Enter Sandbox

Claudio Canella, Mario Werner, Michael Schwarz
Black Hat Asia (Virtual), 2021


Abstract

Applications are growing ever more complex, leading to an increase in exploitable vulnerabilities. One efficient method for mitigating potential attacks is the use of application sandboxing. The idea behind sandboxing is to constrain software within a tightly controlled environment. Linux provides seccomp filtering to restrict the system calls an application can execute. However, it requires an application developer to extract the system calls from the application manually, and to set up the resulting filters correctly.

We investigate the challenges of automatically generating seccomp filters for an application. Based on this evaluation, we propose a new approach for automatically generating seccomp filters for Linux applications on both x86_64 and ARMv8. This new approach consists of two phases with a total of three distinct components, i.e., a static analysis phase with two components and an optional refinement phase with one component. We implement our approach as a compiler extension and a standalone tool. The compiler extension performs static code analysis to identify the system calls an application uses. The standalone tool can be applied to already existing binaries to allow sandboxing without having access to the source code. A dynamic refinement tool can be used during development either to identify system calls that were missed by the static component used in phase one or to further reduce the number of allowed system calls. In general, all three components can be combined to alleviate the potential shortcomings of an individual component. We show the effectiveness of our new approach in preventing real-world exploits with only minimal overhead.
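As an added illustration, not the authors' tooling, the following shows how a syscall list of the kind such an analysis produces becomes a seccomp-BPF allowlist on x86_64 or ARMv8, with a userspace simulation that checks the generated filter against the list before it is installed. The macro and function names (`build_allowlist`, `filter_verdict`, `install_allowlist`) are my own, and the two-syscall list in the test is a constructed example.

```c
#include <stddef.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#ifdef __aarch64__
#define SANDBOX_ARCH AUDIT_ARCH_AARCH64   /* ARMv8 */
#else
#define SANDBOX_ARCH AUDIT_ARCH_X86_64
#endif
#define STMT(code, k)  (struct sock_filter)BPF_STMT(code, k)
#define JEQ(k, jt, jf) (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, k, jt, jf)
#define ARCH_OFF offsetof(struct seccomp_data, arch)
#define NR_OFF   offsetof(struct seccomp_data, nr)
/* Emit an allowlist for the n syscall numbers in nrs: arch check (3 instructions), load nr (1),
 * one compare per syscall, default KILL, then ALLOW. Returns 0 if cap < n + 6 or n > 255 (8-bit jumps). */
size_t build_allowlist(const int *nrs, size_t n, struct sock_filter *out, size_t cap) {
    size_t i = 0, k;
    if (n > 255 || cap < n + 6) return 0;
    out[i++] = STMT(BPF_LD | BPF_W | BPF_ABS, ARCH_OFF);
    out[i++] = JEQ(SANDBOX_ARCH, 1, 0);                  /* foreign ABI falls into KILL */
    out[i++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    out[i++] = STMT(BPF_LD | BPF_W | BPF_ABS, NR_OFF);
    for (k = 0; k < n; k++)                              /* match: jump past KILL to ALLOW */
        out[i++] = JEQ((unsigned)nrs[k], (unsigned char)(n - k), 0);
    out[i++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);   /* default: deny */
    out[i++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return i;
}
/* Userspace simulation of the kernel's verdict for (arch, nr), so a generated filter
 * can be checked against the extracted syscall list before it is installed. */
unsigned filter_verdict(const struct sock_filter *f, size_t len, unsigned arch, unsigned nr) {
    unsigned acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        if (f[pc].code == (BPF_LD | BPF_W | BPF_ABS))
            acc = f[pc].k == ARCH_OFF ? arch : nr;
        else if (f[pc].code == (BPF_JMP | BPF_JEQ | BPF_K))
            pc += acc == f[pc].k ? f[pc].jt : f[pc].jf;   /* target is pc + 1 + offset */
        else if (f[pc].code == (BPF_RET | BPF_K))
            return f[pc].k;
    }
    return SECCOMP_RET_KILL_PROCESS;                      /* fell off the end: deny */
}
/* Install in the calling process; no_new_privs is required without CAP_SYS_ADMIN. */
int install_allowlist(struct sock_filter *f, size_t len) {
    struct sock_fprog prog = { .len = (unsigned short)len, .filter = f };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}
```

Once the simulated verdicts match the extracted list, `install_allowlist` applies the filter; any syscall the static or dynamic components missed then kills the process, which is exactly the gap the refinement phase is meant to close.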