Scripting with Least Privilege

The Principle of Least Privilege says that software shouldn't be executed with more authority than it needs to get its job done. Unfortunately, following this principle is hard; most operating systems are configured so that the scripts and programs you run can do anything you can.

Shill is a shell scripting language designed to make it easy to follow the Principle of Least Privilege. Shill uses capabilities to control what access scripts have to your system. Every Shill script comes with a contract that describes what it can do, so users can run third-party scripts with confidence. Using capability-based sandboxes, Shill's security guarantees extend even to native executables launched by scripts.

Getting started

You can find installation instructions in the manual. You can find a number of example scripts in the Shill source distribution.

Shill runs on FreeBSD and is developed in Racket. You can check out the source from GitHub.

Learn More

Shill: A Secure Shell Scripting Language. Scott Moore, Christos Dimoulas, Dan King, and Stephen Chong. 11th USENIX Symposium on Operating Systems Design and Implementation (OSDI), October 2014. [BibTeX] [Video]

Coverage in ComputerWorld.

Get Involved

If you would like to work on Shill, please see our list of project ideas, or send us an email at


Shill is developed by Scott Moore, Christos Dimoulas, Dan King, and Stephen Chong. Email us at


This research is supported by the Air Force Research Laboratory.