• Corpus ID: 204860572

Library-Level Policy Enforcement

  • Marinos Tsantekidis, Vassilis Prevelakis
  • SECURWARE 2017

We propose a system that allows policy to be implemented at the library call level. Under our scheme, calls to libraries are monitored and their arguments examined to ensure that they comply with the security policy associated with the running program. Our system automatically creates wrappers for libraries so that calls to external functions in the library are vectored to a policy enforcement engine. In this paper, we describe our system, which screens calls to protected functions, while… 

Efficient Monitoring of Library Call Invocation

The technique is presented by analyzing the interception of a known exploit of the NGINX server; it is shown that the mechanism can detect and contain the attack, and the performance overheads are discussed.

MMU-based Access Control for Libraries

An updated version of the kernel-side technique, where security policies are implemented in order to identify suspicious behavior and take some action accordingly, is presented.

Securing Runtime Memory via MMU Manipulation

This paper presents an extension to a previously developed mechanism for controlling access to libraries, in order to implement a scheme that allows each library to have its own private storage space.

ProSEV: Proxy-Based Secure and Efficient Vehicular Communication

This paper investigates, through a real experiment, how VANET mobility imposes challenges in establishing and maintaining a long-lasting connection, and proposes a mechanism to improve the communication efficiency over VANETs based on the concept of intelligent proxies.

Model-driven Simulation and Training Environments for Cybersecurity: Second International Workshop, MSTEC 2020, Guildford, UK, September 14–18, 2020, Revised Selected Papers

A taxonomy for interactive cyber training and education is presented that includes different factors of the technical setup, audience, training environment, and training setup that can help trainings to improve and to be established successfully.



Control-flow integrity

Control-Flow Integrity provides a useful foundation for enforcing further security policies, as it is demonstrated with efficient software implementations of a protected shadow call stack and of access control for memory regions.

Improving Host Security with System Call Policies

This paper discusses the methodology and design of privilege separation, a generic approach that lets parts of an application run with different levels of privilege, and illustrates how separation of privileges reduces the amount of OpenSSH code that is executed with special privilege.

Base line performance measurements of access controls for libraries and modules

  • Jason W. Kim, V. Prevelakis
  • Computer Science
    Proceedings 20th IEEE International Parallel & Distributed Processing Symposium
  • 2006
The design and implementation of a framework used for generating (and using) libraries under access controls, as well as performance measurements of invoking functions that are held inside the protected library are discussed.

Exploiting Concurrency Vulnerabilities in System Call Wrappers

The theory and practice of system call wrapper concurrency vulnerabilities are discussed, and exploit techniques against GSWTK, Systrace, and CerbNG are demonstrated.

Address Space Layout Randomization Next Generation

A taxonomy of all ASLR elements is proposed, which categorizes the entropy in three dimensions (how, when and what) and includes novel forms of entropy; it is shown that ASLR-NG overcomes the PaX, Linux and OS X implementations, providing strong protection to prevent attackers from abusing weak ASLRs.

Secure Hardware-Software Architectures for Robust Computing Systems

The basic elements of SHARCS are presented that will provide a powerful foundation for designing and developing trustworthy, secure-by-design applications and services for the Future Internet.

Chacha20/poly1305 heap-buffer-overflow

  • 2016. [Online]. Available: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7054 [accessed: 2017-07-26]
  • 2016

A hardware architecture for implementing protection rings

A call by a user procedure to a protected subsystem (including the supervisor) is identical to a call to a companion user procedure, and the mechanisms of passing and referencing arguments are the same in both cases as well.

Chacha20/poly1305 heap-buffer-overflow

  • 2016. [Online]. Available: https://www.openssl.org/news/secadv/20161110.txt [accessed: 2017-07-26]
  • 2016

Multics.” [Online] Multics rings,” 1996. [Online]

  • Proceedings of the First USENIX Workshop on Offensive Technologies, ser. WOOT ’07
  • 2007