Title :
Authenticated system calls
Author :
Rajagopalan, Mohan ; Hiltunen, Matti ; Jim, Trevor ; Schlichting, Richard
Author_Institution :
Dept. of Comput. Sci., Arizona Univ., Tucson, AZ, USA
fDate :
28 June-1 July 2005
Abstract :
System call monitoring is a technique for detecting and controlling compromised applications by checking at runtime that each system call conforms to a policy that specifies the program´s normal behavior. A new approach to system call monitoring based on authenticated system calls is introduced. An authenticated system call is a system call augmented with extra arguments that specify the policy for that call and a cryptographic message authentication code (MAC) that guarantees the integrity of the policy and the system call arguments. This extra information is used by the kernel to verify the system call. The version of the application in which regular system calls have been replaced by authenticated calls is generated automatically by an installer program that reads the application binary, uses static analysis to generate policies, and then rewrites the binary with the authenticated calls. This paper presents the approach, describes a prototype implementation based on Linux and the PLTO binary rewriting system, and gives experimental results suggesting that the approach is effective in protecting against compromised applications at modest cost.
Keywords :
Linux; cryptography; data integrity; formal verification; message authentication; program compilers; program diagnostics; rewriting systems; Linux; binary rewriting system; cryptographic message authentication code; data integrity; static analysis; system call argument; system call authentication; system call monitor; system call verification; Application software; Computer science; Computerized monitoring; Control systems; Costs; Cryptography; Kernel; Message authentication; Protection; Prototypes; Intrusion tolerance; compiler techniques; operating systems; sandboxing; security policy;
Conference_Titel :
Dependable Systems and Networks, 2005. DSN 2005. Proceedings. International Conference on
Print_ISBN :
0-7695-2282-3
DOI :
10.1109/DSN.2005.23