Building Dynamic System Call Sandbox with Partial Order Analysis
Authors: 
Quan Zhang, Chijin Zhou, Yiwen Xu, Zijing Yin, Mingzhe Wang, Zhuo Su, Chengnian Sun, Yu Jiang, Jiaguang SunAuthors Info & Claims
Quan Zhang, Chijin Zhou, Yiwen Xu, Zijing Yin, Mingzhe Wang, Zhuo Su, Chengnian Sun, Yu Jiang, Jiaguang SunAuthors Info & ClaimsArticle No.: 266, Pages 1253 - 1280
Abstract
Attack surface reduction is a security technique that secures the operating system by removing the unnecessary code or features of a program. By restricting the system calls that programs can use, the system call sandbox is able to reduce the exposed attack surface of the operating system and prevent attackers from damaging it through vulnerable programs. Ideally, programs should only retain access to system calls they require for normal execution. Many researchers focus on adopting static analysis to automatically restrict the system calls for each program. However, these methods do not adjust the restriction policy along with program execution. Thus, they need to permit all system calls required for program functionalities.
We observe that some system calls, especially security-sensitive ones, are used a few times in certain stages of a program’s execution and then never used again. This motivates us to minimize the set of required system calls dynamically. In this paper, we propose, which gradually disables access to unnecessary system calls throughout the program’s execution. To accomplish this, we utilize partial order analysis to transform the program into a partially ordered graph, which enables efficient identification of the necessary system calls at any given point during program execution. Once a system call is no longer required by the program, can restrict it immediately. To evaluate, we applied it to seven widely-used programs with an average of 615 KLOC, including web servers and databases. With partial order analysis, restricts an average of 23.50, 16.86, and 15.89 more system calls than the state-of-the-art Chestnut, Temporal Specialization, and the configuration-aware sandbox, C2C, respectively. For mitigating malicious exploitations, on average, defeats 83.42% of 1726 exploitation payloads with only a 5.07% overhead.
References
[1]
Martín Abadi, Mihai Budiu, Ulfar Erlingsson, and Jay Ligatti. 2009. Control-flow integrity principles, implementations, and applications. ACM Transactions on Information and System Security (TISSEC), 13, 1 (2009), 1–40.
[2]
Ioannis Agadakos, Di Jin, David Williams-King, Vasileios P. Kemerlis, and Georgios Portokalidis. 2019. Nibbler: debloating binary shared libraries. In Proceedings of the 35th Annual Computer Security Applications Conference, ACSAC 2019, San Juan, PR, USA, December 09-13, 2019, David Balenson (Ed.). ACM, 70–83. https://doi.org/10.1145/3359789.3359823
[3]
A. Bensoussan, C. T. Clingen, and Robert C. Daley. 1972. The Multics Virtual Memory: Concepts and Design. Commun. ACM, 15, 5 (1972), 308–318. https://doi.org/10.1145/355602.361306
[4]
Claudio Canella, Mario Werner, Daniel Gruss, and Michael Schwarz. 2021. Automating Seccomp Filter Generation for Linux Applications. In CCSW@CCS ’21: Proceedings of the 2021 on Cloud Computing Security Workshop, Virtual Event, Republic of Korea, 15 November 2021, Yinqian Zhang and Marten van Dijk (Eds.). ACM, 139–151. https://doi.org/10.1145/3474123.3486762
[5]
Nicholas DeMarinis, Kent Williams-King, Di Jin, Rodrigo Fonseca, and Vasileios P. Kemerlis. 2020. Sysfilter: Automated system call filtering for commodity software. RAID 2020 Proceedings - 23rd International Symposium on Research in Attacks, Intrusions and Defenses, 459–474. isbn:9781939133182
[6]
Seyedhamed Ghavamnia, Tapti Palit, Shachee Mishra, and Michalis Polychronakis. 2020. Temporal System Call Specialization for Attack Surface Reduction. In 29th USENIX Security Symposium, USENIX Security 2020, August 12-14, 2020, Srdjan Capkun and Franziska Roesner (Eds.). USENIX Association, 1749–1766. https://www.usenix.org/conference/usenixsecurity20/presentation/ghavamnia
[7]
Seyedhamed Ghavamnia, Tapti Palit, and Michalis Polychronakis. 2022. C2C: Fine-grained Configuration-driven System Call Filtering. In Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security, CCS 2022, Los Angeles, CA, USA, November 7-11, 2022, Heng Yin, Angelos Stavrou, Cas Cremers, and Elaine Shi (Eds.). ACM, 1243–1257. https://doi.org/10.1145/3548606.3559366
[8]
Ian Goldberg, David A. Wagner, Randi Thomas, and Eric A. Brewer. 1996. A Secure Environment for Untrusted Helper Applications. In Proceedings of the 6th USENIX Security Symposium, San Jose, CA, USA, July 22-25, 1996. USENIX Association. https://www.usenix.org/conference/6th-usenix-security-symposium/secure-environment-untrusted-helper-applications
[9]
Xiaoyu Hu, Jie Zhou, Spyridoula Gravani, and John Criswell. 2018. Transforming Code to Drop Dead Privileges. In 2018 IEEE Cybersecurity Development, SecDev 2018, Cambridge, MA, USA, September 30 - October 2, 2018. IEEE Computer Society, 45–52. https://doi.org/10.1109/SecDev.2018.00014
[10]
Jacek Jachner and Vinod K. Agarwal. 1984. Data Flow Anomaly Detection. IEEE Transactions on Software Engineering, SE-10, 4 (1984), 432–437. https://doi.org/10.1109/TSE.1984.5010256
[11]
K. Jain and R. Sekar. 2000. User-Level Infrastructure for System Call Interposition: A Platform for Intrusion Detection and Confinement. In Proceedings of the Network and Distributed System Security Symposium, NDSS 2000, San Diego, California, USA. The Internet Society. https://www.ndss-symposium.org/ndss2000/user-level-infrastructure-system-call-interposition-platform-intrusion-detection-and-confinement/
[12]
Vasileios P. Kemerlis, Georgios Portokalidis, and Angelos D. Keromytis. 2012. kGuard: Lightweight Kernel Protection against Return-to-User Attacks. In Proceedings of the 21th USENIX Security Symposium, Bellevue, WA, USA, August 8-10, 2012, Tadayoshi Kohno (Ed.). USENIX Association, 459–474. https://www.usenix.org/conference/usenixsecurity12/technical-sessions/presentation/kemerlis
[13]
Linux Kernel. 2022. Seccomp BPF. https://www.kernel.org/doc/html/v4.16/userspace-api/seccomp_filter.html.
[14]
Chris Lattner and Vikram Adve. 2004. LLVM: A Compilation Framework for Lifelong Program Analysis and Transformation. San Jose, CA, USA. 75–88. https://doi.org/10.1109/CGO.2004.1281665
[15]
Yiwen Li, Brendan Dolan-Gavitt, Sam Weber, and Justin Cappos. 2017. Lock-in-Pop: Securing Privileged Operating System Kernels by Keeping on the Beaten Path. In 2017 USENIX Annual Technical Conference, USENIX ATC 2017, Santa Clara, CA, USA, July 12-14, 2017, Dilma Da Silva and Bryan Ford (Eds.). USENIX Association, 1–13. https://www.usenix.org/conference/atc17/technical-sessions/presentation/li-yiwen
[16]
LibSeccomp. 2023. libSeccomp. https://github.com/seccomp/libseccomp
[17]
LLVM. 2022. Link Time Optimization. https://llvm.org/docs/LinkTimeOptimization.html.
[18]
Steven McCanne and Van Jacobson. 1993. The BSD Packet Filter: A New Architecture for User-level Packet Capture. In Proceedings of the Usenix Winter 1993 Technical Conference, San Diego, California, USA, January 1993. USENIX Association, 259–270. https://www.usenix.org/conference/usenix-winter-1993-conference/bsd-packet-filter-new-architecture-user-level-packet
[19]
Dirk Merkel. 2014. Docker: lightweight linux containers for consistent development and deployment. Linux journal, 2014, 239 (2014), 2.
[20]
MITRE. 2016. CVE-2016-0746. https://nvd.nist.gov/vuln/detail/CVE-2016-0746
[21]
MITRE. 2021. CVE-2021-41773. https://nvd.nist.gov/vuln/detail/CVE-2021-41773
[22]
MITRE. 2022. CVE. https://www.cve.org/.
[23]
Collin Mulliner and Matthias Neugschwandtner. 2015. Breaking Payloads with Runtime Code Stripping and Image Freezing. http://www.mulliner.org/security/codefreeze/1
[24]
Santosh Nagarakatte, Jianzhou Zhao, Milo M. K. Martin, and Steve Zdancewic. 2009. SoftBound: highly compatible and complete spatial memory safety for c. In Proceedings of the 2009 ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI 2009, Dublin, Ireland, June 15-21, 2009, Michael Hind and Amer Diwan (Eds.). ACM, 245–258. https://doi.org/10.1145/1542476.1542504
[25]
Shravan Narayan, Craig Disselkoen, Tal Garfinkel, Nathan Froyd, Eric Rahm, Sorin Lerner, Hovav Shacham, and Deian Stefan. 2020. Retrofitting Fine Grain Isolation in the Firefox Renderer. In 29th USENIX Security Symposium, USENIX Security 2020, August 12-14, 2020, Srdjan Capkun and Franziska Roesner (Eds.). USENIX Association, 699–716. https://www.usenix.org/conference/usenixsecurity20/presentation/narayan
[26]
Shankara Pailoor, Xinyu Wang, Hovav Shacham, and Isil Dillig. 2020. Automated policy synthesis for system call sandboxing. Proceedings of the ACM on Programming Languages, 4, OOPSLA (2020), issn:24751421 https://doi.org/10.1145/3428203
[27]
Neeraj Pal. 2018. Pledge: OpenBSD’s defensive approach to OS Security. https://medium.com/@_neerajpal/pledge-openbsds-defensive-approach-for-os-security-86629ef779ce
[28]
Soyeon Park, Sangho Lee, Wen Xu, Hyungon Moon, and Taesoo Kim. 2019. libmpk: Software Abstraction for Intel Memory Protection Keys (Intel MPK). In 2019 USENIX Annual Technical Conference, USENIX ATC 2019, Renton, WA, USA, July 10-12, 2019. USENIX Association, 241–254. https://www.usenix.org/conference/atc19/presentation/park-soyeon
[29]
The Linux Documentation Project. 2023. Dynamic Loaded (DL) Libraries. https://tldp.org/HOWTO/Program-Library-HOWTO/dl-libraries.html
[30]
Niels Provos. 2003. Improving Host Security with System Call Policies. In Proceedings of the 12th USENIX Security Symposium, Washington, D.C., USA, August 4-8, 2003. USENIX Association. https://www.usenix.org/conference/12th-usenix-security-symposium/improving-host-security-system-call-policies
[31]
Anh Quach, Aravind Prakash, and Lok Yan. 2018. Debloating Software through Piece-Wise Compilation and Loading. In 27th USENIX Security Symposium (USENIX Security 18). USENIX Association, Baltimore, MD. 869–886. isbn:978-1-939133-04-5 https://www.usenix.org/conference/usenixsecurity18/presentation/quach
[32]
Mohan Rajagopalan, Matti A. Hiltunen, Trevor Jim, and Richard D. Schlichting. 2005. Authenticated System Calls. In 2005 International Conference on Dependable Systems and Networks (DSN 2005), 28 June - 1 July 2005, Yokohama, Japan, Proceedings. IEEE Computer Society, 358–367. https://doi.org/10.1109/DSN.2005.23
[33]
Rapid7. 2022. Metasploit. https://www.metasploit.com/.
[34]
Charles Reis, Alexander Moshchuk, and Nasko Oskov. 2019. Site Isolation: Process Separation for Web Sites within the Browser. In 28th USENIX Security Symposium, USENIX Security 2019, Santa Clara, CA, USA, August 14-16, 2019, Nadia Heninger and Patrick Traynor (Eds.). USENIX Association, 1661–1678. https://www.usenix.org/conference/usenixsecurity19/presentation/reis
[35]
Felix Schuster, Thomas Tendyck, Christopher Liebchen, Lucas Davi, Ahmad-Reza Sadeghi, and Thorsten Holz. 2015. Counterfeit Object-oriented Programming: On the Difficulty of Preventing Code Reuse Attacks in C++ Applications. In 2015 IEEE Symposium on Security and Privacy, SP 2015, San Jose, CA, USA, May 17-21, 2015. IEEE Computer Society, 745–762. https://doi.org/10.1109/SP.2015.51
[36]
Hovav Shacham. 2007. The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86). In Proceedings of the 2007 ACM Conference on Computer and Communications Security, CCS 2007, Alexandria, Virginia, USA, October 28-31, 2007, Peng Ning, Sabrina De Capitani di Vimercati, and Paul F. Syverson (Eds.). ACM, 552–561. https://doi.org/10.1145/1315245.1315313
[37]
Yan Shoshitaishvili, Ruoyu Wang, Christopher Salls, Nick Stephens, Mario Polino, Andrew Dutcher, John Grosen, Siji Feng, Christophe Hauser, Christopher Krügel, and Giovanni Vigna. 2016. SOK: (State of) The Art of War: Offensive Techniques in Binary Analysis. In IEEE Symposium on Security and Privacy, SP 2016, San Jose, CA, USA, May 22-26, 2016. IEEE Computer Society, 138–157. https://doi.org/10.1109/SP.2016.17
[38]
Shell Storm. 2022. Shell-storm. http://www.shell-storm.org/.
[39]
Yulei Sui and Jingling Xue. 2016. SVF: Interprocedural Static Value-Flow Analysis in LLVM. In Proceedings of the 25th International Conference on Compiler Construction (CC 2016). Association for Computing Machinery, New York, NY, USA. 265–266. isbn:9781450342414 https://doi.org/10.1145/2892208.2892235
[40]
Phoronix Test Suite. 2023. Phoronix Test Suite. https://github.com/phoronix-test-suite/phoronix-test-suite.
[41]
Laszlo Szekeres, Mathias Payer, Tao Wei, and Dawn Song. 2013. SoK: Eternal War in Memory. In 2013 IEEE Symposium on Security and Privacy, SP 2013, Berkeley, CA, USA, May 19-22, 2013. IEEE Computer Society, 48–62. https://doi.org/10.1109/SP.2013.13
[42]
D. Wagner and R. Dean. 2001. Intrusion detection via static analysis. In Proceedings 2001 IEEE Symposium on Security and Privacy. S&P 2001. 156–168. https://doi.org/10.1109/SECPRI.2001.924296
[43]
Yves Younan, Wouter Joosen, and Frank Piessens. 2012. Runtime countermeasures for code injection attacks against C and C++ programs. ACM Comput. Surv., 44, 3 (2012), 17:1–17:28. https://doi.org/10.1145/2187671.2187679
[44]
Michał Zalewski. 2016. American Fuzzy Lop Whitepaper. https://lcamtuf.coredump.cx/afl/technical_details.txt
[45]
Qiang Zeng, Zhi Xin, Dinghao Wu, Peng Liu, and Bing Mao. 2013. Tailored Application-specific System Call Tables.
[46]
Quan Zhang. 2023. DynBox. https://github.com/ZQ-Struggle/DynBox.git
[47]
Quan Zhang, Yifeng Ding, Yongqiang Tian, Jianmin Guo, Min Yuan, and Yu Jiang. 2021. AdvDoor: adversarial backdoor attack of deep learning system. In ISSTA ’21: 30th ACM SIGSOFT International Symposium on Software Testing and Analysis, Virtual Event, Denmark, July 11-17, 2021, Cristian Cadar and Xiangyu Zhang (Eds.). ACM, 127–138. https://doi.org/10.1145/3460319.3464809
[48]
Quan Zhang, Yongqiang Tian, Yifeng Ding, Shanshan Li, Chengnian Sun, Yu Jiang, and Jiaguang Sun. 2023. CoopHance: Cooperative Enhancement for Robustness of Deep Learning Systems. In Proceedings of the 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis, ISSTA 2023, Seattle, WA, USA, July 17-21, 2023, René Just and Gordon Fraser (Eds.). ACM, 753–765. https://doi.org/10.1145/3597926.3598093
[49]
Quan Zhang, Chijin Zhou, Yiwen xu, Zijing Yin, Mingzhe Wang, Zhuo Su, Chengnian Sun, Yu Jiang, and Jiaguang Sun. 2023. Building Dynamic System Call Sandbox With Partial Order Analysis. Zenodo. https://doi.org/10.5281/zenodo.8328524
[50]
Chijin Zhou, Lihua Guo, Yiwei Hou, Zhenya Ma, Quan Zhang, Mingzhe Wang, Zhe Liu, and Yu Jiang. 2023. Limits of I/O Based Ransomware Detection: An Imitation Based Attack. In 44th IEEE Symposium on Security and Privacy, SP 2023, San Francisco, CA, USA, May 21-25, 2023. IEEE, 2584–2601. https://doi.org/10.1109/SP46215.2023.10179372
[51]
Chijin Zhou, Quan Zhang, Mingzhe Wang, Lihua Guo, Jie Liang, Zhe Liu, Mathias Payer, and Yu Jiang. 2022. Minerva: browser API fuzzing with dynamic mod-ref analysis. In Proceedings of the 30th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering, ESEC/FSE 2022, Singapore, Singapore, November 14-18, 2022. ACM, 1135–1147. https://doi.org/10.1145/3540250.3549107
Index Terms
- Building Dynamic System Call Sandbox with Partial Order Analysis
Recommendations
SysXCHG: Refining Privilege with Adaptive System Call Filters
CCS '23: Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications SecurityWe present the design, implementation, and evaluation of SysXCHG: a system call (syscall) filtering enforcement mechanism that enables programs to run in accordance with the principle of least privilege. In contrast to the current, hierarchical design of ...
HODOR: Shrinking Attack Surface on Node.js via System Call Limitation
CCS '23: Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications SecurityNode.js applications are becoming more and more widely adopted on the server side, partly due to the convenience of building these applications on top of the runtime provided by popular Node.js engines and the large number of third-party packages ...
Sifter: protecting security-critical kernel modules in Android through attack surface reduction
MobiCom '22: Proceedings of the 28th Annual International Conference on Mobile Computing And NetworkingThe Linux kernel is an important part of the Trusted Computing Base (TCB) of a mobile device using the Android OS, making it attractive to attackers. While all vulnerabilities in the kernel are important, those that are directly reachable by untrusted ...
Comments
Information & Contributors
Information
Published In
October 2023
2250 pages
Copyright © 2023 Owner/Author.
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
Published: 16 October 2023
Published in PACMPL Volume 7, Issue OOPSLA2
Check for updates
Badges
Author Tags
Qualifiers
- Research-article
Contributors
Other Metrics
Bibliometrics & Citations
Bibliometrics
Article Metrics
- 0Total Citations
- 381Total Downloads
- Downloads (Last 12 months)381
- Downloads (Last 6 weeks)44
Reflects downloads up to 02 Sep 2024
Other Metrics
Citations
View Options
Get Access
Login options
Check if you have access through your login credentials or your institution to get full access on this article.
Sign in