research-article
Open Access
Distinguished Paper

Automated policy synthesis for system call sandboxing

Published: 13 November 2020

Abstract

System call whitelisting is a powerful sandboxing approach that can significantly reduce the capabilities of an attacker if an application is compromised. Given a policy that specifies which system calls can be invoked with what arguments, a sandboxing framework terminates any execution that violates the policy. While this mechanism greatly reduces the attack surface of a system, manually constructing these policies is time-consuming and error-prone. As a result, many applications, including those that take untrusted user input, opt not to use a system call sandbox.

Motivated by this problem, we propose a technique for automatically constructing system call whitelisting policies for a given application and policy DSL. Our method combines static code analysis and program synthesis to construct sound and precise policies that never erroneously terminate the application, while restricting the program's system call usage as much as possible. We have implemented our approach in a tool called Abhaya and experimentally evaluate it on 493 Linux and OpenBSD applications by automatically synthesizing Seccomp-bpf and Pledge policies. Our experimental results indicate that Abhaya can efficiently generate useful and precise sandboxes for real-world applications.


Supplemental Material

Auxiliary Presentation Video

This is a video presentation of my talk for the paper Automated Policy Synthesis for System Call Sandboxes, published at OOPSLA 2020 research track. I will describe Abhaya, an end-to-end system which synthesizes system call whitelisting policies for applications.

