Abstract:

Attack surface reduction through the removal of unnecessary application
features and code is a promising technique for improving security
without incurring any additional overhead. Applying this technique to
the OS kernel can reduce the risk of privilege escalation attacks. Given
that user programs mainly leverage system calls to interact with the
kernel, restricting access to any system call can potentially prevent an
attacker from exploiting a vulnerability in the kernel. In this thesis,
we use static analysis to identify the system call requirements of
applications and containers, and prevent them from accessing those which
are deemed as unnecessary by our analysis.

First, we create a generic toolchain which identifies the system call
requirements of libraries and programs by performing a one-time static
analysis on the libc library. Using this toolchain, and aiming to
provide a practical solution for the protection of arbitrary containers,
we present a generic approach for the automated generation of
restrictive system call policies for Docker containers. Our system,
named Confine, uses this analysis to inspect the containerized
application and all its dependencies, identify the superset of system
calls required for the correct operation of the container, and generate
a corresponding Seccomp system call policy that can be readily enforced
while loading the container.

Then, we present temporal system call filtering which further restricts
server applications by considering their two main phases of execution,
and differentiating between the system call requirements of these
phases. We present novel static analysis techniques for improving the
precision of extracting the application's callgraph for each execution
phase, which is then used to pinpoint the system calls used in each
phase. We show that requirements change throughout the lifetime of
servers, and many dangerous system calls (such as execve) can be
disabled after the completion of the initialization phase.

Finally, we present Configuration-to-Code (C2C), a generic
configuration-driven attack surface reduction technique that
automatically maps configuration options to application code using
static code analysis and instrumentation. C2C operates at a fine-grained
level by pruning configuration-dependent conditional branches in the
control flow graph, allowing the precise identification of a given
configuration option's code at the basic block level. At runtime, C2C
reduces the application's attack surface according to a given active
configuration by filtering any system calls required exclusively by
disabled features. To show the security benefit of these techniques we
extract the system calls through which each previously disclosed kernel
vulnerability can be exploited. Using this mapping, we extract the total
number of vulnerabilities which become inaccessible due to filtering
unneeded system calls by our approaches.