Abstract
System call whitelisting is a powerful sandboxing approach that can significantly reduce the capabilities of an attacker if an application is compromised. Given a policy that specifies which system calls can be invoked with what arguments, a sandboxing framework terminates any execution that violates the policy. While this mechanism greatly reduces the attack surface of a system, manually constructing these policies is time-consuming and error-prone. As a result, many applications —including those that take untrusted user input— opt not to use a system call sandbox.
Motivated by this problem, we propose a technique for automatically constructing system call whitelisting policies for a given application and policy DSL. Our method combines static code analysis and program synthesis to construct sound and precise policies that never erroneously terminate the application, while restricting the program's system call usage as much as possible. We have implemented our approach in a tool called Abhaya and experimentally evaluate it on 493 Linux and OpenBSD applications by automatically synthesizing Seccomp-bpf and Pledge policies. Our experimental results indicate that Abhaya can efficiently generate useful and precise sandboxes for real-world applications.
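To make the kind of policy the abstract describes concrete, here is a hand-written seccomp-bpf whitelist of the shape Abhaya synthesizes (calls allowed only with particular arguments, everything else killed). This is an added example, not code from the paper or the Abhaya tool; it assumes Linux on x86-64 with glibc headers, and the syscall set, the `run_filter` user-space interpreter and the helper names are my own choices.

```c
#include <stddef.h>
#include <string.h>
#include <fcntl.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#define SD(f) offsetof(struct seccomp_data, f)   /* field offset in seccomp_data */

/* Whitelist: read, write and exit_group allowed unconditionally; openat allowed
 * only with flags == O_RDONLY; any other call (or a foreign arch) kills the process. */
static struct sock_filter filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SD(arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SD(nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_read, 6, 0),       /* -> ALLOW */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_write, 5, 0),      /* -> ALLOW */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_exit_group, 4, 0), /* -> ALLOW */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_openat, 0, 2),     /* other nr -> KILL */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SD(args[2])),            /* low word of flags */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, O_RDONLY, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};
#define NINSN (sizeof filter / sizeof filter[0])

/* Interpreter for the three BPF forms used above (LD abs, JEQ imm, RET imm). */
__u32 run_filter(const struct seccomp_data *sd) {
    __u32 acc = 0;
    for (size_t pc = 0; pc < NINSN; pc++) {
        struct sock_filter in = filter[pc];
        if (BPF_CLASS(in.code) == BPF_RET) return in.k;
        if (BPF_CLASS(in.code) == BPF_LD) memcpy(&acc, (const char *)sd + in.k, sizeof acc);
        else pc += (acc == in.k) ? in.jt : in.jf;        /* BPF_JMP: jt/jf are relative */
    }
    return SECCOMP_RET_KILL_PROCESS;   /* fell off the end: fail closed */
}

/* 1 if the policy allows syscall nr with third argument a2 on x86-64 (checked in user space). */
int policy_allows(int nr, __u64 a2) {
    struct seccomp_data sd = { .nr = nr, .arch = AUDIT_ARCH_X86_64, .args[2] = a2 };
    return run_filter(&sd) == SECCOMP_RET_ALLOW;
}

/* Installs the policy in the calling process; it cannot be removed afterwards. */
int install_policy(void) {
    struct sock_fprog prog = { .len = NINSN, .filter = filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}
```

Call `install_policy()` as the last step before the sandboxed code runs, since every later call the program (or libc on its behalf) makes outside the list terminates the process.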
Automated policy synthesis for system call sandboxing