Download: PDF.
“Integrity Walls: Finding attack surfaces from mandatory access control policies” by Hayawardh Vijayakumar, Joshua Schiffman, and Trent Jaeger. In 7th ACM Symposium on Information, Computer, and Communications Security (ASIACCS), May 2012.
Abstract
Adding new programs or configuration options to a system often leads to new exploits because it provides adversaries with new ways to access possible vulnerabilities. As a result, application developers often must react to exploits as they are exploited. One proactive defense is to protect programs at their attack surfaces, the program entry points (e.g., system calls) accessible to adversaries. However, experience has shown that developers often fail to defend these entry points because they do not locate all of these points where programs access system resources controlled by attackers. In this paper, we develop a runtime analysis method to compute program attack surfaces in system deployments, which uses a novel approach to computing program adversaries to determine which program entry points access adversary-controlled objects. We implemented our design as a Linux kernel mechanism capable of identifying entry points for both binary and interpreted programs. Using this mechanism, we compute the attack surfaces for all the programs in the Ubuntu Linux 10.04 Desktop distribution automatically, and discovered a previously unknown vulnerabilities an X Windows startup script available since 2006 and the recently-released GNU Icecat web browser. Our tools enable developers to find attack surfaces for their programs quickly and to produce defenses prior to the emergence of attacks, potentially moving us away from the penetrate-and-patch rut.
Download: PDF.
BibTeX entry:
@inproceedings{asiaccs12-vijayakumar,
author = {Hayawardh Vijayakumar and Joshua Schiffman and Trent Jaeger},
title = {Integrity Walls: Finding attack surfaces from mandatory access
control policies},
booktitle = {7th ACM Symposium on Information, Computer, and
Communications Security (ASIACCS)},
month = may,
year = {2012}
}
(This webpage was created with bibtex2web.)
Back to Trent Jaeger's Publications.