Improving Host Security with System Call Policies
- In Proceedings of the 12th Usenix Security Symposium, 2002
Abstract - Cited by 217 (0 self)
We introduce a system that eliminates the need to run programs in privileged process contexts. Using our system, programs run unprivileged but may execute certain operations with elevated privileges as determined by a configurable policy eliminating the need for suid or sgid binaries. We present the design and analysis of the "Systrace" facility which supports fine grained process confinement, intrusion detection, auditing and privilege elevation. It also facilitates the often difficult process of policy generation. With Systrace, it is possible to generate policies automatically in a training session or generate them interactively during program execution. The policies describe the desired behavior of services or user applications on a system call level and are enforced to prevent operations that are not explicitly permitted. We show that Systrace is efficient and does not impose significant performance penalties.
A Security Model for Distributed Computing
- The Journal of Computing in Small Colleges, 2001
Abstract - Cited by 2 (1 self)
This paper presents a multi-tier model for secure computing as a teaching method platform. The security model is based on establishing the trustworthiness and role of each component in a distributed computing environment: trusted users, trusted servers, trusted administrators, untrusted client, untrusted communication media and intermediate systems, etc. The model provides a basis for teaching and for program system design. The security dimensions (both social and technical) can be considered in computer science curriculum in general. The model as a teaching method was experimented in some senior student software projects.

