Efficient Monitoring of Library Call Invocation

  • Marinos Tsantekidis, Vassilis Prevelakis
  • Published 1 October 2019
  • Computer Science
  • 2019 Sixth International Conference on Internet of Things: Systems, Management and Security (IOTSMS)
The ability to monitor when user code invokes a library function offers numerous advantages, for example during black-box testing of code, high-level control-flow integrity (CFI) checking, run-time access-control policy enforcement and so on. However, for this technique to be useful it must be efficient and able to function even when the target application is provided only as a statically linked executable. In an earlier paper we demonstrated how library calls may be intercepted using wrappers…

MMU-based Access Control for Libraries

An updated version of the kernel-side technique, where security policies are implemented in order to identify suspicious behavior and take some action accordingly, is presented.

Securing Runtime Memory via MMU Manipulation

This paper presents an extension to a previously developed mechanism for controlling access to libraries, in order to implement a scheme that allows each library to have its own private storage space.

CYRA: A Model-Driven CYber Range Assurance Platform

The model-driven CYber Range Assurance platform (CYRA) allows a trainee to be trained for known and new cyber-attacks by adapting to the continuously evolving threat landscape and examines if the trainees transfer the acquired knowledge to the working environment.

Model-driven Simulation and Training Environments for Cybersecurity: Second International Workshop, MSTEC 2020, Guildford, UK, September 14–18, 2020, Revised Selected Papers

A taxonomy for interactive cyber training and education is presented that includes different factors of the technical setup, audience, training environment, and training setup that can help trainings to improve and to be established successfully.



Base line performance measurements of access controls for libraries and modules

  • Jason W. Kim, V. Prevelakis
  • Computer Science
    Proceedings 20th IEEE International Parallel & Distributed Processing Symposium
  • 2006
The design and implementation of a framework used for generating (and using) libraries under access controls, as well as performance measurements of invoking functions that are held inside the protected library are discussed.

Control-flow integrity

Control-Flow Integrity provides a useful foundation for enforcing further security policies, as it is demonstrated with efficient software implementations of a protected shadow call stack and of access control for memory regions.

RAD: a compile-time solution to buffer overflow attacks

  • T. Chiueh, Fu-Hau Hsu
  • Computer Science
    Proceedings 21st International Conference on Distributed Computing Systems
  • 2001
This paper presents a compiler-based solution to the notorious buffer overflow attack problem, a taxonomy of defense methods, the implementation details of RAD, and the performance analysis of the RAD prototype.

Improving Host Security with System Call Policies

This paper discusses the methodology and design of privilege separation, a generic approach that lets parts of an application run with different levels of privilege, and illustrates how separation of privileges reduces the amount of OpenSSH code that is executed with special privilege.

The Performance Cost of Shadow Stacks and Stack Canaries

This work studies the inherent overheads of shadow stack schemes, and designs a new scheme, the parallel shadow stack, and shows that its performance cost is significantly less than the traditional shadow stack: 3.5%.

Library-Level Policy Enforcement

A system that allows policy to be implemented at the library call level, which screens calls to protected functions, while allowing the implementation of a high level form of control flow integrity based on library calls is described.

A hardware architecture for implementing protection rings

A call by a user procedure to a protected subsystem (including the supervisor) is identical to a call to a companion user procedure, and the mechanisms of passing and referencing arguments are the same in both cases as well.

Exploiting Concurrency Vulnerabilities in System Call Wrappers

The theory and practice of system call wrapper concurrency vulnerabilities are discussed, and exploit techniques against GSWTK, Systrace, and CerbNG are demonstrated.


  • https://www.cvedetails.com/cve/CVE-2013-2028/, February 2013.
  • 2013

Nginx 1.4.0 (Generic Linux x64) - Remote Overflow

  • https://www.exploit-db.com/exploits/32277, July 2013.
  • 2013