PinUP

Today's access control mechanisms were designed back in the days of massively shared mainframes when the primary threat to files was other users. The model of computing has changed drastically over the years. We no longer share computing resources; rather, everyone has their own autonomous system (possibly multiple). The primary threat is no longer other users; it is other applications. Every application a user runs has full access (read, write, delete) to all of that user's files. Worse yet, commodity operating systems provide no mechanism for users to reduce file access based on applications.

PinUP Approach

The goal of PinUP is to pin files to specific applications in order to limit access to a file to only those trusted applications known to use it. In a way, PinUP provides a reverse sandbox. Traditional sandbox policy defines the files and resources that an application may access. In PinUP, the policy defines the applications that may access a file. This important distinction provides much greater protection in today's systems, where unknown applications are installed without user consent.

The PinUP model not only provides better file protection, it also simplifies the way policy is defined and analyzed. Users desire high-level policies such as, "Only Quicken should access .qdf files." Implementing this policy in PinUP is straightforward; every .qdf file simply needs to have Quicken in its application access list. Furthermore, making this association is natural, as users already know which applications open their files. Finally, if a user were to ask, "What applications have access to personal.qdf?", the answer is easily derived from the file metadata.

We have implemented the PinUP mechanism as a Linux Security Module (LSM). As such, PinUP acts as an access control overlay: only after existing user-based access is mediated will the application-based policy be considered. We have also implemented a userspace library and a number of command line policy tools. For example, pinmod provides the PinUP analogue of chmod on UNIX platforms. Finally, while our implementation successfully enforces PinUP policy, many challenges remain. In many cases, policy definition can be automated. Understanding how application workflows can simplify day-to-day tasks is a focus of current investigations.
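The two-stage mediation described above (conventional user-based check first, then the per-file application access list), as an added illustrative model that is not part of the PinUP code base; the in-memory file table, the pin_by_extension helper, the simplified owner/other permission bits, and the application names are all assumptions of this example.

```python
from dataclasses import dataclass, field

R, W = 4, 2  # permission bits within a UNIX rwx triplet

@dataclass
class FileEntry:
    """Constructed stand-in for an inode plus its PinUP metadata."""
    owner: str
    mode: int                                # UNIX mode bits, e.g. 0o600
    pins: set = field(default_factory=set)   # application access list ("pins")

def dac_allows(entry, user, op):
    """Stage 1: user-based check. Owner bits for the owner, 'other' bits
    for everyone else (assumption: group permissions are not modelled)."""
    bits = (entry.mode >> 6) & 7 if user == entry.owner else entry.mode & 7
    return bool(bits & op)

def pinup_allows(entry, app):
    """Stage 2: PinUP overlay. An unpinned file (empty list) is open to any
    application; a pinned file admits only the applications listed."""
    return not entry.pins or app in entry.pins

def access(fs, path, user, app, op):
    """Mediate like the LSM overlay: the application policy is consulted
    only after the user-based check has already succeeded."""
    entry = fs[path]
    return dac_allows(entry, user, op) and pinup_allows(entry, app)

def pinmod(fs, path, add=(), remove=()):
    """Analogue of the pinmod tool: edit one file's application access list."""
    fs[path].pins |= set(add)
    fs[path].pins -= set(remove)

def pin_by_extension(fs, ext, app):
    """High-level policy 'only <app> should access <ext> files', expressed as
    a pin on every matching file (hypothetical helper, not a PinUP tool)."""
    for path in fs:
        if path.endswith(ext):
            pinmod(fs, path, add=[app])

def who_can_access(fs, path):
    """Answer 'what applications have access to this file?' from metadata."""
    pins = fs[path].pins
    return sorted(pins) if pins else ["<any application>"]

def build_demo_fs():
    # Constructed sample: two Quicken data files and an unrelated document,
    # all private to user alice (mode 0o600).
    fs = {p: FileEntry("alice", 0o600)
          for p in ("personal.qdf", "business.qdf", "notes.txt")}
    pin_by_extension(fs, ".qdf", "quicken")
    return fs
```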

Source Code

PinUP Kernel Module

PinUP Userspace Tools

Note: The most recent version of PinUP has undergone significant refactoring. If interested, please email William Enck for a current snapshot.

Related Publications

William Enck, Patrick McDaniel, and Trent Jaeger. PinUP: Pinning User Files to Known Applications. Proceedings of the 24th Annual Computer Security Applications Conference (ACSAC), December 2008. Anaheim, CA.

William Enck, Sandra Rueda, Yogesh Sreenivasan, Joshua Schiffman, Luke St. Clair, Trent Jaeger, and Patrick McDaniel. Protecting Users from "Themselves". Proceedings of the 1st ACM Computer Security Architectures Workshop, November 2007.