Building Dynamic System Call Sandbox with Partial Order Analysis
Offered By: ACM SIGPLAN via YouTube
Course Description
Overview
Explore a 19-minute conference talk from OOPSLA 2023 that introduces a novel approach to building dynamic system call sandboxes using partial order analysis. Learn how this technique gradually disables access to unnecessary system calls during program execution, enhancing operating system security by reducing the attack surface. Discover how the proposed method transforms programs into partially ordered graphs, enabling efficient identification of required system calls at any point during runtime. Examine the evaluation results showing improved performance compared to state-of-the-art sandboxing techniques, with an average of 23.50 more restricted system calls and the ability to defeat 83.42% of exploitation payloads with minimal overhead. Gain insights into the potential applications for web servers, databases, and other widely-used programs to enhance their security posture.
Syllabus
[OOPSLA23] Building Dynamic System Call Sandbox with Partial Order Analysis
Taught by
ACM SIGPLAN
Related Courses
操作系统原理 (Operating Systems) - Peking University via Coursera
Operating System - Indian Institute of Technology Delhi via Swayam
Linux kernel Module and driver Programming for x86 - Udemy
Architecture 2001: x86-64 OS Internals - OpenSecurityTraining2 via Independent
Socket Programming in C - Udemy