Protecting Interpreted Applications with System Call Whitelists

Speaker/Bio

Alexander Oleinik is a PhD student advised by Manuel Egele. His research focuses on web and hypervisor security.

Abstract

Interpreted languages power a variety of applications, including websites, instant messengers, file-sharers, video games, development environments and cloud orchestrators. Since all of these applications rely on the web, attackers have homed in on finding and exploiting vulnerabilities in interpreted applications. Among the most dangerous vulnerabilities plaguing web-facing applications are those of the remote code execution (RCE) flavor. An RCE vulnerability allows an attacker to execute arbitrary code on the victim system. Despite 1,980 web app RCE vulnerabilities discovered in 2018 alone, little prior work addresses them directly. In this talk I explain the key difference between interpreted and native applications, which complicates the use of traditional sandboxing techniques. I present our solution to this problem, which we implement and evaluate for PHP web applications. Our approach applies system-call whitelists to each interpreted program. This effectively reduces the attack surface (i.e., the set of system calls) an exploit can leverage.