The consequences of security breaches due to system administrator errors can be
catastrophic. Software systems in general, and OSes in particular, ultimately
depend on a fully trusted administrator who is granted superuser privileges
that allow them to fully control the system. Consequently, an administrator
acting negligently or unethically can easily compromise user data in
irreversible ways by leaking, modifying, or deleting data. In this paper we
propose a new set of guiding principles for OS design that we call the broker
security model. Our model aims to increase OS security without hindering
manageability. This is achieved by a two-step process that (1) restricts
administrator privileges to preclude inspection and modification of user data,
and (2) allows for management tasks that are mediated by a layer of trusted
programs—brokers—interposed between the management interface and
system objects. We demonstrate the viability of this approach by building
BrokULOS, a Linux-based OS that suppresses superuser privileges and exposes a
narrow management interface consisting of a set of tailor-made brokers. Our
evaluation shows that our modifications to Linux add negligible overhead to
applications while preserving system manageability.