Privilege Separation

Separate the application into two parts.

Benefits:
- Most code runs in an unprivileged context.
- If an adversary compromises the unprivileged child, she does not gain extra privileges.
- Privileges are obtained only via a small, well-defined interface to the parent.
- The privileged code base is small -> easier to audit!

Unprivileged Child:
- Accepts and processes all network traffic.
- Negotiates parameters, etc.

Privileged Parent:
- Very small part of the application that executes privileged requests on behalf of the child.
- All requests for privileges are checked for validity.
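The following skeleton shows the two-process pattern described above in working C. It is an added example, not code from the original slides or from any particular privilege-separated daemon: the parent forks an unprivileged child, the two talk over a socketpair, and the parent executes only a fixed, validated set of request types (the request types, the configured port list and the "read host key" stand-in are all constructed here). The privileged operations are simulated so the program runs as an ordinary user; when run as root the child really does drop to `nobody` (falling back to uid/gid 65534 if that account is missing).

```c
/* Privilege separation skeleton (added example; request types and the
 * simulated privileged operations are constructed for the demo). */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

enum req_type { REQ_BIND_PORT = 1, REQ_READ_HOSTKEY = 2 };
struct request  { int type; int arg;   };
struct response { int ok;   int value; };

/* The parent's policy: the single decision point that the child cannot bypass.
 * Everything not explicitly allowed is rejected. */
int validate_request(const struct request *r) {
    switch (r->type) {
    case REQ_BIND_PORT:     return r->arg == 22 || r->arg == 2222; /* configured ports only */
    case REQ_READ_HOSTKEY:  return r->arg >= 0 && r->arg < 2;      /* bounded key slot */
    default:                return 0;                              /* unknown type: deny */
    }
}

/* Parent side: validate, then perform (here: simulate) the privileged action. */
static void handle_request(const struct request *r, struct response *out) {
    memset(out, 0, sizeof *out);
    if (!validate_request(r)) { out->value = EACCES; return; }
    switch (r->type) {
    case REQ_BIND_PORT:    out->ok = 1; out->value = r->arg;          break; /* real code: bind(), pass fd via SCM_RIGHTS */
    case REQ_READ_HOSTKEY: out->ok = 1; out->value = 0x1234 + r->arg; break; /* constructed stand-in for key data */
    default:               out->value = EINVAL;                       break;
    }
}

/* Child side: give up root irrevocably. No-op when not started as root. */
static int drop_privileges(void) {
    if (geteuid() != 0) return 0;
    struct passwd *pw = getpwnam("nobody");
    uid_t uid = pw ? pw->pw_uid : 65534;   /* constructed fallback if 'nobody' is absent */
    gid_t gid = pw ? pw->pw_gid : 65534;
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0) return -1;
    return setuid(0) == 0 ? -1 : 0;        /* the drop must not be reversible */
}

/* Runs the whole exchange; returns how many requests the parent granted,
 * or -1 on protocol error / disagreement between the two sides. */
int run_privsep_demo(void) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                         /* ---- unprivileged child ---- */
        close(sv[0]);
        if (drop_privileges() != 0) _exit(100);
        struct request reqs[] = { {REQ_BIND_PORT, 22}, {REQ_BIND_PORT, 80},
                                  {REQ_READ_HOSTKEY, 1}, {99, 0} };
        int granted = 0;
        for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++) {
            struct response resp;
            if (write(sv[1], &reqs[i], sizeof reqs[i]) != (ssize_t)sizeof reqs[i]) _exit(101);
            if (read(sv[1], &resp, sizeof resp) != (ssize_t)sizeof resp) _exit(101);
            granted += resp.ok;
        }
        close(sv[1]);
        _exit(granted);                     /* report what the child believes it got */
    }
    close(sv[1]);                           /* ---- privileged parent ---- */
    int accepted = 0;
    for (;;) {
        struct request r; struct response resp;
        ssize_t n = read(sv[0], &r, sizeof r);
        if (n == 0) break;                  /* child closed its end */
        if (n != (ssize_t)sizeof r) { accepted = -1; break; }   /* malformed: abort, never guess */
        handle_request(&r, &resp);
        accepted += resp.ok;
        if (write(sv[0], &resp, sizeof resp) != (ssize_t)sizeof resp) { accepted = -1; break; }
    }
    close(sv[0]);
    int status = 0;
    waitpid(pid, &status, 0);
    if (!WIFEXITED(status) || WEXITSTATUS(status) != accepted) return -1;
    return accepted;
}

int main(void) {
    printf("requests granted by privileged parent: %d\n", run_privsep_demo());
    return 0;
}
```

Of the four requests the child sends, only the bind to a configured port and the in-range host key read are granted; the bind to port 80 and the unknown request type are refused with an error code and nothing else happens. The point of the design is visible in the code size: `validate_request` and `handle_request` are the entire privileged attack surface, while all parsing of untrusted input would live in the child.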