Runtime Monitoring Tool for Monitoring Attack Surfaces in Programs using SELinux

Open Access
Jakka, Guruprasad
Graduate Program:
Computer Science and Engineering
Master of Science
Document Type:
Master Thesis
Date of Defense:
April 14, 2010
Committee Members:
  • Trent Ray Jaeger, Thesis Advisor
Keywords:
  • security
  • integrity
  • attack surface
  • program
  • selinux
  • policy
Abstract:
Attacks on computer systems have become common and sophisticated. They exploit vulnerabilities in programs by injecting malicious code and changing the program's execution sequence through buffer overflow attacks, essentially affecting the program's integrity. These attacks are launched through the program's attack surface: the set of entry points that an attacker can use to launch attacks against it. The more features a program has and the more complex it is, the larger its attack surface, and a program with a larger attack surface is exposed to more threats from outside. Understanding and accurately measuring the attack surface is therefore an important barometer of a program's security, and doing so has been a challenging open problem in the security research community. In this thesis, we build a runtime monitoring tool that measures and obtains an accurate assessment of a program's attack surface using its access control policy. Since every entry point of a program could potentially be part of the attack surface, merely identifying entry points would generate many false positives. We use the integrity wall constructed from the program's access policy to classify the program's MAC policy labels into trusted labels and untrusted labels. This identifies only those entry points that allow input with untrusted labels to enter the program and hence are part of the attack surface. The runtime monitoring tool collects all the interfaces where access happens between trusted and untrusted labels. Using this tool, we identify interfaces that have led to several known vulnerabilities. For the httpd web server, we identified 56 interfaces, of which 9 receive untrusted input. These entry points have been associated with a number of vulnerabilities that have been exploited by attackers.