|dc.description.abstract||New operating systems, such as the Capsicum capability system, allow a programmer to write an application that satisfies strong security properties by invoking security- specific system calls at a few key points in the program. However, rewriting an application to invoke such system calls correctly is an error-prone process: even the Capsicum developers have reported difficulties in rewriting programs to correctly invoke system calls.
This paper describes capweave, a tool that takes as input (i) an LLVM program, and (ii) declarative specifications of the possibly-changing capabilities that a program must hold during its execution, and rewrites the program to use Capsicum system calls to enforce the policies. Our experiments demonstrate that capweave can be applied to rewrite security-critical UNIX utilities to satisfy practical security properties. capweave itself works quickly, and the amount of runtime overhead incurred in the programs that capweave produces is generally low for practical workloads.||en