Title: SysXCHG: Refining Privilege with Adaptive System Call Filters
We present the design, implementation, and evaluation of SysXCHG: a system call (syscall) filtering enforcement mechanism that enables programs to run in accordance with the principle of least privilege. In contrast to the current, hierarchical design of seccomp-BPF, which does not allow a program to run with a different set of allowed syscalls than its descendants, SysXCHG enables applications to run with "tight" syscall filters, uninfluenced by any future-executed (sub-)programs, by allowing filters to be dynamically exchanged at runtime during execve[at]. As a part of SysXCHG, we also present xfilter: a mechanism for fast filtering using a process-specific view of the kernel's syscall table where filtering is performed. In our evaluation of SysXCHG, we found that our filter exchanging design is performant, incurring ≤ 1.71% slowdown on real-world programs in the PaSH benchmark suite, as well as effective, blocking vast amounts of extraneous functionality, including security-critical syscalls, which the current design of seccomp-BPF is unable to.
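The contrast the abstract draws, hierarchical seccomp-BPF filters versus filters exchanged at execve, can be modelled with sets. The following is an added illustration, not code from the SysXCHG paper or its implementation; the program names, exec relationships and per-program syscall sets are constructed assumptions, not measured data.

```python
# Added model (not from the SysXCHG paper or its code): how the set of allowed
# syscalls composes under hierarchical seccomp-BPF versus a filter exchanged at
# execve. Program names and syscall sets are constructed for the demonstration.

# Syscalls each program genuinely needs (constructed, not measured).
NEEDED = {
    "sh":   {"read", "write", "fork", "execve", "wait4", "exit_group"},
    "grep": {"read", "write", "mmap", "exit_group"},
    "sort": {"read", "write", "mmap", "openat", "unlink", "exit_group"},
}

# Exec tree: sh later runs grep and sort via execve (constructed).
CHILDREN = {"sh": ["grep", "sort"], "grep": [], "sort": []}


def descendants(prog):
    """All programs reachable from prog through execve, excluding prog itself."""
    out = set()
    for child in CHILDREN[prog]:
        out.add(child)
        out |= descendants(child)
    return out


def seccomp_filter(prog):
    """Hierarchical seccomp-BPF: a descendant can only restrict the filter it
    inherits, never widen it, so the filter installed for prog must already
    allow everything any future-executed descendant will need."""
    allowed = set(NEEDED[prog])
    for d in descendants(prog):
        allowed |= NEEDED[d]
    return allowed


def exchanged_filter(prog):
    """Filter exchanged at execve: prog runs under its own tight filter,
    unaffected by what it will exec later."""
    return set(NEEDED[prog])


def extraneous(prog):
    """Syscalls the hierarchical design must leave allowed for prog even
    though prog itself never uses them (attack surface a tight filter removes)."""
    return seccomp_filter(prog) - exchanged_filter(prog)


if __name__ == "__main__":
    for p in NEEDED:
        print(f"{p:5} hierarchical={sorted(seccomp_filter(p))}")
        print(f"{'':5} extraneous  ={sorted(extraneous(p))}")
```

In this constructed tree the shell must keep unlink, openat and mmap allowed only because sort and grep need them later; leaf programs carry no extraneous syscalls under either design.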
Award ID(s): 2238467
PAR ID: 10505379
Publisher / Repository: ACM
Journal Name: Proceedings of the ACM Conference on Computer and Communications Security
ISSN: 1543-7221
ISBN: 9798400700507
Page Range / eLocation ID: 1964 to 1978
Subject(s) / Keyword(s): Attack surface reduction, system call filtering, adaptive filtering
Location: Copenhagen, Denmark
Sponsoring Org: National Science Foundation
More Like this
  1. As control-flow protection techniques are widely deployed, it is difficult for attackers to modify control data, like function pointers, to hijack program control flow. Instead, data-only attacks corrupt security-critical non-control data (critical data), and can bypass all control-flow protections to revive severe attacks. Previous works have explored various methods to help construct or prevent data-only attacks. However, no solution can automatically detect program-specific critical data. In this paper, we identify an important category of critical data, syscall-guard variables, and propose a set of solutions to automatically detect such variables in a scalable manner. Syscall-guard variables determine whether to invoke security-related system calls (syscalls), and altering them will allow attackers to request extra privileges from the operating system. We propose branch force, which intentionally flips every conditional branch during the execution and checks whether new security-related syscalls are invoked. If so, we conduct data-flow analysis to estimate the feasibility of flipping such branches through common memory errors. We build a tool, VIPER, to implement our ideas. VIPER successfully detects 34 previously unknown syscall-guard variables from 13 programs. We build four new data-only attacks on sqlite and v8, which execute an arbitrary command or delete an arbitrary file. VIPER completes its analysis within five minutes for most programs, showing its practicality for spotting syscall-guard variables.
  2. The OS kernel is at the forefront of a system's security. Therefore, its own security is crucial for the correctness and integrity of user applications. With a plethora of bugs continuously discovered in OS kernel code, defenses and mitigations are essential for practical kernel security. One important defense strategy is to isolate user-controlled memory from kernel-accessible memory, in order to mitigate attacks like ret2usr and ret2dir. We present EPF (Evil Packet Filter): a new method for bypassing various (both deployed and proposed) kernel isolation techniques by abusing the BPF infrastructure of the Linux kernel: i.e., by leveraging BPF code, provided by unprivileged users/programs, as attack payloads. We demonstrate two different EPF instances, namely BPF-Reuse and BPF-ROP, which utilize malicious BPF payloads to mount privilege escalation attacks on both 32- and 64-bit x86 platforms. We also present the design, implementation, and evaluation of a set of defenses to enforce the isolation between BPF instructions and benign kernel data, and the integrity of BPF program execution, effectively providing protection against EPF-based attacks. Our implemented defenses show minimal overhead (<3%) in BPF-heavy tasks.
  3. The design of mixed-technology quasi-reflectionless planar bandpass filters (BPFs), bandstop filters (BSFs), and multi-band filters is reported. The proposed quasi-reflectionless filter architectures comprise a main filtering section that determines the power transmission response (bandpass, bandstop, or multi-band type) of the overall circuit network and auxiliary sections that absorb the reflected radio-frequency (RF) signal energy. By loading the input and output ports of the main filtering section with auxiliary filtering sections that exhibit a complementary transfer function with regard to the main one, a symmetric quasi-reflectionless behavior can be obtained at both accesses of the overall filter. The operating principles of the proposed filter concept are shown through synthesized first-order BPF and BSF designs. Selectivity-increase techniques are also described. They are based on: (i) cascading in-series multiple first-order stages and (ii) increasing the order of the filtering sections. Moreover, the RF design of quasi-reflectionless multi-band BPFs and BSFs is discussed. A hybrid integration scheme in which microstrip-type and lumped elements are effectively combined within the filter volume is investigated for size miniaturization purposes. For experimental validation purposes, two quasi-reflectionless BPF prototypes (one- and two-stage architectures) centered at 2 GHz and a second-order BSF prototype centered at 1 GHz were designed, manufactured, and measured.
  4. A coupling-matrix approach for the theoretical design of a type of input-reflectionless RF/microwave bandpass filters (BPFs) and bandstop filters (BSFs) is presented. They are based on diplexer architectures with arbitrary-order bandpass and bandstop filtering channels that feature complementary transfer functions. The transmission behavior of these reflectionless filters is defined by the channel that is not loaded at its output, whereas the input-signal energy that is not transmitted by this branch is completely dissipated by the loading resistor of the other channel. Analytical formulas for the coupling coefficients for the first-to-fourth-order filter designs are provided and validated through several synthesis examples. This theoretical design methodology, along with an optimization step, is also exploited to design input-quasi-reflectionless quasi-elliptic-type BPFs with a transmission-zero (TZ) generation cell in their bandpass filtering channel. In addition, the application of the proposed input-reflectionless BPF and BSF networks to input-quasi-reflectionless multiplexer design is approached. It is shown that a single resistively terminated multi-band BSF branch can absorb the input-signal energy not transmitted by the multiplexer channels in their common stopband regions to achieve quasi-reflectionless characteristics at its input. Moreover, experimental microstrip prototypes consisting of 2-GHz third-order BPF and BSF circuits, a 2-GHz sharp-rejection third-order BPF with two close-to-passband TZs, and a second-order diplexer device with channels centered at 1.75 and 2.1 GHz are developed and measured.
  5. Kernel use-after-free (UAF) bugs are severe threats to system security due to their complex root causes and high exploitability. We find that 36.1% of recent kernel UAF bugs are caused by improper uses of reference counters, dubbed refcount-related UAF bugs. Current kernel fuzzing tools based on code coverage can detect common memory errors, but none of them is aware of the root cause. As a consequence, they only trigger refcount-related UAF bugs passively and coincidentally, and may miss many deeply hidden vulnerabilities. To actively trigger refcount-related UAF bugs, in this paper, we propose CountDown, a novel refcount-guided kernel fuzzer. CountDown collects diverse refcount operations from kernel executions and reshapes syscall relations based on commonly accessed refcounts. When generating user-space programs, CountDown prefers to combine syscalls that have ever accessed the same refcounts, aiming to trigger complex refcount behaviors. It also injects refcount-decreasing and refcount-accessing syscalls to intentionally free the refcounted object and trigger invalid accesses through dangling pointers. We test CountDown on mainstream Linux kernels and compare it with popular fuzzers. On average, our tool can detect 66.1% more UAF bugs and 32.9% more KASAN reports than state-of-the-art tools. CountDown has found nine new kernel memory bugs, of which two are fixed and one is confirmed.