Abstract
Software vulnerabilities undermine the security of applications. By blocking unused functionality, the impact of potential exploits can be reduced. While seccomp provides a solution for filtering syscalls, it requires manual implementation of filter rules for each individual application. Recent work has investigated approaches to automate this task. However, as we show, these approaches make assumptions that are not necessary or require overly time-consuming analysis.
In this paper, we propose Chestnut, an automated approach for generating strict syscall filters with lower requirements and limitations. Chestnut comprises two phases, with the first phase consisting of two static components, i.e., a compiler and a binary analyzer, that statically extract the used syscalls. The compiler-based approach of Chestnut is up to a factor of 73 faster than previous approaches with the same accuracy. On the binary level, our approach extends over previous ones by also applying to non-PIC binaries. An optional second phase of Chestnut is dynamic refinement to restrict the set of allowed syscalls further. We demonstrate that Chestnut on average blocks 302 syscalls (86.5 %) via the compiler and 288 (82.5 %) using the binary analysis on a set of 18 applications. Chestnut blocks the dangerous exec syscall in 50 % and 77.7 % of the tested applications using the compiler- and binary-based approach, respectively. For the tested applications, Chestnut blocks exploitation of more than 61 % of the 175 CVEs that target the kernel via syscalls.
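What the generated artifact looks like in practice, as an added example that is not Chestnut's code: a syscall set of the kind the static phase extracts is turned into an allowlist seccomp-bpf program (architecture check, one compare per allowed number, kill everything else), its verdicts are checked offline with a small cBPF evaluator, and it is installed with no_new_privs set. The allowlist (write, exit, exit_group), the x86-64 target and every function name here are assumptions for the demo.

```c
/* Added example, not Chestnut's code: build, check and install an allowlist
 * seccomp-bpf filter from an (assumed) statically extracted syscall set. */
#define _GNU_SOURCE
#include <stddef.h>
#include <stdint.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <linux/audit.h>

#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS 0x80000000U /* older headers: kill the whole process */
#endif

#define DEMO_ARCH AUDIT_ARCH_X86_64 /* assumption: the filtered binary is x86-64 */

/* Emit into out[]:
 *   ld arch ; jeq DEMO_ARCH ? skip : fall through ; ret KILL
 *   ld nr   ; jeq nrs[0] -> ALLOW ; ... ; jeq nrs[n-1] -> ALLOW
 *   ret KILL ; ret ALLOW
 * Returns the instruction count, or 0 if out[] is too small or n > 255
 * (cBPF jump offsets are 8-bit; larger sets need a chained layout). */
static size_t build_allowlist_filter(const int *nrs, size_t n,
                                     struct sock_filter *out, size_t cap)
{
    size_t len = n + 6, i;
    if (n > 255 || len > cap) return 0;
    out[0] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                          offsetof(struct seccomp_data, arch));
    out[1] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, DEMO_ARCH, 1, 0);
    out[2] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    out[3] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                          offsetof(struct seccomp_data, nr));
    for (i = 0; i < n; i++) /* jt = distance from the next instruction to ALLOW */
        out[4 + i] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                                  (uint32_t)nrs[i], (uint8_t)(n - i), 0);
    out[4 + n] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    out[5 + n] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return len;
}

/* Minimal cBPF evaluator for the subset emitted above (ld abs, jeq k, ret k),
 * so a filter can be checked for a given (arch, nr) before it is installed. */
static uint32_t eval_filter(const struct sock_filter *f, size_t len,
                            uint32_t arch, uint32_t nr)
{
    uint32_t acc = 0;
    size_t pc = 0;
    while (pc < len) {
        const struct sock_filter *in = &f[pc++];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            acc = (in->k == offsetof(struct seccomp_data, arch)) ? arch : nr;
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (acc == in->k) ? in->jt : in->jf;
            break;
        case BPF_RET | BPF_K:
            return in->k;
        default:
            return SECCOMP_RET_KILL_PROCESS; /* unsupported opcode: fail closed */
        }
    }
    return SECCOMP_RET_KILL_PROCESS;
}

/* Verdict the allowlist filter for nrs[] gives syscall nr on DEMO_ARCH. */
static uint32_t verdict(const int *nrs, size_t n, uint32_t nr)
{
    struct sock_filter buf[255 + 6];
    size_t len = build_allowlist_filter(nrs, n, buf, sizeof buf / sizeof buf[0]);
    return len ? eval_filter(buf, len, DEMO_ARCH, nr) : SECCOMP_RET_KILL_PROCESS;
}

static int install_filter(struct sock_filter *f, size_t len)
{
    struct sock_fprog prog = { .len = (unsigned short)len, .filter = f };
    /* no_new_privs is required by the kernel for unprivileged seccomp filters. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

int main(void)
{
    /* Constructed allowlist standing in for a statically extracted set. */
    static const int allowed[] = { SYS_write, SYS_exit, SYS_exit_group };
    static const char msg[] = "filter active; exec is not in the allowlist\n";
    struct sock_filter buf[64];
    size_t len = build_allowlist_filter(allowed, 3, buf, 64);
    if (!len || install_filter(buf, len) != 0) return 1;
    write(1, msg, sizeof msg - 1);
    /* execve is not in the set: the kernel kills the process with SIGSYS here. */
    execve("/bin/sh", (char *[]){ "sh", NULL }, (char *[]){ NULL });
    _exit(1);
}
```

The evaluator is the piece a practitioner wants before shipping such a filter: it answers "what does this program do for syscall N on this arch" without installing it, which matters because an allowlist that is one syscall short kills the application on first use rather than degrading gracefully.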
Original language | English |
---|---|
Title of host publication | CCSW'21 - Proceedings of the 2021 Cloud Computing Security Workshop |
Pages | 139-151 |
Number of pages | 13 |
Publication status | Published - 15 Nov 2021 |
Event | ACM Cloud Computing Security Workshop 2021 (at CCS 2021) - Virtual, Korea, Republic of |
Duration | 15 Nov 2021 → 15 Nov 2021 |
Workshop
Workshop | ACM Cloud Computing Security Workshop 2021 |
---|---|
Abbreviated title | CCSW '21 |
Country/Territory | Korea, Republic of |
City | Virtual |
Period | 15/11/21 → 15/11/21 |
Keywords
- automated syscall filtering
- linux
- seccomp
ASJC Scopus subject areas
- Computer Networks and Communications
Fingerprint
Title | Automating Seccomp Filter Generation for Linux Applications |
---|---|
Projects
- 3 Finished
- Leakage-Free - Hardware-Software Information Flow Analysis for Leakage-Free Code Generation (1/10/18 → 30/09/20). Project: Research project
- Espresso - Scalable hardware-secured authentication and personalization of intelligent sensor nodes (1/05/18 → 31/10/20). Project: Research project
Activities
- 1 Talk at conference or symposium
- Enter Sandbox. Claudio Alberto Canella (Speaker), Mario Werner (Speaker) & Michael Schwarz (Speaker), 6 May 2021. Activity: Talk or presentation › Talk at conference or symposium › Science to science
Prizes
- CCSW 2021 - Best Paper Award. Canella, Claudio Alberto (Recipient), Werner, Mario (Recipient), Gruss, Daniel (Recipient) & Schwarz, Michael (Recipient), 15 Nov 2021. Prize: Prizes / Medals / Awards