Fine-grained user-space security through virtualization

Proceedings of the 2011 ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments, VEE 2011

Volumn , Issue , 2011, Pages 157-168

  Payer, Mathias ^a   Gross, Thomas R ^a  

^a ETH ZURICH   (Switzerland)

Author keywords

Dynamic binary translation; Dynamic instrumentation; Optimization; Policy based system call authorization; Process sandboxing; Security; User space software virtualization; Virtualization

Indexed keywords

DYNAMIC BINARY TRANSLATION; DYNAMIC INSTRUMENTATION; POLICY-BASED SYSTEM CALL AUTHORIZATION; PROCESS SANDBOXING; SECURITY; USER-SPACE SOFTWARE VIRTUALIZATION; VIRTUALIZATIONS;

INSTRUMENTS; OPTIMIZATION;

INTRUSION DETECTION;

EID: 79953214068     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1952682.1952703     Document Type: Conference Paper

References (42)

1. ACHARYA, A., AND RAJE, M. MAPbox: using parameterized behavior classes to confine untrusted applications. In SSYM'OO: Proceedings of the 9th conference on USENLX Security Symposium (2000).
2. ALEXANDROV, A., KMIEC, P., AND SCHAUSER, K. Consh: Confined execution environment for internet computations, 1999.
3. BARATLOO, A., SINGH, N., AND TSAI, T. Transparent run-time defense against stack smashing attacks. In ATEC '00: Proceedings of the annual conference on USENLX Annual Technical Conference (2000).
4. BARHAM, P., DRAGOVIC, B., FRASER, K., HAND, S., HARRIS, T., HO, A., NEUGEBAUER, R., PRATT, I., AND WARFIELD, A. Xen and the art of virtualization. In SOSP '03 (New York, NY, USA, 2003), pp. 164-177.
5. BAUER, M. Paranoid penguin: an introduction to novell apparmor. Linux J 2006, 148(2006), 13.
6. BELLARD, F. QEMU, a fast and portable dynamic translator. In ATEC 05 (Berkeley, CA, USA, 2005), pp. 41-41.
7. BHATKAR, E., DUVARNEY, D. C, AND SEKAR, R. Address obfuscation: an efficient approach to combat a broad range of memory er ror exploits. In Proceedings of the 12th USENIX Security Symposium (2003), pp. 105-120.
8. BHATKAR, S., BHATKAR, E., SEKAR, R., AND DUVARNEY, D. C. Efficient techniques for comprehensive protection from memory error exploits. In Proceedings of the 14th USENIX Security Symposium (2005).
9. BRUENING, D., DUESTERWALD, E., AND AMARASINGHE, S. Design and implementation of a dynamic optimization framework for Windows. In ACM Workshop Feedback-directed Dyn. Opt. (FDDO-4) (2001).
10. BRUENING, D., GARNETT, T., AND AMARASINGHE, S. An infrastructure for adaptive dynamic optimization. In CGO '03 (Washington, DC, USA, 2003), pp. 265-275.
11. BUGNION, E. Dynamic binary translator with a system and method for updating and maintaining coherency of a translation cache. US Patent 6704925, March 2004.
12. COWAN, C., BARRINGER, M., BEATTIE, S., KROAH-HARTMAN, G., FRANTZEN, M., AND LOKIER, J. Formatguard: automatic protection from printf format string vulnerabilities. In SSYM'01: Proceedings of the 10th conference on USENLX Security Symposium (2001).
13. COWAN, C., BEATTIE, S., KROAH-HARTMAN, G., PU, C., WAGLE, P., AND GLIGOR, V. Subdomain: Parsimonious server security. In LISA '00: Proceedings of the 14th USENIX conference on System administration (2000).
14. COWAN, C., PU, C., MAIER, D., HINTONY, H., WALPOLE, J., BAKKE, P., BEATTIE, S., GRIER, A., WAGLE, P., AND ZHANG, Q. Stackguard: automatic adaptive detection and prevention of bufferoverflow attacks. In SSYM'98: Proceedings of the 7th conference on USENIX Security Symposium (1998).
15. DEVINE, S. W., BUGNION, E., AND ROSENBLUM, M. Virtualization system including a virtual machine monitor for a computer with a segmented architecture. US Patent 6397242.
16. FETZER, C., AND SUESSKRAUT, M. Switchblade: enforcing dynamic personalized system call models. In Eurosys '08: Proceedings of the 3rd ACM SIGOPS/EuroSys European Conference on Computer Systems 2008 (New York, NY, USA, 2008), ACM, pp. 273-286.
17. FORD, B., AND COX, R. Vx32: lightweight user-level sandboxing on the x86. In ATC'08: USENIX 2008 Annual Technical Conference on Annual Technical Conference (Berkeley, CA, USA, 2008), USENIX Association, pp. 293-306.
18. GARFINKEL, T. Traps and pitfalls: Practical problems in system call interposition based security tools. In In Proc. Network and Distributed Systems Security Symposium (2003), pp. 163-176.
19. GARFINKEL, T., PFAFF, B., AND ROSENBLUM, M. Ostia: A delegating architecture for secure system call interposition. In Proc. Network and Distributed Systems Security Symposium (February 2004).
20. GARFINKEL, T., AND ROSENBLUM, M. A virtual machine introspection based architecture for intrusion detection. In Proc. Network and Distributed Systems Security Symposium (February 2003).
21. GARG, M. Sysenter based system call mechanism in linux 2.6 (http://manugarg.googlepages.com/systemcallinlinux2-6.html).
22. GOLDBERG, I., WAGNER, D., THOMAS, R., AND BREWER, E. A. A secure environment for untrusted helper applications: Confining the wily hacker. In Proceedings of the 6th Usenix Security Symposium (1996).
23. HAZELWOOD, K., AND SMITH, M. D. Managing bounded code caches in dynamic binary optimization systems. TACO '063,3 (2006), 263-294.
24. HIROAKl, E., AND KUNIKAZU, Y. propolice : Improved stacksmashing attack detection. IPSJ SIG Notes 2001, 75 (2001-07-25), 181-188.
25. Ho, A., FETTERMAN, M., CLARK, C., WARFIELD, A., AND HAND, S. Practical taint-based protection using demand emulation, vol.40, pp. 29-41.
26. KIRIANSKY, V., BRUENING, D., AND AMARASINGHE, S. P. Secure execution via program shepherding. In Proceedings of the 11th USENIX Security Symposium (Berkeley, CA, USA, 2002), USENIX Association, pp. 191-206.
27. LIANG, Z., SUN, W., VENKATAKRISHNAN, V. N., AND SEKAR, R. Alcatraz: An isolated environment for experimenting with untrusted software. ACM Trans. Inf. Syst. Secur. 12, 3 (2009), 1-37.
28. LUK, C.-K., COHN, R., MUTH, R., PATIL, H., KLAUSER, A., LOWNEY, G., WALLACE, S., REDDI, V. J., AND HAZELWOOD, K. Pin: building customized program analysis tools with dynamic instrumentation. In PLDI '05 (New York, NY, USA, 2005), pp. 190-200.
29. MCCAMANT, S., AND MORRISETT, G. Evaluating SFI for a CISC architecture. In 15th USENIX Security Symposium (Vancouver, BC, Canada, August 2-4, 2006), pp. 209-224.
30. PAX-TEAM. PaX ASLR (Address Space Layout Randomization). http://pax.grsecurity.net/docs/aslr.txt.
31. PAYER, M., AND GROSS, T. Requirements for fast binary translation. In 2nd Workshop on Architectural and Microarchitectural Support for Binary Translation (2009).
32. PAYER, M., AND GROSS, T. R. Generating low-overhead dynamic binary translators. In SYSTOR'10 (2010).
33. PROVOS, N. Improving host security with system call policies. In SSYM'03: Proceedings of the 12th conference on USENIX Security Symposium (Berkeley, CA, USA, 2003), USENIX Association, pp. 18-18.
34. SCOTT, K., AND DAVIDSON, J. Strata: A software dynamic translation infrastructure. Tech. rep., Charlottesville, VA, USA, 2001.
35. SCOTT, K., AND DAVIDSON, J. Safe virtual execution using software dynamic translation. Computer Security Applications Conference, Annual 0 (2002), 209.
36. SHACHAM, H., PAGE, M., PFAFF, B., GOH, E.-J., MODADUGU, N., AND BONEH, D. On the effectiveness of address-space randomization. In CCS'04 (2004), pp. 298-307.
37. SRIDHAR, S., SHAPIRO, J. S., AND BUNGALE, P. P. HDTrans: a low-overhead dynamic translator. SIGARCH Comput. Archil News 35, 1 (2007), 135-140.
38. SRIDHAR, S., SHAPIRO, J. S., NORTHUP, E., AND BUNGALE, P. P. HDTrans: an open source, low-level dynamic instrumentation system. In VEE '06 (New York, NY, USA, 2006), pp. 175-185.
39. WAHBE, R., LUCCO, S., ANDERSON, T. E., AND GRAHAM, S. L. Efficient software-based fault isolation. In SOSP'93 (New York, NY, USA, 1993), ACM, pp. 203-216.
40. WATSON, R. N. M. Exploiting concurrency vulnerabilities in system call wrappers. In WOOT '07: Proceedings of the first USENIX workshop on Offensive Technologies (2007).
41. WRIGHT, C., COWAN, C., SMALLEY, S., MORRIS, J., AND KROAHHARTMAN, G. Linux security modules: General security support for the linux kernel. In Proceedings of the 11th USENIX Security Symposium (2002).
42. YEE, B., SEHR, D., DARDYK, G., CHEN, J. B., MUTH, R., ORMANDY, T., OKASAKA, S., NARULA, N., AND FULLAGAR, N. Native client: A sandbox for portable, untrusted x86 native code. IEEE Symposium on Security and Privacy (2009), 79-93.