Go With the Flow: Enforcing Program Behavior Through Syscall Sequences and Origins

The presentation discusses the implementation of SVIP, a security solution that provides integrity to kernel transitions and origin checks to prevent system call attacks.

• SVIP provides integrity to kernel transitions that cannot be achieved with CFI or SECCOMP
• SVIP also provides security via Cisco Transitions and origin checks
• SVIP reduces the number of average transitions from 107 to 74 and the number of average system call locations from 107 to 3
• SVIP is fully automated and has minimal runtime overhead
• The presentation also discusses return-oriented programming and how it can be exploited by attackers using existing code in an application to perform system calls

The presentation explains how return-oriented programming can be exploited by attackers using existing code in an application to perform system calls. The presentation also provides a brief illustration of how an attacker can chain together gadgets to perform a system call with specified parameters.

Over the years, applications increased in size and complexity, and with that also the number of vulnerabilities. Both industry and academia have proposed countermeasures to harden applications against potential attacks. For instance, control-flow integrity (CFI) tries to limit control-flow transfers within an application to transfers that are possible based on the program source code. Unfortunately, such countermeasures only work within one security domain, e.g., only on the userspace level. Once they are circumvented, an attacker can arbitrarily interact with other domains, such as the kernel.This talk presents our concept of syscall-flow-integrity protection (SFIP), limiting the control flow across security domains, i.e., user-to-kernel transfers. By design, it is fully compatible with CFI and enhances the system's security in case that CFI is circumvented. SFIP relies on three pillars: syscall sequences that model the control flow of the application, syscall origins that map syscalls to the locations at which they can be invoked, and efficient enforcement of the information by the operating system. We identify 3 challenges in the extraction of the syscall sequences and origins, e.g., a non-bijective mapping between syscalls and syscall locations. We demonstrate a proof-of-concept implementation, called SysFlow, that solves these challenges and allows for automated syscall-flow-integrity protection of large-scale real-world applications with a runtime overhead of only 1.8%. To demonstrate that SFIP is a viable approach to reduce the attack surface of applications, we discuss how it increases the complexity of control-flow-hijacking and mimicry attacks and demonstrate how it can mitigate a real-world attack. Finally, we analyze syscall sequences and origins of several real-world applications, effectively demonstrating an attack surface reduction of 90.9% compared to no protection being applied.