DOI: 10.1145/3576915.3623207 (ACM Conferences, CCS proceedings)
Research article, Public Access

SysPart: Automated Temporal System Call Filtering for Binaries

Published: 21 November 2023

Abstract

Restricting the system calls available to applications reduces the attack surface of the kernel and limits the functionality available to compromised applications. Recent approaches automatically identify the system calls required by programs to block unneeded ones. For servers, they even consider different phases of execution to tighten restrictions after initialization completes. However, they require access to the source code for applications and libraries, depend on users identifying when the server transitions from initialization to serving clients, or do not account for dynamically-loaded libraries. This paper introduces SYSPART, an automatic system-call filtering system designed for binary-only server programs that addresses the above limitations. Using a novel algorithm that combines static and dynamic analysis, SYSPART identifies the serving phases of all working threads of a server. Static analysis is used to compute the system calls required during the various serving phases in a sound manner, and dynamic observations are only used to complement static resolution of dynamically-loaded libraries when necessary. We evaluated SYSPART using six popular servers on x86-64 Linux to demonstrate its effectiveness in automatically identifying serving phases, generating accurate system-call filters, and mitigating attacks. Our results show that SYSPART outperforms prior binary-only approaches and performs comparably to source-code approaches.
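The abstract states that the serving-phase system-call sets are computed statically, in a sound manner, and that dynamic observations are only used to complement dynamically-loaded libraries. The following is an added example written for this page, not code from the SysPart paper or its artifact: a toy call-graph reachability model of a constructed server that contrasts the whole-program syscall set with the set reachable from the worker loop alone, and merges in syscalls observed from dynamically-loaded code. The function names, call graph, syscall map and the `dynamic_observations` interface are all constructed assumptions.

```python
"""Added example: phase-aware system-call allowlisting over a call graph.

Illustrative code written for this page, not SysPart's implementation.
It models the idea in the abstract: the syscalls reachable from the whole
program versus those reachable only from the serving phase (the worker
loop), with dynamic observations used only for dynamically-loaded code
that static analysis cannot see. Names and the call graph are constructed.
"""
from collections import deque

# Constructed call graph of a hypothetical server: function -> direct callees.
CALL_GRAPH = {
    "main": ["parse_config", "bind_socket", "drop_privs", "spawn_workers"],
    "parse_config": ["open_file", "read_all", "close_file"],
    "bind_socket": ["sock_setup"],
    "spawn_workers": ["worker_loop"],
    "worker_loop": ["accept_client", "handle_request", "log_line"],
    "handle_request": ["read_all", "serve_file", "send_response"],
    "serve_file": ["open_file", "read_all", "close_file"],
}

# Constructed map of the syscalls each function invokes directly (a binary
# analysis would recover these from syscall instructions and libc wrappers).
DIRECT_SYSCALLS = {
    "open_file": {"openat"},
    "read_all": {"read"},
    "close_file": {"close"},
    "sock_setup": {"socket", "setsockopt", "bind", "listen"},
    "drop_privs": {"setgid", "setuid"},
    "spawn_workers": {"clone"},
    "accept_client": {"accept4"},
    "send_response": {"sendto", "writev"},
    "log_line": {"write"},
}


def reachable_functions(call_graph, roots):
    """Transitive closure of the call graph from the given entry points."""
    seen = set()
    queue = deque(roots)
    while queue:
        fn = queue.popleft()
        if fn in seen:
            continue
        seen.add(fn)
        queue.extend(call_graph.get(fn, ()))
    return seen


def syscalls_reachable_from(call_graph, direct_syscalls, roots):
    """Over-approximate set of syscalls any code reachable from roots may issue."""
    needed = set()
    for fn in reachable_functions(call_graph, roots):
        needed |= direct_syscalls.get(fn, set())
    return frozenset(needed)


def serving_phase_allowlist(call_graph, direct_syscalls, serving_roots,
                            dynamic_observations=frozenset()):
    """Allowlist to install once a worker thread enters its serving loop.

    dynamic_observations holds syscalls seen in dynamically-loaded libraries
    during a training run; it only complements code the static analysis
    cannot resolve (assumed interface for this example, not SysPart's).
    """
    static = syscalls_reachable_from(call_graph, direct_syscalls, serving_roots)
    return frozenset(static | set(dynamic_observations))


def phase_report(call_graph, direct_syscalls, entry, serving_roots,
                 dynamic_observations=frozenset()):
    """Whole-program filter, serving-phase filter, and what the transition removes."""
    whole = syscalls_reachable_from(call_graph, direct_syscalls, [entry])
    serving = serving_phase_allowlist(call_graph, direct_syscalls, serving_roots,
                                      dynamic_observations)
    return {"whole_program": whole, "serving": serving,
            "removed_after_init": whole - serving}


if __name__ == "__main__":
    report = phase_report(CALL_GRAPH, DIRECT_SYSCALLS, "main", ["worker_loop"])
    for phase, calls in report.items():
        print(f"{phase:>20}: {sorted(calls)}")
```

Run stand-alone, the report shows the socket-setup, privilege-dropping and thread-creation syscalls disappearing from the allowlist once the serving loop is the only root. The toy treats every edge as a resolved direct call; a real binary analysis must also account for indirect call targets conservatively for the resulting filter to remain sound, which is the part the abstract attributes to its static analysis.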



Published In

CCS '23: Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security
November 2023, 3722 pages
ISBN: 9798400700507
DOI: 10.1145/3576915

Publisher

Association for Computing Machinery, New York, NY, United States

Publication History

Published: 21 November 2023


Author Tags

1. attack-surface reduction
2. binary analysis
3. exploit mitigation
4. system-call filtering
5. temporal

Qualifiers

• Research-article

Conference

CCS '23

Acceptance Rates

Overall acceptance rate: 1,261 of 6,999 submissions, 18%


Article Metrics

• Downloads (last 12 months): 369
• Downloads (last 6 weeks): 66

Reflects downloads up to 24 Dec 2024

Cited By

• Evaluating the Effect of Improved Indirect Call Resolution on System Call Debloating. Proceedings of the 2024 Workshop on Forming an Ecosystem Around Software Transformation (2024), 1-6. DOI: 10.1145/3689937.3695791. Online publication date: 14-Oct-2024
• B-Side: Binary-Level Static System Call Identification. Proceedings of the 25th International Middleware Conference (2024), 225-237. DOI: 10.1145/3652892.3700761. Online publication date: 2-Dec-2024
• System Call Interposition Without Compromise. 2024 54th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN) (2024), 183-194. DOI: 10.1109/DSN58291.2024.00030. Online publication date: 24-Jun-2024
• One System Call Hook to Rule All TEE OSes in the Cloud. 2024 IEEE 17th International Conference on Cloud Computing (CLOUD) (2024), 205-216. DOI: 10.1109/CLOUD62652.2024.00032. Online publication date: 7-Jul-2024
• Cabin: Confining Untrusted Programs Within Confidential VMs. Information and Communications Security (2024), 165-184. DOI: 10.1007/978-981-97-8798-2_9. Online publication date: 25-Dec-2024
