Pyronia: Redesigning Least Privilege and Isolation for the Age of IoT
Third-party modules play a critical role in IoT applications, which generate and analyze highly privacy-sensitive data. Unlike traditional desktop and server settings, IoT devices are mostly single-purpose running a dedicated, single application. As a result, vulnerabilities in third-party libraries within a process pose a much bigger threat than on traditional platforms. Yet the only practical data protection mechanisms available today for IoT developers are ad-hoc tools that are not designed to prevent data leaks from malicious or vulnerable third-party code imported into an application. We present Pyronia, a privilege separation system for IoT applications written in high-level languages. Pyronia exploits developers' coarse-grained expectations about how imported third-party code operates to restrict access to files and devices, specific network destinations, and even in-memory data objects, at the level of individual library functions. To efficiently protect data as it flows through the application, Pyronia combines three access control techniques: system call interposition, call stack inspection, and memory protection domains. This design obviates the need for prior unintuitive or error-prone data flow analysis or application re-architecting, while enforcing the developer's access policy at run time. Our Pyronia prototype implementation for Python runs on a custom Linux kernel, and incurs low performance overhead on completely unmodified Python applications.
READ FULL TEXT