Protecting against unexpected system calls

C. M. Linn, M. Rajagopalan, S. Baker, C. Collberg, S. K. Debray, J. H. Hartman

Research output: Contribution to conferencePaperpeer-review

32 Scopus citations

Abstract

This paper proposes a comprehensive set of techniques which limit the scope of remote code injection attacks. These techniques prevent any injected code from making system calls and thus restrict the capabilities of an attacker. In defending against the traditional ways of harming a system these techniques significantly raise the bar for compromising the host system forcing the attack code to take extraordinary steps that may be impractical in the context of a remote code injection attack. There are two main aspects to our approach. The first is to embed semantic information into executables identifying the locations of legitimate system call instructions; system calls from other locations are treated as intrusions. The modifications we propose are transparent to user level processes that do not wish to use them (so that, for example, it is still possible to run unmodified third-party software), and add more security at minimal cost for those binaries that have the special information present. The second is to back this up using a variety of techniques, including a novel approach to encoding system call traps into the OS kernel, in order to deter mimicry attacks. Experiments indicate that our approach is effective against a wide variety of code injection attacks.

Original languageEnglish (US)
Pages239-254
Number of pages16
StatePublished - Jan 1 2005
Event14th USENIX Security Symposium - Baltimore, United States
Duration: Jul 31 2005Aug 5 2005

Conference

Conference14th USENIX Security Symposium
CountryUnited States
CityBaltimore
Period7/31/058/5/05

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Information Systems
  • Safety, Risk, Reliability and Quality

Fingerprint Dive into the research topics of 'Protecting against unexpected system calls'. Together they form a unique fingerprint.

Cite this