Attack surface reduction for commodity OS kernels: Trimmed garden plants may attract less bugs

Proceedings of the 4th Workshop on European Workshop on System Security, EUROSEC'11

Volumn , Issue , 2011, Pages

  Kurmus, Anil ^a   Sorniotti, Alessandro ^a   Kapitza, Rüdiger ^b  

^a IBM RESEARCH ZURICH   (Switzerland)

^b UNIVERSITY OF ERLANGEN NUREMBERG   (Germany)

Author keywords

[No Author keywords available]

Indexed keywords

BUG FIXES; CODE REVIEW; CODE SECTIONS; CODE SIZE; COMMODITY OPERATING SYSTEMS; DYNAMIC BINARY INSTRUMENTATION; GARDEN PLANTS; KERNEL FUNCTION; LINUX KERNEL; MANUAL INTERVENTION; SANDBOXING; SECURITY POLICY; SECURITY PROBLEMS; SURFACE REDUCTION; SYSTEM SECURITY; WEB SERVERS;

BINARY SEQUENCES; COMPUTER OPERATING SYSTEMS; SECURITY SYSTEMS; TRIMMING; USER INTERFACES;

PROGRAM DEBUGGING;

EID: 79957870127     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1972551.1972557     Document Type: Conference Paper

References (21)

1. R. Tartler, D. Lohmann, J. Sincero, and W. Schroder-Preikschat, "Feature Consistency in Compile-Time Configurable System Software, " in Proceedings of the 2011 EuroSys Conference (EuroSys '11), 2011.
2. K. Onarlioglu, L. Bilge, A. Lanzi, D. Balzarotti, and E. Kirda, "G-Free: Defeating Return-Oriented Programming through Gadget-less Binaries, " in Proceedings of the 2010 Annual Computer Security Applications Conference, 2010.
3. A. Mavinakayanahalli, P. Panchamukhi, J. Keniston, A. Keshavamurthy, and M. Hiramatsu, "Probing the Guts of Kprobes, " in Proceedings of the 2006 Linux Symposium, 2006.
4. P. J. Guo and D. Engler, "Linux Kernel Developer Responses to Static Analysis Bug Reports, " in Proceedings of the 2009 USENIX Annual technical Conference, 2009.
5. D. Chanet, B. De Sutter, B. De Bus, L. Van Put, and K. De Bosschere, "System-wide Compaction and Specialization of the Linux Kernel, " ACM SIGPLAN Notices, 2005.
6. N. Provos, "Improving Host Security with System Call Policies, " in Proceedings of the 12th USENIX Security Symposium, 2003.
7. I. Goldberg, D. Wagner, R. Thomas, and E. A. Brewer, "A Secure Environment for Untrusted Helper Applications Confining the Wily Hacker, " in Proceedings of the 6th USENIX Security Symposium, 1996.
8. A. Dan, A. Mohindra, R. Ramaswami, and D. Sitaram, "Chakravyuha: A Sandbox Operating System for the Controlled Execution of Alien Code, " tech. rep., IBM TJ Watson research center, 1997.
9. A. Acharya and M. Raje, "MAPbox: Using Parameterized Behavior Classes to Confine Untrusted Applications, " in Proceedings of the 9th USENIX Security Symposium, 2000.
10. C. Willems, T. Holz, and F. Freiling, "Toward Automated Dynamic Malware Analysis Using CWSandbox, " IEEE Security and Privacy, 2007.
11. SELinux. http://selinuxproject.org/page/.
12. TOMOYO. http://tomoyo.sourceforge.jp/.
13. grsecurity. http://grsecurity.net/.
14. D. Mutz, F. Valeur, G. Vigna, and C. Kruegel, "Anomalous System Call Detection, " ACM Transactions on Information and System Security, pp. 61-93, February 2006.
15. T. Garfinkel, "Traps and Pitfalls: Practical Problems in System Call Interposition Based Security Tools, " in Proceedings of the 10th Network and Distributed Systems Security Symposium (NDSS '03), 2003.
16. T. Garfinkel and M. Rosenblum, "A Virtual Machine Introspection Based Architecture for Intrusion Detection, " in Proceedings of the 10th Network and Distributed Systems Security Symposium (NDSS '03), 2003.
17. N. Petroni Jr, T. Fraser, J. Molina, and W. Arbaugh, "Copilot - a Coprocessor-based Kernel Runtime Integrity Monitor, " in Proceedings of the 13th USENIX Security Symposium, 2004.
18. M. Christodorescu, R. Sailer, D. L. Schales, D. Sgandurra, and D. Zamboni, "Cloud Security Is Not (Just) Virtualization Security, " in Proceedings of the 2009 ACM workshop on Cloud Computing Security (CCSW '09), 2009.
19. X. Chen, T. Garfinkel, E. C. Lewis, P. Subrahmanyam, C. A. Waldspurger, D. Boneh, J. Dwoskin, and D. R. Ports, "Overshadow: A Virtualization-Based Approach to Retrofitting Protection in Commodity Operating Systems, " in Proceedings of the 13th Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS XIII), 2008.
20. B. D. Payne, M. Carbone, M. Sharif, and W. Lee, "Lares: An Architecture for Secure Active Monitoring Using Virtualization, " in Proceedings of the 2008 IEEE Symposium on Security and Privacy, 2008.
21. M. I. Sharif, W. Lee, W. Cui, and A. Lanzi, "Secure In-VM Monitoring Using Hardware Virtualization, " in Proceedings of the 16th Computer and Communications Security Conference (CCS '09), 2009.