TY - GEN
T1 - SysPart
T2 - 30th ACM SIGSAC Conference on Computer and Communications Security, CCS 2023
AU - Rajagopalan, Vidya Lakshmi
AU - Kleftogiorgos, Konstantinos
AU - Göktaş, Enes
AU - Xu, Jun
AU - Portokalidis, Georgios
N1 - Publisher Copyright:
© 2023 Copyright held by the owner/author(s).
PY - 2023/11/15
Y1 - 2023/11/15
N2 - Restricting the system calls available to applications reduces the attack surface of the kernel and limits the functionality available to compromised applications. Recent approaches automatically identify the system calls required by programs to block unneeded ones. For servers, they even consider different phases of execution to tighten restrictions after initialization completes. However, they require access to the source code for applications and libraries, depend on users identifying when the server transitions from initialization to serving clients, or do not account for dynamically-loaded libraries. This paper introduces SysPart, an automatic system-call filtering system designed for binary-only server programs that addresses the above limitations. Using a novel algorithm that combines static and dynamic analysis, SysPart identifies the serving phases of all working threads of a server. Static analysis is used to compute the system calls required during the various serving phases in a sound manner, and dynamic observations are only used to complement static resolution of dynamically-loaded libraries when necessary. We evaluated SysPart using six popular servers on x86-64 Linux to demonstrate its effectiveness in automatically identifying serving phases, generating accurate system-call filters, and mitigating attacks. Our results show that SysPart outperforms prior binary-only approaches and performs comparably to source-code approaches.
KW - System-call filtering
KW - attack-surface reduction
KW - binary analysis
KW - exploit mitigation
KW - temporal
UR - http://www.scopus.com/inward/record.url?scp=85179847793&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85179847793&partnerID=8YFLogxK
U2 - 10.1145/3576915.3623207
DO - 10.1145/3576915.3623207
M3 - Conference contribution
AN - SCOPUS:85179847793
T3 - CCS 2023 - Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security
SP - 1979
EP - 1993
BT - CCS 2023 - Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security
Y2 - 26 November 2023 through 30 November 2023
ER -