Over the years, applications increased in size and complexity, and with that also the number of vulnerabilities. Both industry and academia have proposed countermeasures to harden applications against potential attacks. For instance, control-flow integrity (CFI) tries to limit control-flow transfers within an application to transfers that are possible based on the program source code. Unfortunately, such countermeasures only work within one security domain, e.g., only on the userspace level. Once they are circumvented, an attacker can arbitrarily interact with other domains, such as the kernel.
This talk presents our concept of syscall-flow-integrity protection (SFIP), limiting the control flow across security domains, i.e., user-to-kernel transfers. By design, it is fully compatible with CFI and enhances the system's security in case that CFI is circumvented. SFIP relies on three pillars: syscall sequences that model the control flow of the application, syscall origins that map syscalls to the locations at which they can be invoked, and efficient enforcement of the information by the operating system. We identify 3 challenges in the extraction of the syscall sequences and origins, e.g., a non-bijective mapping between syscalls and syscall locations. We demonstrate a proof-of-concept implementation, called SysFlow, that solves these challenges and allows for automated syscall-flow-integrity protection of large-scale real-world applications with a runtime overhead of only 1.8%. To demonstrate that SFIP is a viable approach to reduce the attack surface of applications, we discuss how it increases the complexity of control-flow-hijacking and mimicry attacks and demonstrate how it can mitigate a real-world attack. Finally, we analyze syscall sequences and origins of several real-world applications, effectively demonstrating an attack surface reduction of 90.9% compared to no protection being applied.