Litcius/Paper detail

Automated policy synthesis for system call sandboxing

Shankara Pailoor, Xinyu Wang, Hovav Shacham, Işıl Dillig

2020Proceedings of the ACM on Programming Languages23 citationsDOIOpen Access PDF

Abstract

System call whitelisting is a powerful sandboxing approach that can significantly reduce the capabilities of an attacker if an application is compromised. Given a policy that specifies which system calls can be invoked with what arguments, a sandboxing framework terminates any execution that violates the policy. While this mechanism greatly reduces the attack surface of a system, manually constructing these policies is time-consuming and error-prone. As a result, many applications —including those that take untrusted user input— opt not to use a system call sandbox. Motivated by this problem, we propose a technique for automatically constructing system call whitelisting policies for a given application and policy DSL. Our method combines static code analysis and program synthesis to construct sound and precise policies that never erroneously terminate the application, while restricting the program’s system call usage as much as possible. We have implemented our approach in a tool called Abhayaand experimentally evaluate it 493 Linux and OpenBSD applications by automatically synthesizing Seccomp-bpfand Pledgepolicies. Our experimental results indicate that Abhayacan efficiently generate useful and precise sandboxes for real-world applications.

Topics & Concepts

Sandbox (software development)Computer scienceSystem callConstruct (python library)Attack surfaceOperating systemCode (set theory)Digital subscriber lineProgramming languageComputer networkSet (abstract data type)Advanced Malware Detection TechniquesSecurity and Verification in ComputingSoftware Testing and Debugging Techniques
Automated policy synthesis for system call sandboxing | Litcius