DMCA
Improving Host Security with System Call Policies (2002)
Cached
Download Links
| Venue: | In Proceedings of the 12th Usenix Security Symposium |
| Citations: | 330 - 0 self |
BibTeX
@INPROCEEDINGS{Provos02improvinghost,
author = {Niels Provos},
title = {Improving Host Security with System Call Policies},
booktitle = {In Proceedings of the 12th Usenix Security Symposium},
year = {2002},
pages = {257--272}
}
Share
 |
 |
 |
 |
||
OpenURL
Abstract
We introduce a system that eliminates the need to run programs in privileged process contexts. Using our system, programs run unprivileged but may execute certain operations with elevated privileges as determined by a configurable policy eliminating the need for suid or sgid binaries. We present the design and analysis of the "Systrace" facility which supports fine grained process confinement, intrusion detection, auditing and privilege elevation. It also facilitates the often difficult process of policy generation. With Systrace, it is possible to generate policies automatically in a training session or generate them interactively during program execution. The policies describe the desired behavior of services or user applications on a system call level and are enforced to prevent operations that are not explicitly permitted. We show that Systrace is efficient and does not impose significant performance penalties.
Keyphrases
host security system call policy certain operation desired behavior policy generation program execution intrusion detection difficult process training session privileged process context sgid binary elevated privilege systrace facility process confinement user application significant performance penalty privilege elevation configurable policy system call level
