Free Willy: Prune System Calls to Enhance Software Security
Many privilege escalation exploits on Linux abuse vulnerable system calls to threaten the system’s security. Therefore, various static- and dynamic-analysis-based seccomp policy generation frameworks have emerged. Yet, they either focus on a subset of the available binaries or are constrained by the inherent properties of dynamic, testing-based analysis, which are prone to false negatives. In this paper, we present Jesse, a static-analysis-based framework for generating seccomp policies for ELF binaries. We design and implement an abstract-interpretation-based constant propagation that helps the analyst identify vital system calls for arbitrary, non-obfuscated binaries. Using the extracted results, Jesse allows producing effective seccomp policies, reducing the system’s attack vector. To assess Jesse’s effectiveness and accuracy, we have applied our system to over 1,000 ELF binaries for Debian 10, and show that—contrary to existing solutions—Jesse produces accurate and safely approximated results, without relying on any properties of the target binaries. In addition, we conduct a case study in which we combine Jesse’s constant propagation strategy with container debloating techniques to produce seccomp policies that restrict up to five times more system calls than Docker’s default seccomp policy on average.
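The abstract names the core mechanism: propagate constants through a binary to learn which system call number reaches each `syscall` instruction, then allow only those calls. The following is an added example, not the paper's Jesse implementation, showing a minimal form of that idea in Python: a linear sweep over a constructed straight-line x86-64 byte sequence (a hand-picked subset of encodings, register operands only, no branches), compared against a naive "mov eax, imm32; syscall" pattern match, and emitting a deny-by-default seccomp profile in Docker's JSON profile format. The syscall numbers are those of the x86-64 Linux ABI; the sample bytes, the decoder's supported subset and the profile layout are assumptions made for illustration.

```python
"""Recovering syscall numbers from x86-64 code by forward constant propagation,
then emitting a seccomp allowlist in Docker's profile format.
Added example; not the paper's Jesse implementation."""
import json
import struct

# Subset of the x86-64 Linux syscall table (numbers from the x86-64 ABI).
SYSCALL_NAMES = {
    0: "read", 1: "write", 2: "open", 3: "close", 9: "mmap", 10: "mprotect",
    41: "socket", 56: "clone", 57: "fork", 59: "execve", 60: "exit",
    62: "kill", 101: "ptrace", 231: "exit_group", 257: "openat",
}

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
UNKNOWN = None  # lattice top: the register holds no known constant


def _modrm(b):
    return b >> 6, (b >> 3) & 7, b & 7


def naive_scan(code):
    """Baseline: only 'mov eax, imm32' directly followed by 'syscall'."""
    found = set()
    for i in range(len(code) - 6):
        if code[i] == 0xB8 and code[i + 5:i + 7] == b"\x0f\x05":
            found.add(struct.unpack_from("<I", code, i + 1)[0])
    return found


def propagate(code):
    """Linear sweep with a constant map per register. Assumption: straight-line
    code, no REX.R/REX.B, register operands only (a toy subset of x86-64).
    Returns (resolved syscall numbers, count of unresolved syscall sites)."""
    regs = {r: UNKNOWN for r in REGS}
    resolved, unresolved = set(), 0
    i = 0
    while i < len(code):
        op, rex_w = code[i], False
        if op == 0x48:                      # REX.W prefix: 64-bit operand size
            rex_w, i, op = True, i + 1, code[i + 1]
        if 0xB8 <= op <= 0xBF:              # mov r32, imm32
            regs[REGS[op - 0xB8]] = struct.unpack_from("<I", code, i + 1)[0]
            i += 5
        elif op == 0xC7 and rex_w:          # mov r64, simm32 (C7 /0)
            mod, reg, rm = _modrm(code[i + 1])
            if mod != 3 or reg != 0:
                raise ValueError(f"unsupported C7 form at offset {i}")
            regs[REGS[rm]] = struct.unpack_from("<i", code, i + 2)[0]
            i += 6
        elif op == 0x31:                    # xor r/m32, r32; xor reg,reg zeroes reg
            mod, reg, rm = _modrm(code[i + 1])
            if mod != 3:
                raise ValueError(f"memory operand at offset {i}")
            regs[REGS[rm]] = 0 if reg == rm else UNKNOWN
            i += 2
        elif op == 0x89:                    # mov r/m32, r32: carry the constant along
            mod, reg, rm = _modrm(code[i + 1])
            if mod != 3:
                raise ValueError(f"memory operand at offset {i}")
            regs[REGS[rm]] = regs[REGS[reg]]
            i += 2
        elif op == 0xE8:                    # call rel32: callee may clobber any
            regs = {r: UNKNOWN for r in REGS}   # register, so drop every constant
            i += 5
        elif op == 0x0F and code[i + 1] == 0x05:   # syscall: number is in eax
            if regs["eax"] is UNKNOWN:
                unresolved += 1             # safe approximation: flag, never guess
            else:
                resolved.add(regs["eax"])
            i += 2
        elif op in (0x90, 0xC3):            # nop / ret
            i += 1
        else:
            raise ValueError(f"unsupported opcode 0x{op:02x} at offset {i}")
    return resolved, unresolved


def seccomp_profile(numbers, unresolved):
    """Docker-style seccomp profile: deny everything, allow the recovered set."""
    names = sorted(SYSCALL_NAMES.get(n, f"syscall_{n}") for n in numbers)
    entry = {"names": names, "action": "SCMP_ACT_ALLOW", "args": []}
    if unresolved:
        entry["comment"] = f"{unresolved} syscall site(s) unresolved: review before use"
    return {"defaultAction": "SCMP_ACT_ERRNO",
            "architectures": ["SCMP_ARCH_X86_64"],
            "syscalls": [entry]}


# Constructed straight-line code for this example (not from any real binary).
SAMPLE = bytes.fromhex(
    "b801000000" "0f05"          # mov eax, 1      ; syscall -> write
    "31c0" "0f05"                # xor eax, eax    ; syscall -> read
    "bb3c000000" "89d8" "0f05"   # mov ebx, 60 ; mov eax, ebx ; syscall -> exit
    "48c7c0e7000000" "0f05"      # mov rax, 231    ; syscall -> exit_group
    "e800000000" "0f05"          # call +0 ; syscall -> number not a constant here
    "c3"                         # ret
)

if __name__ == "__main__":
    print("naive scan:", naive_scan(SAMPLE))
    nums, pending = propagate(SAMPLE)
    print(json.dumps(seccomp_profile(nums, pending), indent=2))
```

On the sample, the naive pattern match recovers only `write`, because the other numbers reach `eax` via `xor`, via a copy from `ebx`, or via a 64-bit `mov rax`; the propagation recovers all four. The site after the `call` is reported as unresolved rather than guessed, which is what "safely approximated" has to mean in practice: a real policy generator must treat such sites conservatively (widen the allowlist or hand-review them) instead of silently dropping them, since a missing syscall in a `SCMP_ACT_ERRNO` profile breaks the program at runtime.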
ACM/SIGAPP Symposium on Applied Computing (SAC)
Authors: Charlie Groh, Sergej Proskurin, and Apostolis Zarras
Year/month: 2023/3
Booktitle: ACM/SIGAPP Symposium on Applied Computing (SAC)
Bibtex:
@inproceedings{
  author    = {Charlie Groh and Sergej Proskurin and Apostolis Zarras},
  title     = {Free Willy: Prune System Calls to Enhance Software Security},
  year      = {2023},
  month     = {March},
  booktitle = {ACM/SIGAPP Symposium on Applied Computing (SAC)},
}