System Call Sandboxing: Enhancing Security Through Analysis

Comparing Dynamic and Static System Call Analysis for Diff and SSH

Bachelor Thesis (2024)
Author(s)

L.L.J. de Bruin (TU Delft - Electrical Engineering, Mathematics and Computer Science)

Contributor(s)

Alexios Voulimeneas – Mentor (TU Delft - Cyber Security)

Przemysław Pawełczak – Graduation committee member (TU Delft - Embedded Systems)

Faculty
Electrical Engineering, Mathematics and Computer Science
Publication Year
2024
Language
English
Graduation Date
27-06-2024
Awarding Institution
Delft University of Technology
Project
CSE3000 Research Project; System Call Sandboxing
Programme
Computer Science and Engineering
Reuse Rights

Other than for strictly personal use, it is not permitted to download, forward or distribute the text or part of it, without the consent of the author(s) and/or copyright holder(s), unless the work is under an open content license such as Creative Commons.

Abstract

Sandboxing is a technique that restricts a software application’s access to system resources in order to limit unintended harmful behaviour. One such measure is limiting the set of system calls the application is allowed to use. This paper compares dynamic and static analysis methods for determining the necessary syscalls, focusing on the applications SSH and diff. The contributions of this research include a custom dynamic analysis approach, a comparison with an existing static solution, and insights into their respective strengths and weaknesses. Furthermore, it explains how execution phase separation, a technique that analyses each phase of a program separately, can be used to refine the system call set further. The experimental results show that both methods can effectively decrease the attack surface, each eliminating over 60% of unnecessary system calls. Static analysis covers all possible use cases but includes calls that are never used, whereas dynamic analysis yields a more realistic set based on actual use cases but may miss some edge cases. Moreover, execution phase separation was found to work well, reducing the number of system calls required in the main working phase of SSH by 79%.
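The following is an added illustration of the dynamic approach the abstract describes, not code from the thesis. It parses a constructed `strace -f -o`-style trace, splits it into an initialization phase and a main working phase (assuming, as a stand-in for the thesis's phase boundary, that the main phase begins at the first `poll` call), compares the observed set against a constructed static over-approximation, and emits the main-phase allowlist in the Docker/OCI seccomp profile layout. The trace lines, the static allowlist and the `poll` boundary are all constructed for the example.

```python
"""Dynamic syscall analysis with execution phase separation (added example).

Assumptions (not from the thesis): the input is strace -f -o style output,
and the initialization phase ends at the first occurrence of a chosen
boundary syscall (here `poll`, standing in for entry into the main loop).
"""
import json
import re
from typing import Dict, List, Optional, Set

# Constructed sample trace in strace -f -o format; not a real capture.
SAMPLE_TRACE = """\
1201  execve("/usr/bin/ssh", ["ssh", "host"], 0x7ffd12345678 /* 20 vars */) = 0
1201  brk(NULL)                         = 0x55d0c0a4a000
1201  openat(AT_FDCWD, "/etc/ssh/ssh_config", O_RDONLY|O_CLOEXEC) = 3
1201  read(3, "Host *\\n", 4096)         = 1600
1201  close(3)                          = 0
1201  socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 3
1201  connect(3, {sa_family=AF_INET, sin_port=htons(22)}, 16) = 0
1201  getrandom("\\x1f\\x8a", 32, 0)       = 32
1201  poll([{fd=3, events=POLLIN}], 1, -1 <unfinished ...>
1201  <... poll resumed>)               = 1 ([{fd=3, revents=POLLIN}])
1201  read(3, "SSH-2.0-", 8192)         = 512
1201  write(3, "SSH-2.0-", 64)          = 64
1201  --- SIGWINCH {si_signo=SIGWINCH, si_code=SI_KERNEL} ---
1201  ioctl(0, TIOCGWINSZ, {ws_row=50, ws_col=200}) = 0
1201  rt_sigprocmask(SIG_BLOCK, [CHLD], NULL, 8) = 0
1201  exit_group(0)                     = ?
1201  +++ exited with 0 +++
"""

# Constructed stand-in for a static analysis result: a superset of what the
# trace exercises, padded with calls a binary may reach but this run did not.
STATIC_ALLOWLIST = {
    "execve", "brk", "openat", "read", "close", "socket", "connect", "getrandom",
    "poll", "write", "ioctl", "rt_sigprocmask", "exit_group",
    "mmap", "mprotect", "munmap", "fstat", "futex", "clone", "wait4", "kill",
}

# Optional "pid  " or "[pid  N] " prefix, then the syscall name and "(".
_CALL_RE = re.compile(r"^(?:\[pid\s+\d+\]\s+|\d+\s+)?([a-z_][a-z0-9_]*)\(")
# Second half of an interrupted call: "<... name resumed>".
_RESUMED_RE = re.compile(r"<\.\.\. ([a-z_][a-z0-9_]*) resumed>")


def parse_strace_line(line: str) -> Optional[str]:
    """Return the syscall name on one strace line, or None for signal
    delivery, process exit and other non-syscall lines."""
    m = _CALL_RE.match(line)
    if m:
        return m.group(1)
    m = _RESUMED_RE.search(line)
    return m.group(1) if m else None


def phase_syscall_sets(lines: List[str], boundary_syscall: str) -> Dict[str, Set[str]]:
    """Split the trace into 'init' and 'main' phases; the boundary syscall
    itself is attributed to the main phase."""
    phases: Dict[str, Set[str]] = {"init": set(), "main": set()}
    current = "init"
    for line in lines:
        name = parse_strace_line(line)
        if name is None:
            continue
        if current == "init" and name == boundary_syscall:
            current = "main"
        phases[current].add(name)
    return phases


def compare_to_static(dynamic: Set[str], static: Set[str]) -> Dict[str, Set[str]]:
    """'never_used': allowed by static analysis but never observed;
    'missed': observed at runtime but absent from the static set."""
    return {"never_used": static - dynamic, "missed": dynamic - static}


def reduction_pct(before: int, after: int) -> float:
    """Percentage of the allowlist removed when going from before to after."""
    return round(100.0 * (before - after) / before, 1)


def seccomp_profile(allowed: Set[str]) -> dict:
    """Docker/OCI seccomp profile: listed calls allowed, all others fail with
    an errno instead of being executed."""
    return {
        "defaultAction": "SCMP_ACT_ERRNO",
        "syscalls": [{"names": sorted(allowed), "action": "SCMP_ACT_ALLOW"}],
    }


if __name__ == "__main__":
    phases = phase_syscall_sets(SAMPLE_TRACE.splitlines(), "poll")
    observed = phases["init"] | phases["main"]
    diff = compare_to_static(observed, STATIC_ALLOWLIST)
    print("never used by this run:", sorted(diff["never_used"]))
    print("static vs dynamic reduction: %.1f%%" % reduction_pct(len(STATIC_ALLOWLIST), len(observed)))
    print("whole-program vs main-phase reduction: %.1f%%" % reduction_pct(len(observed), len(phases["main"])))
    print(json.dumps(seccomp_profile(phases["main"]), indent=2))
```

Running the script against a real capture only requires replacing `SAMPLE_TRACE` with the contents of an `strace -f -o` file and choosing a boundary that matches the program's structure; the main-phase profile is what one would load once initialization has completed, which is where the per-phase refinement described above pays off.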

Files

System_Call_Sandboxing.pdf
(pdf | 0.142 Mb)
License info not available