Attack Surface Reduction Through System Call Filtering.
Record type:
Bibliographic - language material, manuscript : Monograph/item
Title/Author:
Attack Surface Reduction Through System Call Filtering./
Author:
Ghavamnia, Seyedhamed.
Extent:
1 online resource (116 pages)
Notes:
Source: Dissertations Abstracts International, Volume: 84-12, Section: B.
Contained By:
Dissertations Abstracts International, 84-12B.
Subject:
Computer science.
Electronic resource:
click for full text (PQDT)
ISBN:
9798379686093
Thesis (Ph.D.)--State University of New York at Stony Brook, 2023.
Includes bibliographical references
Attack surface reduction through the removal of unnecessary application features and code is a promising technique for improving security without incurring any additional overhead. Applying this technique to the OS kernel can reduce the risk of privilege escalation attacks. Given that user programs mainly leverage system calls to interact with the kernel, restricting access to some system calls can potentially prevent an attacker from exploiting a vulnerability in the kernel. In this thesis, we use static analysis to identify the system call requirements of applications and containers, and prevent them from accessing those which are deemed unnecessary by our analysis.

First, we create a generic toolchain which identifies the system call requirements of libraries and programs by performing a one-time static analysis on the libc library. Using this toolchain, and aiming to provide a practical solution for the protection of arbitrary containers, we present a generic approach for the automated generation of restrictive system call policies for Docker containers. Our system, named Confine, uses this analysis to inspect the containerized application and all its dependencies, identify the superset of system calls required for the correct operation of the container, and generate a corresponding Seccomp system call policy that can be readily enforced while loading the container.

Then, we present temporal system call filtering which further restricts server applications by considering their two main phases of execution, and differentiating between the system call requirements of these phases. We present novel static analysis techniques for improving the precision of extracting the application's call graph for each execution phase, which is then used to pinpoint the system calls used in each phase. We show that requirements change throughout the lifetime of servers, and many dangerous system calls (such as execve) can be disabled after the completion of the initialization phase.

Finally, we present Configuration-to-Code (C2C), a generic configuration-driven attack surface reduction technique that automatically maps configuration options to application code using static code analysis and instrumentation. C2C operates at a fine-grained level by pruning configuration-dependent conditional branches in the control flow graph, allowing the precise identification of a given configuration option's code at the basic block level. At runtime, C2C reduces the application's attack surface according to a given active configuration by filtering any system calls required exclusively by disabled features.

To show the security benefit of these techniques we extract the system calls through which each previously disclosed kernel vulnerability can be exploited. Using this mapping, we extract the total number of vulnerabilities which become inaccessible due to filtering unneeded system calls by our approaches.
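The allow-list policy and the phase split described in the abstract, as an added C illustration (this is not code from Confine, the temporal-filtering toolchain or C2C, none of which appears on this page): it turns a list of permitted syscall numbers into a seccomp-BPF program, checks what the kernel would decide for a given (arch, nr) pair with a small interpreter before installing anything, and installs a tighter list once the initialization phase is over. The two syscall lists are constructed for the example and stand in for what the thesis's static analysis would produce; the function names are the example's own.

```c
/* Phase-aware seccomp-BPF allow-list filter (added illustration, not the thesis's tooling).
 * Build on Linux x86_64 or aarch64:  cc -O2 -Wall phase_filter.c -o phase_filter */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
#define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define ARCH_NR AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* constant for this architecture"
#endif

#ifndef SECCOMP_RET_KILL_PROCESS            /* older UAPI headers only have KILL (thread) */
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL
#endif

#define DENY_ACTION     (SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA))
#define SIM_UNSUPPORTED 0xFFFFFFFFu
#define COUNT(a)        (sizeof(a) / sizeof((a)[0]))

/* Constructed allow-lists (assumption: a real list is the superset a Confine-style
 * analysis extracts and is far longer). Initialisation needs execve, e.g. to spawn
 * helpers; the serving phase does not, so execve is absent from the second list. */
static const int init_phase_syscalls[]    = { __NR_read, __NR_write, __NR_openat, __NR_execve, __NR_exit_group };
static const int serving_phase_syscalls[] = { __NR_read, __NR_write, __NR_openat, __NR_exit_group };

/* Emit classic BPF: verify the ABI, then allow only the listed syscall numbers and
 * fail every other one with EPERM. Returns the instruction count, 0 on bad input. */
static size_t build_allowlist_filter(const int *allowed, size_t n, struct sock_filter *out, size_t cap)
{
    if (n == 0 || n > 255 || cap < n + 6)      /* jump offsets are 8-bit */
        return 0;
    size_t pc = 0;
    /* Kill on a foreign ABI (e.g. 32-bit compat): nr only means what the list assumes for ARCH_NR. */
    out[pc++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    out[pc++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0);
    out[pc++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    out[pc++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    /* One compare per allowed number; a hit jumps forward to the final ALLOW. */
    for (size_t i = 0; i < n; i++)
        out[pc++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (uint32_t)allowed[i], (uint8_t)(n - i), 0);
    out[pc++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, DENY_ACTION);
    out[pc++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return pc;
}

/* Interpreter for the instruction subset emitted above: what the kernel decides for a
 * given arch/nr pair, without installing the policy. Unknown opcodes -> SIM_UNSUPPORTED. */
static uint32_t simulate(const struct sock_filter *prog, size_t n, uint32_t arch, int nr)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < n; pc++) {
        const struct sock_filter *in = &prog[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            if (in->k == offsetof(struct seccomp_data, arch))    acc = arch;
            else if (in->k == offsetof(struct seccomp_data, nr)) acc = (uint32_t)nr;
            else return SIM_UNSUPPORTED;
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (acc == in->k) ? in->jt : in->jf;    /* offsets are relative to the next instruction */
            break;
        case BPF_RET | BPF_K:
            return in->k;
        default:
            return SIM_UNSUPPORTED;
        }
    }
    return SIM_UNSUPPORTED;   /* fell off the end; the kernel rejects such a program at load time */
}

static uint32_t decide(const int *allowed, size_t n, uint32_t arch, int nr)
{
    struct sock_filter prog[64];
    size_t len = build_allowlist_filter(allowed, n, prog, COUNT(prog));
    return len ? simulate(prog, len, arch, nr) : SIM_UNSUPPORTED;
}
uint32_t decide_init_phase(int nr)    { return decide(init_phase_syscalls, COUNT(init_phase_syscalls), ARCH_NR, nr); }
uint32_t decide_serving_phase(int nr) { return decide(serving_phase_syscalls, COUNT(serving_phase_syscalls), ARCH_NR, nr); }
uint32_t decide_serving_phase_for_arch(uint32_t arch, int nr)
{
    return decide(serving_phase_syscalls, COUNT(serving_phase_syscalls), arch, nr);
}

/* Install the list in the calling process. Filters stack: installing the serving-phase
 * list after initialisation only tightens the policy, nothing denied becomes allowed. */
static int install_allowlist_filter(const int *allowed, size_t n)
{
    struct sock_filter prog[64];
    size_t len = build_allowlist_filter(allowed, n, prog, COUNT(prog));
    if (!len) { errno = EINVAL; return -1; }
    struct sock_fprog fprog = { .len = (unsigned short)len, .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0)     /* required for an unprivileged install */
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

int main(void)
{
    static const char banner[] = "init phase done, tightening policy\n";
    if (install_allowlist_filter(init_phase_syscalls, COUNT(init_phase_syscalls)) < 0)
        return 1;
    /* ... initialisation work (execve still permitted) would run here ... */
    write(STDOUT_FILENO, banner, sizeof banner - 1);
    if (install_allowlist_filter(serving_phase_syscalls, COUNT(serving_phase_syscalls)) < 0)
        return 1;
    /* Serving phase: hijacked control flow can no longer spawn a shell. */
    char *const argv[] = { "/bin/true", NULL };
    execve("/bin/true", argv, NULL);                    /* denied by the second filter */
    const char *msg = (errno == EPERM) ? "execve blocked: EPERM\n" : "execve not blocked?\n";
    write(STDOUT_FILENO, msg, strlen(msg));
    _exit(0);
}
```

Two practitioner notes. The deny action here is SECCOMP_RET_ERRNO rather than KILL so a blocked call surfaces as an EPERM the server can log, which is how a policy is debugged against a real workload before the stricter action is chosen; and the filter looks only at the syscall number, so an allowed syscall such as openat is still usable with any arguments. For Docker, the container-level equivalent of build_allowlist_filter's output is a seccomp JSON profile passed with --security-opt seccomp=profile.json; the phase split cannot be expressed in that profile and has to be installed by the process itself, as main does above.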
Electronic reproduction.
Ann Arbor, Mich. :
ProQuest,
2024
Mode of access: World Wide Web
Subjects--Topical Terms:
Computer science.
Subjects--Index Terms:
Attack surface reduction
Index Terms--Genre/Form:
Electronic books.
LDR
:04300ntm a22003977 4500
001
1144268
005
20240531083815.5
006
m o d
007
cr mn ---uuuuu
008
250605s2023 xx obm 000 0 eng d
020
$a
9798379686093
035
$a
(MiAaPQ)AAI30493895
035
$a
AAI30493895
040
$a
MiAaPQ
$b
eng
$c
MiAaPQ
$d
NTU
100
1
$a
Ghavamnia, Seyedhamed.
$3
1469239
245
1 0
$a
Attack Surface Reduction Through System Call Filtering.
264
0
$c
2023
300
$a
1 online resource (116 pages)
336
$a
text
$b
txt
$2
rdacontent
337
$a
computer
$b
c
$2
rdamedia
338
$a
online resource
$b
cr
$2
rdacarrier
500
$a
Source: Dissertations Abstracts International, Volume: 84-12, Section: B.
500
$a
Advisor: Polychronakis, Michalis.
502
$a
Thesis (Ph.D.)--State University of New York at Stony Brook, 2023.
504
$a
Includes bibliographical references
533
$a
Electronic reproduction.
$b
Ann Arbor, Mich. :
$c
ProQuest,
$d
2024
538
$a
Mode of access: World Wide Web
650
4
$a
Computer science.
$3
573171
650
4
$a
Statistics.
$3
556824
650
4
$a
Information technology.
$3
559429
653
$a
Attack surface reduction
653
$a
Software security
653
$a
System security
653
$a
OS kernel
653
$a
C2C
655
7
$a
Electronic books.
$2
local
$3
554714
690
$a
0984
690
$a
0489
690
$a
0463
710
2
$a
ProQuest Information and Learning Co.
$3
1178819
710
2
$a
State University of New York at Stony Brook.
$b
Computer Science.
$3
1180378
773
0
$t
Dissertations Abstracts International
$g
84-12B.
856
4 0
$u
http://pqdd.sinica.edu.tw/twdaoapp/servlet/advanced?query=30493895
$z
click for full text (PQDT)