Process firewalls: Protecting processes during resource access

Hayawardh Vijayakumar, Joshua Schiffman, Trent Jaeger

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

14 Scopus citations

Abstract

Processes retrieve a variety of resources from the operating system in order to execute properly, but adversaries have several ways to trick processes into retrieving resources of the adversaries' choosing. Such resource access attacks use name resolution, race conditions, and/or ambiguities regarding which resources are controlled by adversaries, accounting for 5-10% of CVE entries over the last four years. Programmers have found these attacks extremely hard to eliminate because resources are managed externally to the program, but the operating system does not provide a sufficiently rich system-call API to enable programs to block such attacks. In this paper, we present the Process Firewall, a kernel mechanism that protects processes in a manner akin to a network firewall for the system-call interface. Because the Process Firewall only protects processes - rather than sandboxing them - it can examine their internal state to identify the protection rules necessary to block many of these attacks without the need for program modification or user configuration. We built a prototype Process Firewall for Linux demonstrating: (1) the prevention of several vulnerabilities, including two that were previously-unknown; (2) that this defense can be provided system-wide for less than 4% overhead in a variety of macrobenchmarks; and (3) that it can also improve program performance, shown by Apache handling 3-8% more requests when program resource access checks are replaced by Process Firewall rules. These results show that it is practical for the operating system to protect processes by preventing a variety of resource access attacks system-wide.

Original language: English (US)
Title of host publication: Proceedings of the 8th ACM European Conference on Computer Systems, EuroSys 2013
Pages: 57-70
Number of pages: 14
DOIs
State: Published - 2013
Event: 8th ACM European Conference on Computer Systems, EuroSys 2013 - Prague, Czech Republic
Duration: Apr 15 2013 to Apr 17 2013

Publication series

Name: Proceedings of the 8th ACM European Conference on Computer Systems, EuroSys 2013

Other

Other: 8th ACM European Conference on Computer Systems, EuroSys 2013
Country/Territory: Czech Republic
City: Prague
Period: 4/15/13 to 4/17/13

All Science Journal Classification (ASJC) codes

  • Hardware and Architecture
  • Electrical and Electronic Engineering
