Component-Oriented Monitoring of Binaries for Security
Security monitoring systems typically operate at the process level. Various authors have indicated that monitoring at a finer level of granularity than the process is highly desirable. In this paper, we introduce COMB, a framework for imposing policies to confine the behavior of applications. Unlike previous approaches, our technique is applied per component (functions, libraries, and/or plugins) while requiring only the availability of the binary executable form of the program. To demonstrate the feasibility of COMB, we report a case study on a real-world, representative program, the Firefox web browser. Two characteristics of Firefox permit possibly untrusted code to be executed. First, it provides an extensible architecture to allow third-party developers to extend its functionality, and second, it makes use of more than 150 external libraries. Using a simple system-call monitoring policy applied to Firefox plugins, we show that COMB can provide protection with reasonable overhead.

and plugins. The policies that COMB enforces include those associated with sequences of actions, including sequences involving multiple components. In typical applications, process-level monitoring forces identical monitoring policies to be applied to the entire program. We refer to such monitoring techniques as coarse-grained. Several authors have observed that fine-grained monitoring, as provided by COMB, would improve the accuracy of many security techniques.
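As an added illustration of the contrast the abstract draws between coarse-grained (process-level) and fine-grained (per-component) policies, and not code from the paper or from COMB itself: a small Python monitor that applies constructed per-component system-call allow-lists plus one sequence policy spanning two components to a constructed event trace. The component names, the policies and the trace are assumptions made for this example.

```python
from collections import deque

# Constructed illustration (not the paper's code): per-component syscall allow-lists.
COMPONENT_POLICY = {
    "browser_core": {"open", "read", "write", "mmap", "socket", "connect"},
    "plugin_untrusted": {"read", "write", "mmap"},
}
# Sequence policy across components: plugin mmap later followed by any (None) connect.
SEQUENCE_POLICIES = [[("plugin_untrusted", "mmap"), (None, "connect")]]

def coarse_grained_decision(syscall):
    # Process-level monitoring: one policy for the whole process, in practice
    # the union of everything any component legitimately needs.
    return "allow" if syscall in set().union(*COMPONENT_POLICY.values()) else "deny"

class ComponentMonitor:
    def __init__(self, window=8):
        self.history = deque(maxlen=window)  # recent (component, syscall) events

    def _ends_with(self, pattern):
        # True if `pattern` occurs in order (gaps allowed) and ends at the newest event.
        steps = list(pattern)
        for comp, call in reversed(self.history):
            pc, pcall = steps[-1]
            if call == pcall and (pc is None or pc == comp):
                steps.pop()
                if not steps:
                    return True
            elif len(steps) == len(pattern):
                return False  # most recent event is not the pattern's last step
        return False

    def observe(self, component, syscall):
        # Fine-grained decision: per-component allow-list, then sequence rules.
        if syscall not in COMPONENT_POLICY.get(component, set()):
            return ("deny", f"{component} may not call {syscall}")
        self.history.append((component, syscall))
        for pattern in SEQUENCE_POLICIES:
            if self._ends_with(pattern):
                self.history.pop()  # a blocked event never happened
                return ("deny", f"sequence policy {pattern} matched")
        return ("allow", "")

def run_trace(trace):
    # (component, syscall, coarse verdict, fine verdict) for each constructed event.
    mon = ComponentMonitor()
    return [(c, s, coarse_grained_decision(s), mon.observe(c, s)) for c, s in trace]

SAMPLE_TRACE = [("browser_core", "open"), ("plugin_untrusted", "read"),
                ("plugin_untrusted", "connect"),  # coarse: allow; fine: deny (allow-list)
                ("plugin_untrusted", "mmap"), ("browser_core", "socket"),
                ("browser_core", "connect")]  # coarse: allow; fine: deny (sequence)
```

The process-level policy allows every event in the trace because the union of component needs includes `connect`, while the per-component monitor blocks the plugin's direct `connect` and the core's `connect` that follows the plugin's `mmap`.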
Note: Abstract extracted from PDF text
All rights reserved (no additional license for public reuse)
Rajkumar, Raghavendra, Andrew Wang, Jason Hiser, Anh NguyenTuong, Jack Davidson, and John Knight. "Component-Oriented Monitoring of Binaries for Security." University of Virginia Dept. of Computer Science Tech Report (2009).
University of Virginia, Department of Computer Science