System Call Sandboxing

Analysis of PWD and NGINX system call policy generation using dynamic and static techniques

Bachelor Thesis (2024)
Author(s)

J.J. Patałuch (TU Delft - Electrical Engineering, Mathematics and Computer Science)

Contributor(s)

Alexios Voulimeneas – Mentor (TU Delft - Cyber Security)

Przemysław Pawełczak – Graduation committee member (TU Delft - Embedded Systems)

Faculty
Electrical Engineering, Mathematics and Computer Science
Publication Year
2024
Language
English
Graduation Date
27-06-2024
Awarding Institution
Delft University of Technology
Project
CSE3000 Research Project, System Call Sandboxing
Programme
Computer Science and Engineering
Reuse Rights

Other than for strictly personal use, it is not permitted to download, forward or distribute the text or part of it, without the consent of the author(s) and/or copyright holder(s), unless the work is under an open content license such as Creative Commons.

Abstract

System call sandboxing represents a pivotal security measure in the contemporary digital landscape, where reducing the attack surface of applications is crucial to mitigate potential cyber threats. This paper investigates the efficacy of static versus dynamic system call filtering techniques across different execution phases of selected applications, namely PWD and NGINX. Employing automated tools such as sysfilter and chestnut, we collected comprehensive data through strace to delineate essential system calls required for each application phase. Our analysis compares these results with the policies generated by the automated tools, providing insights into the strengths and limitations of static and dynamic sandboxing methodologies. This study ultimately seeks to refine system call policies and balance robust security with necessary application functionality.

Files

BSc_Thesis_JJ_PATALUCH.pdf
(pdf | 0.181 Mb)
License info not available