Automating Seccomp Filter Generation for Linux Applications

  title={Automating Seccomp Filter Generation for Linux Applications},
  author={Claudio Canella and Mario Werner and Daniel Gruss and Michael Schwarz},
  journal={Proceedings of the 2021 on Cloud Computing Security Workshop},
Software vulnerabilities undermine the security of applications. By blocking unused functionality, the impact of potential exploits can be reduced. While seccomp provides a solution for filtering syscalls, it requires manual implementation of filter rules for each individual application. Recent work has investigated approaches to automate this task. However, as we show, these approaches make assumptions that are not necessary or require overly time-consuming analysis. In this paper, we propose… 

Figures and Tables from this paper

SFIP: Coarse-Grained Syscall-Flow-Integrity Protection in Modern Systems
The concept of syscall-flowintegrity protection (SFIP) is introduced that complements the concept of CFI with integrity for user-kernel transitions and can be applied to large scale applications with minimal slowdowns.
Domain Page-Table Isolation
The results show that DPTI is a viable mechanism to isolate domains within applications using only existing mechanisms available on modern CPUs, without relying on special hardware instructions or extensions.
Timeloops: Automatic System Call Policy Learning for Containerized Microservices
The amortized performance of T IMELOOPS is similar to that of an unhardened system while producing a smaller system call filter than state-of-the-art static analysis-based techniques.
Timeloops: System Call Policy Learning for Containerized Microservices
The amortized performance of T IMELOOPS is similar to that of an unhardened system while producing a smaller system call filter than state-of-the-art static analysis-based techniques.
Sprofiler: Automatic Generating System of Container-Native System Call Filtering Rules for Attack Surface Reduction
This study proposes Sprofiler which generates filtering rules that are suitable for a workload of a container by combining static analysis of application executable files and dynamic analysis of system calls issued from the container.
Keep Your Transactions On Short Leashes
This paper starts with the indistinguishability of side chains from the consensus chain—for the eclipsed victim—as a given and assumes the potential victim will be fooled, and protects the victim via harm reduction applying “short leashes” to transactions.


sysfilter: Automated System Call Filtering for Commodity Software
Modern OSes provide a rich set of services to applications, primarily accessible via the system call API, to support the ever growing functionality of contemporary software. However, despite the fact
Temporal System Call Specialization for Attack Surface Reduction
Attack surface reduction through the removal of unnecessary application features and code is a promising technique for improving security without incurring any additional overhead. Recent software
Less is More: Quantifying the Security Benefits of Debloating Web Applications
The results show that the process of debloating removes code associated with tens of historical vulnerabilities and further shrinks a web application’s attack surface by removing unnecessary external packages and abusable PHP gadgets.
JRed: Program Customization and Bloatware Mitigation Based on Static Analysis
A new static-analysis-enabled approach to trimming unused code from both Java applications and Java Runtime Environment (JRE) automatically is proposed, built on top of the Soot framework and evaluated based on a set of criteria: code size, code complexity, memory footprint, execution and garbage collection time, and security.
Debloating Software through Piece-Wise Compilation and Loading
A debloating framework built on a compiler toolchain that can successfully debloat software (shared/static libraries and executables) and shows that even complex COTS programs (e.g., FireFox, Curl) can be debloated {without a need to recompile}.
Shredder: Breaking Exploits through API Specialization
Shredder, a defense-in-depth exploit mitigation tool for the protection of closed-source applications, is presented and it is shown that it improves significantly upon code stripping, a state-of-the-art code surface reduction technique, by blocking a larger number of malicious payloads with negligible runtime overhead.
Binary Control-Flow Trimming
Through a combination of runtime tracing, machine learning, in-lined reference monitoring, and contextual control-flow integrity enforcement, it is demonstrated that automated code feature removal is nevertheless feasible under these constraints, even for complex programs such as compilers and servers.
RAZOR: A Framework for Post-deployment Software Debloating
A practical debloating framework, RAZOR, that performs code reduction for deployed binaries that produces functional programs and does not introduce any security issues, and is thus a practical framework fordebloating real-world programs.
Out of Control: Overcoming Control-Flow Integrity
As existing defenses like ASLR, DEP, and stack cookies are not sufficient to stop determined attackers from exploiting our software, interest in Control Flow Integrity (CFI) is growing. In its ideal
Authenticated system calls
This paper presents the approach, describes a prototype implementation based on Linux and the PLTO binary rewriting system, and gives experimental results suggesting that the approach is effective in protecting against compromised applications at modest cost.