A framework for diversifying windows native APIs to tolerate code injection attacks (ASIACCS '07 Proceedings of the 2nd ACM symposium on Information, computer and communications security)
Protecting against unexpected system calls (SSYM'05 Proceedings of the 14th conference on USENIX Security Symposium - Volume 14)
A static API birthmark for Windows binary executables (Journal of Systems and Software)
Support for enterprise consolidation of I-O bound services (Software—Practice & Experience - Focus on Selected PhD Literature Reviews in the Practical Aspects of Software Technology)
Artificial malware immunization based on dynamically assigned sense of self (ISC'10 Proceedings of the 13th international conference on Information security)
Architecting Dependable Systems III
Runtime countermeasures for code injection attacks against C and C++ programs (ACM Computing Surveys (CSUR))
DroidBarrier: know what is executing on your android (Proceedings of the 4th ACM conference on Data and application security and privacy)
System call monitoring is a technique for detecting and controlling compromised applications by checking at run-time that each system call conforms to a policy that specifies the program's normal behavior. Here, a new approach to system call monitoring based on authenticated system calls is introduced. An authenticated system call is a system call augmented with extra arguments that specify the policy for that call and a cryptographic message authentication code (MAC) that guarantees the integrity of the policy and the system call arguments. This extra information is used by the kernel to verify the system call. The version of the application in which regular system calls have been replaced by authenticated calls is generated automatically by an installer program that reads the application binary, uses static analysis to generate policies, and then rewrites the binary with the authenticated calls. This paper presents the approach, describes a prototype implementation based on Linux and the PLTO binary rewriting system, and gives experimental results suggesting that the approach is effective in protecting against compromised applications at modest cost.
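As an added illustration (not the paper's or the PLTO prototype's code), the following Python sketch models the mechanism the abstract describes: the installer attaches a per-call-site policy and a MAC over it, and the kernel recomputes the MAC and then checks the actual arguments against the policy. The shared key, the policy encoding and all function names are assumptions made for this demo.

```python
import hmac
import hashlib
import json

# Constructed key shared by the installer and the kernel (an assumption of this
# demo; the abstract does not describe how the prototype manages the key).
KEY = b"demo-installer-kernel-key"

def policy_mac(syscall, policy):
    """MAC binding a syscall name to its policy. Arguments that static analysis
    fixed as constants are part of the policy, so the MAC covers them too."""
    msg = json.dumps([syscall, policy], sort_keys=True).encode()
    return hmac.new(KEY, msg, hashlib.sha256).digest()

def installer_rewrite(syscall, policy):
    """Installer side: the rewritten call site carries syscall, policy and MAC."""
    return {"syscall": syscall, "policy": policy, "mac": policy_mac(syscall, policy)}

def arg_allowed(rule, value):
    """One policy rule per argument: a fixed value or an allowed string prefix."""
    kind, expected = rule
    if kind == "equals":
        return value == expected
    if kind == "prefix":
        return isinstance(value, str) and value.startswith(expected)
    return False  # unknown rule kinds fail closed

def kernel_dispatch(call, args):
    """Kernel side: refuse calls that carry no valid MAC, then enforce the policy."""
    if call is None:
        return "denied: unauthenticated system call"
    if not hmac.compare_digest(policy_mac(call["syscall"], call["policy"]), call["mac"]):
        return "denied: policy or arguments tampered"
    rules = call["policy"]
    if len(rules) != len(args) or not all(arg_allowed(r, a) for r, a in zip(rules, args)):
        return "denied: arguments violate policy"
    return "allowed: " + call["syscall"]

# Constructed call site: static analysis found that this open() is only ever given
# a path under /var/www/ and the constant flags value 0 (read-only).
OPEN_SITE = installer_rewrite("open", [("prefix", "/var/www/"), ("equals", 0)])
```

A call site that injected code fabricates has no MAC, a forged policy fails the MAC check, and a reused legitimate site is confined to the arguments its policy permits.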