Void Processes: Minimising privilege by default

This is an idea proposed in 2021 as a Cambridge Computer Science Part III or MPhil project, and has been completed by Jake Hillion. It was supervised by Anil Madhavapeddy as part of my Information Flow for Trusted Execution project.

Summary

The Part III project has two primary goals: to reliably remove all privilege from a process, and then to systematically add back only what the application requires, and no more.

Building void processes therefore starts by revoking privilege and ends by re-granting it selectively. The project uses Linux namespaces to strip privilege from an application, showing how this can be done and why it is easier in some domains than in others. It then shows how to inject just enough privilege for applications to perform useful work, developing new APIs that are friendly to privilege separation. These elements compose a shim called the "void orchestrator", a framework for restricting Linux processes.
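The following C program is a constructed illustration of those two halves, added for this page; it is not code from the void orchestrator or from the project write-up. It clones a child into fresh user, mount, pid, network, IPC and UTS namespaces, empties the child's filesystem (an empty tmpfs pivoted over the root) and its descriptor table, and then hands back exactly one capability: the write end of a pipe, over which the child reports what it can still see. It assumes a Linux kernel with unprivileged user namespaces enabled and a writable /tmp to cover; the names `struct probe`, `void_child`, `run_void_probe` and `void_holds`, and the numeric step codes, are mine.

```c
/* Added illustration for this page, not the void orchestrator's own code. Assumes
 * Linux with unprivileged user namespaces enabled and a writable /tmp. Clones a
 * child into fresh user/mount/pid/net/ipc/uts namespaces, empties its filesystem
 * and fd table, then lets it report over the one pipe end we deliberately kept. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <net/if.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#ifndef __USE_GNU /* system headers were already seen without _GNU_SOURCE */
int clone(int (*fn)(void *), void *stack, int flags, void *arg, ...);
#define CLONE_NEWNS 0x00020000
#define CLONE_NEWUTS 0x04000000
#define CLONE_NEWIPC 0x08000000
#define CLONE_NEWUSER 0x10000000
#define CLONE_NEWPID 0x20000000
#define CLONE_NEWNET 0x40000000
#endif
#define VOID_FLAGS (CLONE_NEWUSER|CLONE_NEWNS|CLONE_NEWPID|CLONE_NEWNET|CLONE_NEWIPC|CLONE_NEWUTS)
/* What the voided child can still see; expected 1 (init of its own pid
 * namespace), 1 (a down loopback only), 0 (empty tmpfs root, host fs gone). */
struct probe { int pid, ifaces, root_entries; };
struct child_args { int report_fd; uid_t uid; gid_t gid; };
static _Alignas(16) char child_stack[256 * 1024];

static int write_file(const char *path, const char *s)
{
    int fd = open(path, O_WRONLY);
    ssize_t n = fd < 0 ? -1 : write(fd, s, strlen(s));
    if (fd >= 0) close(fd);
    return n == (ssize_t)strlen(s) ? 0 : -1;
}

/* Runs as pid 1 of the new namespaces; a nonzero return names the failed step. */
static int void_child(void *p)
{
    struct child_args *a = p;
    struct dirent *e;
    int fd;
    char buf[64];
    /* Map our parent-namespace ids to 0 here; lacking CAP_SETUID/CAP_SETGID out
     * there we may only write single-line maps of our own ids, gid last. */
    snprintf(buf, sizeof buf, "0 %u 1", (unsigned)a->uid);
    if (write_file("/proc/self/uid_map", buf)) return 10;
    if (write_file("/proc/self/setgroups", "deny")) return 11;
    snprintf(buf, sizeof buf, "0 %u 1", (unsigned)a->gid);
    if (write_file("/proc/self/gid_map", buf)) return 12;
    /* Close every inherited descriptor except the one capability we keep. */
    DIR *fds = opendir("/proc/self/fd");
    if (!fds) return 13;
    while ((e = readdir(fds)))
        if (e->d_name[0] != '.' && (fd = atoi(e->d_name)) != dirfd(fds) && fd != a->report_fd)
            close(fd);
    closedir(fds);
    /* Stop mount propagation, cover /tmp with an empty tmpfs and pivot into it
     * using the pivot_root(".", ".") sequence documented in pivot_root(2). */
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) return 20;
    if (mount("none", "/tmp", "tmpfs", MS_NOSUID | MS_NODEV, "size=64k")) return 21;
    if (chdir("/tmp") || syscall(SYS_pivot_root, ".", ".")) return 22;
    if (umount2(".", MNT_DETACH) || chdir("/")) return 23;
    /* Probe what is left and report over the single channel we were given. */
    struct probe pr = { (int)getpid(), 0, 0 };
    struct if_nameindex *ifs = if_nameindex();
    for (struct if_nameindex *i = ifs; i && i->if_index; i++) pr.ifaces++;
    if (ifs) if_freenameindex(ifs);
    DIR *root = opendir("/");
    while (root && (e = readdir(root)))
        if (strcmp(e->d_name, ".") && strcmp(e->d_name, "..")) pr.root_entries++;
    if (root) closedir(root);
    return write(a->report_fd, &pr, sizeof pr) == (ssize_t)sizeof pr ? 0 : 30;
}

/* Returns 0 with *out filled, -errno if clone() was refused (user namespaces
 * disabled or seccomp-filtered), or the child's failed step number. */
static int run_void_probe(struct probe *out)
{
    int pfd[2], st = 0, rc;
    if (pipe(pfd)) return -errno;
    struct child_args a = { pfd[1], getuid(), getgid() };
    pid_t pid = clone(void_child, child_stack + sizeof child_stack, VOID_FLAGS | SIGCHLD, &a);
    rc = pid < 0 ? -errno : 0;
    close(pfd[1]);
    if (pid > 0) {
        ssize_t n = read(pfd[0], out, sizeof *out); /* the only way out of the void */
        waitpid(pid, &st, 0);
        rc = !WIFEXITED(st) ? 99 : WEXITSTATUS(st) ? WEXITSTATUS(st) : n != (ssize_t)sizeof *out ? 98 : 0;
    }
    close(pfd[0]);
    return rc;
}

int void_holds(void) /* 1: the void held; 0: host state leaked in; -1: no void possible here */
{
    struct probe pr;
    if (run_void_probe(&pr)) return -1;
    return pr.pid == 1 && pr.ifaces == 1 && pr.root_entries == 0;
}

int main(void) { printf("void_holds() = %d\n", void_holds()); return 0; }
```

Two things worth noticing. First, the mount and pivot_root calls succeed for an unprivileged user only because CLONE_NEWUSER grants the child CAP_SYS_ADMIN inside its own namespaces; that is what makes the mount and network domains easy to void, whereas the descriptor table has to be walked and closed by hand. Second, namespaces do not shrink the system-call surface itself: a process in this void can still issue any syscall the kernel exposes, so a syscall filter such as seccomp is a separate, complementary step.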
