TY - GEN
T1 - Diversification of system calls in linux binaries
AU - Rauti, Sampsa
AU - Laurén, Samuel
AU - Hosseinzadeh, Shohreh
AU - Mäkelä, Jari Matti
AU - Hyrynsalmi, Sami
AU - Leppänen, Ville
PY - 2015
Y1 - 2015
N2 - This paper studies the idea of using large-scale diversification to protect operating systems and make malware ineffective. The idea is to first diversify the system call interface on a specific computer so that it becomes very challenging for a piece of malware to access resources, and to combine this with the recursive diversification of system library routines indirectly invoking system calls. Because of this unique diversification (i.e. a unique mapping of system call numbers), a large group of computers would have the same functionality but differently diversified software layers and user applications. A malicious program now becomes incompatible with its environment. The basic flaw of operating system monoculture - the vulnerability of all software to the same attacks - would be fixed this way. Specifically, we analyze the presence of system calls in the ELF binaries. We study the locations of system calls in the software layers of Linux and examine how many binaries in the whole system use system calls. Additionally, we discuss the different ways system calls are coded in ELF binaries and the challenges this causes for the diversification process. Also, we present a diversification tool and suggest several solutions to overcome the difficulties faced in system call diversification. The amount of problematic system calls is small, and our diversification tool manages to diversify the clear majority of system calls present in standard-like Linux configurations. For diversifying all the remaining system calls, we consider several possible approaches.
AB - This paper studies the idea of using large-scale diversification to protect operating systems and make malware ineffective. The idea is to first diversify the system call interface on a specific computer so that it becomes very challenging for a piece of malware to access resources, and to combine this with the recursive diversification of system library routines indirectly invoking system calls. Because of this unique diversification (i.e. a unique mapping of system call numbers), a large group of computers would have the same functionality but differently diversified software layers and user applications. A malicious program now becomes incompatible with its environment. The basic flaw of operating system monoculture - the vulnerability of all software to the same attacks - would be fixed this way. Specifically, we analyze the presence of system calls in the ELF binaries. We study the locations of system calls in the software layers of Linux and examine how many binaries in the whole system use system calls. Additionally, we discuss the different ways system calls are coded in ELF binaries and the challenges this causes for the diversification process. Also, we present a diversification tool and suggest several solutions to overcome the difficulties faced in system call diversification. The amount of problematic system calls is small, and our diversification tool manages to diversify the clear majority of system calls present in standard-like Linux configurations. For diversifying all the remaining system calls, we consider several possible approaches.
U2 - 10.1007/978-3-319-27998-5_2
DO - 10.1007/978-3-319-27998-5_2
M3 - Conference contribution
AN - SCOPUS:84958040185
SN - 9783319279978
T3 - Lecture Notes in Computer Science
SP - 15
EP - 35
BT - Trusted Systems - 6th International Conference, INTRUST 2014, Revised Selected Papers
PB - Springer-Verlag
T2 - 6th International Conference on Trusted Systems, INTRUST 2014
Y2 - 16 December 2014 through 17 December 2014
ER -