research-article

Open access

SysXCHG: Refining Privilege with Adaptive System Call Filters

Authors:

Alexander J. Gaidis,

Vaggelis Atlidakis,

Vasileios P. KemerlisAuthors Info & Claims

CCS '23: Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security

Pages 1964 - 1978

https://doi.org/10.1145/3576915.3623137

Published: 21 November 2023 Publication History

Abstract

We present the design, implementation, and evaluation of SysXCHG: a system call (syscall) filtering enforcement mechanism that enables programs to run in accordance with the principle of least privilege. In contrast to the current, hierarchical design of seccomp-BPF, which does not allow a program to run with a different set of allowed syscalls than its descendants, SysXCHG enables applications to run with "tight" syscall filters, uninfluenced by any future-executed (sub-)programs, by allowing filters to be dynamically exchanged at runtime during execve[at]. As a part of SysXCHG, we also present xfilter: a mechanism for fast filtering using a process-specific view of the kernel's syscall table where filtering is performed. In our evaluation of SysXCHG, we found that our filter exchanging design is performant, incurring ≤= 1.71% slowdown on real-world programs in the PaSH benchmark suite, as well as effective, blocking vast amounts of extraneous functionality, including security-critical syscalls, which the current design of seccomp-BPF is unable to.

References

[1]

Martín Abadi, Mihai Budiu, Úlfar Erlingsson, and Jay Ligatti. 2005. Control-Flow Integrity. In ACM Conference on Computer and Communications Security (CCS). 340--353.

[2]

Ioannis Agadakos, Di Jin, David Williams-King, Vasileios P. Kemerlis, and Georgios Portokalidis. 2019. Nibbler: Debloating Binary Shared Libraries. In Annual Computer Security Applications Conference (ACSAC). 70--83.

Digital Library

[3]

Albert D. Alexandrov, Maximilian Ibel, Klaus E. Schauser, and Chris J. Scheiman. 1998. UFO: A Personal Global File System Based on User-Level Extensions to the Operating System. ACM Transactions on Computer Systems (TOCS), Vol. 16, 3 (1998), 207--233.

Digital Library

[4]

Paul-Antoine Arras, Anastasios Andronidis, Luís Pina, Karolis Mituzas, Qianyi Shu, Daniel Grumberg, and Cristian Cadar. 2022. SaBRe: load-time selective binary rewriting. International Journal on Software Tools for Technology Transfer (STTT), Vol. 24, 2 (2022), 205--223.

Digital Library

[5]

Adam Belay, Andrea Bittau, Ali Mashtizadeh, David Terei, David Mazières, and Christos Kozyrakis. 2012. Dune: Safe User-level Access to Privileged CPU Features. In USENIX Symposium on Operating Systems Design and Implementation (OSDI). 335--348.

[6]

Massimo Bernaschi, Emanuele Gabrielli, and Luigi V. Mancini. 2000. Operating System Enhancements to Prevent the Misuse of System Calls. In ACM Conference on Computer and Communications Security (CCS). 174--183.

[7]

James Bucek, Klaus-Dieter Lange, and Jóakim v. Kistowski. 2018. SPEC CPU2017: Next-generation Compute Benchmark. In ACM/SPEC International Conference on Performance Engineering (ICPE). 41--42.

Digital Library

[8]

Alexander Bulekov, Rasoul Jahanshahi, and Manuel Egele. 2021. Saphire: Sandboxing PHP Applications with Tailored System Call Allowlists. In USENIX Security Symposium (SEC). 2881--2898.

[9]

Claudio Canella, Jo Van Bulck, Michael Schwarz, Moritz Lipp, Benjamin Von Berg, Philipp Ortner, Frank Piessens, Dmitry Evtyushkin, and Daniel Gruss. 2019. A Systematic Evaluation of Transient Execution Attacks and Defenses. In USENIX Security Symposium (SEC). 249--266.

[10]

Claudio Canella, Mario Werner, Daniel Gruss, and Michael Schwarz. 2021. Automating Seccomp Filter Generation for Linux Applications. In ACM Cloud Computing Security Workshop (CCSW). 139--151.

[11]

Suresh N. Chari and Pau-Chen Cheng. 2003. BlueBoX: A Policy-Driven, Host-Based Intrusion Detection System. ACM Transactions on Information and System Security (TISSEC), Vol. 6, 2 (2003), 173--200.

Digital Library

[12]

Stephen Checkoway, Lucas Davi, Alexandra Dmitrienko, Ahmad-Reza Sadeghi, Hovav Shacham, and Marcel Winandy. 2010. Return-Oriented Programming without Returns. In ACM Conference on Computer and Communications Security (CCS). 559--572.

Digital Library

[13]

Microsoft Corporation. 2016. Seccomp security profiles for Docker. https://github.com/microsoft/docker/blob/master/docs/security/seccomp.md

[14]

The MITRE Corporation. 2014. CVE-2014-0039. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0038

[15]

The MITRE Corporation. 2017. CVE-2017-8824. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8824

[16]

The MITRE Corporation. 2021. CVE-2021--44229. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

[17]

Crispan Cowan, Calton Pu, Dave Maier, Jonathan Walpole, Peat Bakke, Steve Beattie, Aaron Grier, Perry Wagle, Qian Zhang, and Heather Hinton. 1998. StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks. In USENIX Security Symposium (SEC), Vol. 98. 63--78.

[18]

Nicholas DeMarinis, Kent Williams-King, Di Jin, Rodrigo Fonseca, and Vasileios P. Kemerlis. 2020. sysfilter: Automated System Call Filtering for Commodity Software. In International Symposium on Research in Attacks, Intrusions and Defenses (RAID). 459--474.

[19]

Solar Designer. 1997. Getting around non-executable stack (and fix). https://seclists.org/bugtraq/1997/Aug/63.

[20]

Daniel C. DuVarney, V. N. Venkatakrishnan, and Sandeep Bhatkar. 2003. SELF: A Transparent Security Extension for ELF Binaries. In ACM New Security Paradigms Workshop (NSPW). 29--38.

[21]

Catherine Easdon, Michael Schwarz, Martin Schwarzl, and Daniel Gruss. 2022. Rapid Prototyping for Microarchitectural Attacks. In USENIX Security Symposium (SEC). 3861--3877.

[22]

Stephanie Forrest, Anil Somayaji, and David H. Ackley. 1997. Building Diverse Computer Systems. In Workshop on Hot Topics in Operating Systems (HotOS). 67--72.

[23]

Timothy Fraser, Lee Badger, and Mark Feldman. 2000. Hardening COTS Software with Generic Software Wrappers. In IEEE DARPA Information Survivability Conference and Exposition (DISCEX), Vol. 2. 323--337.

[24]

Alexander J. Gaidis, Joao Moreira, Ke Sun, Alyssa Milburn, Vaggelis Atlidakis, and Vasileios P. Kemerlis. 2023. FineIBT: Fine-grain Control-flow Enforcement with Indirect Branch Tracking. In International Symposium on Research in Attacks, Intrusions and Defenses (RAID).

[25]

Tal Garfinkel. 2003. Traps and Pitfalls: Practical Problems in System Call Interposition Based Security Tools. In Network and Distributed System Security Symposium (NDSS).

[26]

Tal Garfinkel, Ben Pfaff, and Mendel Rosenblum. 2004. Ostia: A Delegating Architecture for Secure System Call Interposition. In Network and Distributed System Security Symposium (NDSS).

[27]

Seyedhamed Ghavamnia, Tapti Palit, Azzedine Benameur, and Michalis Polychronakis. 2020a. Confine: Automated System Call Policy Generation for Container Attack Surface Reduction. In International Symposium on Research in Attacks, Intrusions and Defenses (RAID). 443--458.

[28]

Seyedhamed Ghavamnia, Tapti Palit, Shachee Mishra, and Michalis Polychronakis. 2020b. Temporal System Call Specialization for Attack Surface Reduction. In USENIX Security Symposium (SEC). 1749--1766.

[29]

Seyedhamed Ghavamnia, Tapti Palit, and Michalis Polychronakis. 2022. C2C: Fine-Grained Configuration-Driven System Call Filtering. In ACM Conference on Computer and Communications Security (CCS). 1243--1257.

Digital Library

[30]

Douglas P. Ghormley, David Petrou, Steven H. Rodrigues, and Thomas E. Anderson. 1998. SLIC: An Extensibility System for Commodity Operating Systems. In USENIX Annual Technical Conference (ATC).

[31]

Adrien Ghosn, Marios Kogias, Mathias Payer, James R Larus, and Edouard Bugnion. 2021. Enclosure: Language-Based Restriction of Untrusted Libraries. In ACM International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS). 255--267.

[32]

Will Glozer. 2021. wrk - a HTTP benchmarking tool. https://github.com/wg/wrk.

[33]

Enes Göktas, Elias Athanasopoulos, Herbert Bos, and Georgios Portokalidis. 2014. Out Of Control: Overcoming Control-Flow Integrity. In IEEE Symposium on Security and Privacy (S&P). 575--589.

[34]

Ian Goldberg, David Wagner, Randi Thomas, and Eric A. Brewer. 1996. A Secure Environment for Untrusted Helper Applications Confining the Wily Hacker. In USENIX Security Symposium (SEC).

[35]

Ivan Gotovchits, Rijnard Van Tonder, and David Brumley. 2018. Saluki: Finding Taint-style Vulnerabilities with Static Property Checking. In Workshop on Binary Analysis Research (BAR).

[36]

Daniel Gruss, Raphael Spreitzer, and Stefan Mangard. 2015. Cache Template Attacks: Automating Attacks on Inclusive Last-level Caches. In USENIX Security Symposium (SEC). 897--912.

[37]

Philip J. Guo and Dawson Engler. 2011. CDE: Using System Call Interposition to Automatically Create Portable Software Packages. In USENIX Annual Technical Conference (ATC).

[38]

Steven A. Hofmeyr, Stephanie Forrest, and Anil Somayaji. 1998. Intrusion Detection Using Sequences of System Calls. Journal of Computer Security, Vol. 6, 3 (1998), 151--180.

Digital Library

[39]

Gerard J. Holzmann. 2015. Code Inflation. https://spinroot.com/gerard/pdf/Code_Inflation.pdf

[40]

Hong Hu, Shweta Shinde, Sendroiu Adrian, Zheng Leong Chua, Prateek Saxena, and Zhenkai Liang. 2016. Data-Oriented Programming: On the Expressiveness of Non-Control Data Attacks. In IEEE Symposium on Security and Privacy (S&P). 969--986.

[41]

Kyriakos K. Ispoglou, Bader AlBassam, Trent Jaeger, and Mathias Payer. 2018. Block Oriented Programming: Automating Data-Only Attacks. In ACM Conference on Computer and Communications Security (CCS). 1868--1882.

Digital Library

[42]

Kapil Jain and R. Sekar. 2000. User-Level Infrastructure for System Call Interposition: A Platform for Intrusion Detection and Confinement. In Network and Distributed System Security Symposium (NDSS).

[43]

Jake Edge. 2015. A seccomp overview. https://lwn.net/Articles/656307/.

[44]

Jonathan Corbet. 2005. Securely renting out your CPU with Linux. https://lwn.net/Articles/120647/.

[45]

Michael B. Jones. 1993. Interposition Agents: Transparently Interposing User Code at the System Interface. ACM Special Interest Group in Operating Systems (SIGOPS), Vol. 27, 5 (1993), 80--93.

Digital Library

[46]

Konstantinos Kallas, Tammam Mustafa, Jan Bielak, Dimitris Karnikis, Thurston H.Y. Dang, Michael Greenberg, and Nikos Vasilakis. 2022. Practically Correct, Just-in-Time Shell Script Parallelization. In USENIX Symposium on Operating Systems Design and Implementation (OSDI). 769--785.

[47]

Dmitry Kasatkin, David Safford, and Mimi Zohar. 2010. An Overview of The Linux Integrity Subsystem.

[48]

Guarav S. Kc and Angelos D. Keromytis. 2005. e-NeXSh: Achieving an Effectively Non-Executable Stack and Heap via System-Call Policing. In Annual Computer Security Applications Conference (ACSAC).

[49]

Vasileios P. Kemerlis. 2015. Protecting Commodity Operating Systems through Strong Kernel Isolation. Ph.,D. Dissertation. Columbia University.

[50]

The Linux Kernel. 2023. Syscall User Dispatch. https://docs.kernel.org/admin-guide/syscall-user-dispatch.html.

[51]

Sungjin Kim, Byung Joon Kim, and Dong Hoon Lee. 2021. Prof-gen: Practical Study on System Call Whitelist Generation for Container Attack Surface Reduction. In IEEE International Conference on Cloud Computing (CLOUD). 278--287.

[52]

Taesoo Kim and Nickolai Zeldovich. 2013. Practical and Effective Sandboxing for Non-root Users. In USENIX Annual Technical Conference (ATC). 139--144.

[53]

Koen Koning, Herbert Bos, and Cristiano Giuffrida. 2016. Secure and Efficient Multi-variant Execution Using Hardware-assisted Process Virtualization. In IEEE/IFIP International Conference on Dependable Systems and Networks (DSN). 431--442.

[54]

Hyungjoon Koo, Yaohui Chen, Long Lu, Vasileios P Kemerlis, and Michalis Polychronakis. 2018. Compiler-assisted Code Randomization. In IEEE Symposium on Security and Privacy (S&P). 461--477.

[55]

Alexey Kopytov. 2021. sysbench. https://github.com/akopytov/sysbench.

[56]

Eduardo Krell and Balachander Krishnamurthy. 1992. COLA: Customized Overlaying. In USENIX Winter Technical Conference. 3--7.

[57]

Volodymyr Kuznetsov, Laszlo Szekeres, Mathias Payer, George Candea nd R. Sekar, and Dawn Song. 2014. Code-Pointer Integrity. In USENIX Symposium on Operating Systems Design and Implementation (OSDI). 147--163.

[58]

Per Larsen, Andrei Homescu, Stefan Brunthaler, and Michael Franz. 2014. SoK: Automated Software Diversity. In IEEE Symposium on Security and Privacy (S&P). 276--291.

[59]

Lingguang Lei, Jianhua Sun, Kun Sun, Chris Shenefiel, Rui Ma, Yuewu Wang, and Qi Li. 2017. SPEAKER: Split-Phase Execution of Application Containers. In International Conference of Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA). 230--251.

[60]

Bo Li, Jianxin Li, Tainyu Wo, Chunming Hu, and Liang Zhong. 2010. A VMM-Based System Call Interposition Framework for Program Monitoring. In IEEE International Conference on Parallel and Distributed Systems (ICPADS). 706--711.

Digital Library

[61]

Yiwen Li, Brendan Dolan-Gavitt, Sam Weber, and Justin Cappos. 2017. Lock-in-Pop: Securing Privileged Operating System Kernels by Keeping on the Beaten Path. In USENIX Annual Technical Conference (ATC). 1--13.

[62]

Cullen Linn, Mohan Rajagopalan, Scott Baker, Christian S. Collberg, Saumya K. Debray, and John H. Hartman. 2005. Protecting Against Unexpected System Calls. In USENIX Security Symposium (SEC). 239--254.

[63]

Linux Integrity Project. 2020. evmctl - IMA/EVM signing utility. https://manpages.debian.org/bullseye/ima-evm-utils/evmctl.1.en.html.

[64]

Linux Programmer's Manual. 2021. proc - process information pseudo-filesystem. https://man7.org/linux/man-pages/man5/proc.5.html.

[65]

LWN.net. 2004. x86 NX support. https://lwn.net/Articles/87814/.

[66]

System Calls Manual. 2022. pledge - restrict system operations. https://man.openbsd.org/pledge.2

[67]

MariaDB. 2011. MariaDB Tools. https://github.com/MariaDB/mariadb.org-tools/blob/master/sysbench/run-sysbench.sh.

[68]

MariaDB. 2023. MariaDB. https://mariadb.com.

[69]

Steven McCanne and Van Jacobson. 1993. The BSD Packet Filter: A New Architecture for User-level Packet Capture. In USENIX Winter Conference.

[70]

Terrence Mitchem, Raymond Lu, and Richard O'Brien. 1997. Using Kernel Hypervisors to Secure Applications. In Annual Computer Security Applications Conference (ACSAC). 175--181.

[71]

Santosh Nagarakatte, Jianzhou Zhao, Milo M.K. Martin, and Steve Zdancewic. 2009. SoftBound: Highly Compatible and Complete Spatial Memory Safety for C. In ACM Conference on Programming Language Design and Implementation (PLDI). 245--258.

Digital Library

[72]

Santosh Nagarakatte, Jianzhou Zhao, Milo M.K. Martin, and Steve Zdancewic. 2010. CETS: Compiler Enforced Temporal Safety for C. In ACM International Symposium on Memory Management (ISMM). 31--40.

Digital Library

[73]

Nginx. 2023. Nginx. https://nginx.org.

[74]

Koichi Onoue, Yoshihiro Oyama, and Akinori Yonezawa. 2008. Control of System Calls from Outside of Virtual Machines. In ACM Symposium on Applied Computing (SAC). 2116--1221.

Digital Library

[75]

Shankara Pailoor, Xinyu Wang, Hovav Shacham, and Isil Dillig. 2020. Automated Policy Synthesis for System Call Sandboxing. In ACM Conference on Object-Oriented Programming Systems, Languages, and Applications (OOPSLA).

[76]

Dinglan Peng, Congyu Liu, Tapti Palit, Pedro Fonseca, Anjo Vahldiek-Oberwagner, and Mona Vij. 2023. uSWITCH: Fast Kernel Context Isolation with Implicit Context Switches. In IEEE Symposium on Security and Privacy (S&P). 2956--2973.

[77]

Rob Pike and Brian Kernighan. 1984. Program Design in the UNIX Environment. AT&T Bell Laboratories Technical Journal, Vol. 63, 8 (1984), 1595--1605.

[78]

Sergej Proskurin, Marius Momeu, Seyedhamed Ghavamnia, Vasileios P Kemerlis, and Michalis Polychronakis. 2020. xMP: Selective Memory Protection for Kernel and User Space. In IEEE Symposium on Security and Privacy (S&P). 563--577.

[79]

Niels Provos. 2003. Improving Host Security with System Call Policies. In USENIX Security Symposium (SEC). 257--272.

[80]

Chenxiong Qian, Hong Hu, Mansour Alharthi, Pak Ho Chung, Taesoo Kim, and Wenke Lee. 2019. RAZOR: A Framework for Post-deployment Software Debloating. In USENIX Security Symposium (SEC). 1733--1750.

[81]

Anh Quach, Rukayat Erinfolami, David Demicco, and Aravind Prakash. 2017. A Multi-OS Cross-Layer Study of Bloating in User Programs, Kernel and Managed Execution Environments. In ACM Workshop on Forming an Ecosystem Around Software Transformation (FEAST). 65--70.

[82]

Anh Quach, Aravind Prakash, and Lok Yan. 2018. Debloating Software through Piece-Wise Compilation and Loading. In USENIX Security Symposium (SEC). 869--886.

[83]

Mohan Rajagopalan, Matti A. Hiltunen, Trevor Jim, and Richard D. Schlichting. 2006. System Call Monitoring Using Authenticated System Calls. IEEE Transactions on Dependable and Secure Computing (TDSC), Vol. 3, 3 (2006), 216--229.

Digital Library

[84]

Redis. 2023 a. memtier_benchmark. https://github.com/RedisLabs/memtier_benchmark.

[85]

Redis. 2023 b. Redis. https://redis.io.

[86]

Reiner Sailer, Xiaolan Zhang, Trent Jaeger, and Leendert Van Doorn. 2004. Design and Implementation of a TCG-based Integrity Measurement Architecture. In USENIX Security Symposium (SEC). 223--238.

[87]

Yasushi Saito. 2005. Jockey: A User-Space Library for Record-Replay Debugging. In ACM International Symposium on Automated Analysis-Driven Debugging (AADEBUG). 69--76.

Digital Library

[88]

Jerome H. Saltzer and Michael D. Schroeder. 1975. The Protection of Information in Computer Systems. Proc. IEEE, Vol. 63, 9 (1975), 1278--1308.

[89]

David Schrammel, Samuel Weiser, Richard Sadek, and Stefan Mangard. 2022. Jenny: Securing Syscalls for PKU-based Memory Isolation Systems. In USENIX Security Symposium (SEC). 936--952.

[90]

Felix Schuster, Thomas Tendyck, Christopher Liebchen, Lucas Davi, Ahmad-Reza Sadeghi, and Thorsten Holz. 2015. Counterfeit Object-oriented Programming: On the Difficulty of Preventing Code Reuse Attacks in C Applications. In IEEE Symposium on Security and Privacy (S&P). 745--762.

[91]

Albert Serra, Nacho Navarro, and Toni Cortes. 2000. DITools: Application-level Support for Dynamic Extension and Flexible Composition. In USENIX Annual Technical Conference (ATC). 225--238.

[92]

Hovav Shacham. 2007. The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86). In ACM Conference on Computer and Communications Security (CCS). 552--561.

Digital Library

[93]

Dimitrios Skarlatos, Qingrong Chen, Jianyan Chen, Tianyin Xu, and Josep Torrellas. 2020. Draco: Architectural and Operating System Support for System Call Security. In IEEE/ACM International Symposium on Microarchitecture (MICRO). 42--57.

[94]

Sooel Son, Kathryn S McKinley, and Vitaly Shmatikov. 2011. Rolecast: Finding Missing Security Checks When You Do Not Know What Checks Are. In ACM Conference on Object-Oriented Programming Systems, Languages, and Applications (OOPSLA). 1069--1084.

Digital Library

[95]

César Soto-Valero, Nicolas Harrand, Martin Monperrus, and Benoit Baudry. 2021. A Comprehensive Study of Bloated Dependencies in the Maven Ecosystem. Empirical Software Engineering (EMSE), Vol. 26, 3 (2021), 45.

Digital Library

[96]

SQLite. 2023 a. Database Speed Comparison. https://www.sqlite.com/speed.html.

[97]

SQLite. 2023 b. SQLite. https://www.sqlite.org.

[98]

Laszlo Szekeres, Mathias Payer, Tao Wei, and Dawn Song. 2013. Sok: Eternal War in Memory. In IEEE Symposium on Security and Privacy (IEEE S&P). 48--62.

[99]

The Linux Kernel. 2023. Seccomp BPF (SECure COMPuting with filters). https://www.kernel.org/doc/html/latest/userspace-api/seccomp_filter.html.

[100]

Caroline Tice, Tom Roeder, Peter Collingbourne, Stephen Checkoway, Úlfar Erlingsson, Luis Lozano, and Geoff Pike. 2014. Enforcing Forward-Edge Control-Flow Integrity in GCC & LLVM. In USENIX Security Symposium (SEC). 941--955.

[101]

David Williams-King, Graham Gobieski, Kent Williams-King, James P Blake, Xinhao Yuan, Patrick Colp, Michelle Zheng, Vasileios P Kemerlis, Junfeng Yang, and William Aiello. 2016. Shuffler: Fast and Deployable Continuous Code Re-Randomization. In USENIX Symposium on Operating Systems Design and Implementation (OSDI). 367--382.

[102]

David Williams-King, Hidenori Kobayashi, Kent Williams-King, Graham Patterson, Frank Spano, Yu Jian Wu, Junfeng Yang, and Vasileios P. Kemerlis. 2020. Egalito: Layout-Agnostic Binary Recompilation. In ACM International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS). 133--147.

[103]

Yunlong Xing, Jiahao Cao, Kun Sun, Fei Yan, and Shengye Wan. 2022. The devil is in the detail: Generating system call whitelist for Linux seccomp. Future Generation Computer Systems (FGCS), Vol. 135 (2022), 105--113.

Digital Library

[104]

Yunlong Xing, Xinda Wang, Sadegh Torabi, Zeyu Zhang, Lingguang Lei, and Kun Sun. 2023. A Hybrid System Call Profiling Approach for Container Protection. IEEE Transactions on Dependable and Secure Computing (TDSC) (2023).

Digital Library

[105]

Fabian Yamaguchi, Christian Wressnegger, Hugo Gascon, and Konrad Rieck. 2013. Chucky: Exposing Missing Checks in Source Code for Vulnerability Discovery. In ACM Conference on Computer and Communications Security (CCS). 499--510.

Digital Library

[106]

YiFei Zhu. 2020. seccomp: Add bitmap cache of constant allow filter results. https://lwn.net/Articles/834056/.

[107]

Yves Younan, Wouter Joosen, and Frank Piessens. 2012. Runtime Countermeasures for Code Injection Attacks against C and C Programs. ACM Computing Surveys (CSUR), Vol. 44, 3 (2012), 1--28.

Digital Library

[108]

Dongyang Zhan, Zhaofeng Yu, Xiangzhan Yu, Hongli Zhang, Lin Ye, and Likun Liu. 2022. Securing Operating Systems Through Fine-Grained Kernel Access Limitation for IoT Systems. IEEE Internet of Things Journal (IoT-J), Vol. 10, 6 (2022), 5378--5392.

[109]

Chao Zhang, Tao Wei, Zhaofeng Chen, Lei Duan, Laszlo Szekeres, Stephen McCamant, Dawn Song, and Wei Zou. 2013. Practical Control Flow Integrity and Randomization for Binary Executables. In IEEE Symposium on Security and Privacy (S&P). 559--573.

Cited By

Vasilas TBacila CBrad R(2024)Beat the Heat: Syscall Attack Detection via Thermal Side ChannelFuture Internet10.3390/fi1608030116:8(301)Online publication date: 21-Aug-2024
https://doi.org/10.3390/fi16080301
Yang SKang BNam J(2024)Optimus: association-based dynamic system call filtering for container attack surface reductionJournal of Cloud Computing: Advances, Systems and Applications10.1186/s13677-024-00639-313:1Online publication date: 23-Mar-2024
https://dl.acm.org/doi/10.1186/s13677-024-00639-3
Jacobs AGülmez MAndries AVolckaert SVoulimeneas A(2024)System Call Interposition Without Compromise2024 54th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)10.1109/DSN58291.2024.00030(183-194)Online publication date: 24-Jun-2024
https://doi.org/10.1109/DSN58291.2024.00030

Index Terms

SysXCHG: Refining Privilege with Adaptive System Call Filters
1. Security and privacy
  1. Software and application security
    1. Software security engineering
  2. Systems security
    1. Operating systems security

Recommendations

Adaptive median filters: new algorithms and results

Based on two types of image models corrupted by impulse noise, we propose two new algorithms for adaptive median filters. They have variable window size for removal of impulses while preserving sharpness. The first one, called the ranked-order based ...
Properties of IIR-OSLMS adaptive filters
MIC '08: Proceedings of the 27th IASTED International Conference on Modelling, Identification and Control

One of the most common problems in using of adaptive filters is their behavior in condition of application of a high amplitude and short time pulses at the filters' input. The ALMS mean filter is an OSLMS filter, featured by a good convergence of their ...
Application of Adaptive Sub-band Filters on Active Noise Control
SPML '22: Proceedings of the 2022 5th International Conference on Signal Processing and Machine Learning

Active noise control is an effective method for active noise reduction for low frequency noise. In this paper, the forward control method is adopted for noise reduction special in semi-enclosed spaces. The primary(original) noise from noise sources is ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

CCS '23: Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security

November 2023

3722 pages

ISBN:9798400700507

DOI:10.1145/3576915

General Chairs:
Weizhi Meng
Technical University of Denmark
,
Christian D. Jensen
Technical University of Denmark
,
Program Chairs:
Cas Cremers
CISPA Helmholtz Center for Information Security
,
Engin Kirda
Khoury College of Computer Sciences

Copyright © 2023 Owner/Author.

This work is licensed under a Creative Commons Attribution International 4.0 License.

Sponsors

SIGSAC: ACM Special Interest Group on Security, Audit, and Control

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 21 November 2023

Check for updates

Author Tags

Qualifiers

Research-article

Funding Sources

Conference

CCS '23

Sponsor:

SIGSAC

CCS '23: ACM SIGSAC Conference on Computer and Communications Security

November 26 - 30, 2023

Copenhagen, Denmark

Acceptance Rates

Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

Upcoming Conference

CCS '24

Sponsor:
sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 14 - 18, 2024

Salt Lake City , UT , USA

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

3
Total Citations
View Citations
599
Total Downloads

Downloads (Last 12 months)599
Downloads (Last 6 weeks)69

Reflects downloads up to 03 Oct 2024

Other Metrics

View Author Metrics

Citations

Cited By

Vasilas TBacila CBrad R(2024)Beat the Heat: Syscall Attack Detection via Thermal Side ChannelFuture Internet10.3390/fi1608030116:8(301)Online publication date: 21-Aug-2024
https://doi.org/10.3390/fi16080301
Yang SKang BNam J(2024)Optimus: association-based dynamic system call filtering for container attack surface reductionJournal of Cloud Computing: Advances, Systems and Applications10.1186/s13677-024-00639-313:1Online publication date: 23-Mar-2024
https://dl.acm.org/doi/10.1186/s13677-024-00639-3
Jacobs AGülmez MAndries AVolckaert SVoulimeneas A(2024)System Call Interposition Without Compromise2024 54th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)10.1109/DSN58291.2024.00030(183-194)Online publication date: 24-Jun-2024
https://doi.org/10.1109/DSN58291.2024.00030
Qin KGu D(2024)One System Call Hook to Rule All TEE OSes in the Cloud2024 IEEE 17th International Conference on Cloud Computing (CLOUD)10.1109/CLOUD62652.2024.00032(205-216)Online publication date: 7-Jul-2024
https://doi.org/10.1109/CLOUD62652.2024.00032

View Options

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Media

Figures

Other

Tables

View Table of Contents