SPLASH 2021
Sun 17 - Fri 22 October 2021 Chicago, Illinois, United States
Fri 22 Oct 2021 14:35 - 14:50 at Zurich E - OOPSLA 2020 Papers 5 Chair(s): Yao Li

System call whitelisting is a powerful sandboxing approach that can significantly reduce the capabilities of an attacker if an application is compromised. Given a policy that specifies which system calls can be invoked with what arguments, a sandboxing framework terminates any execution that violates the policy. While this mechanism greatly reduces the attack surface of a system, manually constructing these policies is time-consuming and error-prone. As a result, many applications —including those that take untrusted user input— opt not to use a system call sandbox.

Motivated by this problem, we propose a technique for automatically constructing system call whitelisting policies for a given application and policy DSL. Our method combines static code analysis and program synthesis to construct sound and precise policies that never erroneously terminate the application, while restricting the program’s system call usage as much as possible. We have implemented our approach in a tool called Abhaya and experimentally evaluate it on 493 Linux and OpenBSD applications by automatically synthesizing Seccomp-bpf and Pledge policies. Our experimental results indicate that Abhaya can efficiently generate useful and precise sandboxes for real-world applications.

Fri 22 Oct

Displayed time zone: Central Time (US & Canada)

13:50 - 15:10
OOPSLA 2020 Papers 5 (SIGPLAN Papers) at Zurich E
Chair(s): Yao Li University of Pennsylvania
13:50 (15m) Talk: Gradual Verification of Recursive Heap Data Structures (SIGPLAN Papers)
Jenna Wise (Carnegie Mellon University), Johannes Bader (Jane Street), Cameron Wong (Jane Street), Jonathan Aldrich (Carnegie Mellon University), Éric Tanter (University of Chile), Joshua Sunshine (Carnegie Mellon University)

14:05 (15m) Talk: Formulog: Datalog for SMT-based Static Analysis (SIGPLAN Papers)
Aaron Bembenek (Harvard University), Michael Greenberg (Stevens Institute of Technology), Stephen Chong (Harvard University)

14:20 (15m) Talk: Compiling Symbolic Execution with Staging and Algebraic Effects (SIGPLAN Papers)
Guannan Wei (Purdue University), Oliver Bračevac (Purdue University), Shangyin Tan (Purdue University), Tiark Rompf (Purdue University)

14:35 (15m) Talk: Automated Policy Synthesis for System Call Sandboxing (SIGPLAN Papers)
Shankara Pailoor (University of Texas at Austin), Xinyu Wang (University of Michigan), Hovav Shacham (University of Texas at Austin), Isil Dillig (University of Texas at Austin)

14:50 (20m) Live Q&A: Discussion, Questions and Answers (SIGPLAN Papers)