Presented at
Black Hat Asia 2021 Virtual,
May 6, 2021, 2:20 p.m.
(40 minutes).
<div><span>Applications are growing ever more complex, leading to an increase in exploitable vulnerabilities. One efficient method for mitigating potential attacks is the use of application sandboxing. The idea behind sandboxing is to constrain software within a tightly controlled environment. Linux provides seccomp filtering to restrict the system calls an application can execute. However, it requires an application developer to extract the system calls from the application manually, and to set up the resulting filters correctly.</span></div><div><span><br><br></span></div><div><span>We investigate the challenges of automatically generating seccomp filters for an application. Based on this evaluation, we propose a new approach for automatically generating seccomp filters for Linux applications on both x86_64 and ARMv8. This new approach consists of two phases with a total of three distinct components, i.e., a static analysis phase with two components and an optional refinement phase with one component. We implement our approach as a compiler extension and a standalone tool. The compiler extension performs static code analysis to identify the system calls an application uses. The standalone tool can be applied to already existing binaries to allow sandboxing without having access to the source code. A dynamic refinement tool can be used during development to either identify system calls that were missed by the static component used in phase one or to further reduce the number of allowed system calls. In general, all three components can be combined to alleviate the potential shortcomings of an individual component. We show the effectiveness of our new approach in preventing real-world exploits with only minimal overhead.</span></div>
Presenters:
-
Claudio Canella
- PhD Candidate, Graz University of Technology
Claudio Canella is an InfoSec PhD candidate at Graz University of Technology. His research focuses on microarchitectural side-channel attacks and system security. He has presented his research at conferences like Black Hat Asia 2019 and 2020, 35th Chaos Communication Congress, Usenix Security 2019, and AsiaCCS 2020.
-
Mario Werner
- Postdoctoral Researcher, Graz University of Technology
Mario Werner is currently a hardware design engineer at NXP Semiconductors and works on the hardening and implementation of security IPs. Before that, he worked as a security researcher in the Secure Systems (SESYS) group of IAIK at Graz University of Technology. Mario's main research topics are modifications and extensions of processors that protect general-purpose computing architectures in strong physical attack scenarios (e.g., fault and side-channel attacks). To ease the adoption of the developed countermeasures and techniques, additionally, software support in the form of toolchain integration (e.g., LLVM) plays a major role in his research activities. Mario received his PhD degree in computer science and MSc degree in computer engineering from Graz University of Technology in 2014 and 2020, respectively.
-
Michael Schwarz
- Faculty, Helmholtz Center for Information Security (CISPA)
Michael Schwarz is Faculty at the CISPA Helmholtz Center for Information Security in Saarbruecken, Germany, with a focus on microarchitectural side-channel attacks and system security. He obtained his PhD with the title "Software-based Side-Channel Attacks and Defenses in Restricted Environments" in 2019 from Graz University of Technology. He holds two master's degrees, one in computer science and one in software engineering with a strong focus on security. He is a regular speaker at both academic and hacker conferences (7 times Black Hat, CCC, Blue Hat, etc.). He was part of one of the research teams that found the Meltdown, Spectre, Fallout, LVI, and PLATYPUS vulnerabilities, as well as the ZombieLoad vulnerability. He was also part of the KAISER patch, the basis for Meltdown countermeasures now deployed in every modern operating system under names such as KPTI or KVA Shadow.
Links:
Similar Presentations: