILL scripts, and are enforced through a combination of language design and sandboxing. We have implemented a prototype of SHILL for FreeBSD and used it for several case studies including a grading script and a script to download, compile, and install software. Our experience indicates that SHILL is a practical and useful system security tool, and can provide fine-grained security guarantees.
UR - http://www.scopus.com/inward/record.url?scp=85012280948&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85012280948&partnerID=8YFLogxK
M3 - Conference contribution
AN - SCOPUS:85012280948
T3 - Proceedings of the 11th USENIX Symposium on Operating Systems Design and Implementation, OSDI 2014
SP - 183
EP - 199
BT - Proceedings of the 11th USENIX Symposium on Operating Systems Design and Implementation, OSDI 2014
PB - USENIX Association
Y2 - 6 October 2014 through 8 October 2014
ER -