Exploring automated system call sandbox policy generation
Investigating and comparing static and dynamic analysis approaches to generate system call policies
Abstract
System call sandboxing is the idea of restricting the set of system calls an application is able to invoke.
This reduces the attack surface available to an attacker exploiting the binary, and adheres to the principle of least privilege, giving entities the minimum required permissions needed to perform their function.
The key goal is to automatically identify which system calls to block, since it is a complex, manual task requiring great insight into the program and its dependencies.
This paper investigates and compares various static analysis based solutions in this field, such as sysfilter [3], Confine [5] and Chestnut [2], by measuring their accuracy and analysis time. Furthermore, a simple dynamic analysis based solution is created for the sake of comparison with the previously mentioned tools. The tools are evaluated on a small set of commonly used Linux applications, such as ls, sqlite and Redis, and the results are reported.
In addition to the aforementioned tools, temporal specialization [6], a solution which considers multiple execution phases, is also investigated and compared with a purely dynamic analysis solution having support for multiple phases of execution.
The research shows that although dynamic analysis underapproximates the set of required system calls, it can adapt to a custom usage profile.
Additionally, although static analysis is slower and more complex, the research explores areas of improvement such as precomputation and multithreading.
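As an added illustration (not code from the paper or the tools it evaluates), the following Python builds a system call allowlist from constructed strace-style traces, reports which calls a static-analysis set admits that the traces never exercised (the underapproximation described above), and emits a deny-by-default seccomp profile; the trace lines, STATIC_SET and the use of Docker's seccomp JSON shape are assumptions.

```python
import json
import re

# Constructed strace-style lines (not output from the paper's experiments).
TRACE_RUN_1 = """\
execve("/bin/ls", ["ls"], 0x7ffd...) = 0
openat(AT_FDCWD, ".", O_RDONLY|O_DIRECTORY) = 3
getdents64(3, 0x55e3..., 32768) = 96
write(1, "a.txt\\n", 6) = 6
close(3) = 0
exit_group(0) = ?
"""
TRACE_RUN_2 = """\
execve("/bin/ls", ["ls", "-l"], 0x7ffd...) = 0
openat(AT_FDCWD, ".", O_RDONLY|O_DIRECTORY) = 3
getdents64(3, 0x55e3..., 32768) = 96
lstat("a.txt", {st_mode=S_IFREG|0644, ...}) = 0
write(1, "-rw-r--r-- ...", 40) = 40
exit_group(0) = ?
"""
# Hypothetical static-analysis result for the same binary (assumed, not a real
# tool run): it also admits calls on paths the traces never exercised.
STATIC_SET = {"execve", "openat", "getdents64", "write", "close", "exit_group",
              "lstat", "ioctl", "mmap", "munmap", "fstat"}
SYSCALL_RE = re.compile(r"^([a-z_][a-z0-9_]*)\(")

def observed_syscalls(*traces: str) -> set[str]:
    """Dynamic analysis: union of syscall names seen across all traced runs."""
    seen = set()
    for trace in traces:
        for line in trace.splitlines():
            m = SYSCALL_RE.match(line)
            if m:
                seen.add(m.group(1))
    return seen

def underapproximation(dynamic: set[str], static: set[str]) -> set[str]:
    """Calls the static set admits but no trace hit: the ones a purely dynamic
    policy would wrongly block if a later run takes an untraced path."""
    return static - dynamic

def seccomp_profile(allow: set[str]) -> dict:
    """Deny-by-default profile in Docker's seccomp JSON shape: any call not in
    the allowlist fails with an errno (SCMP_ACT_ERRNO) instead of running."""
    return {"defaultAction": "SCMP_ACT_ERRNO",
            "syscalls": [{"names": sorted(allow), "action": "SCMP_ACT_ALLOW"}]}

if __name__ == "__main__":
    dyn = observed_syscalls(TRACE_RUN_1, TRACE_RUN_2)
    print("missed by dynamic analysis:", sorted(underapproximation(dyn, STATIC_SET)))
    print(json.dumps(seccomp_profile(dyn), indent=2))
```

Adding further traces (a different usage profile) grows the allowlist, while the static set stays fixed, which is the trade-off the abstract describes.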