Operating system enhancements to prevent the misuse of system calls

Authors: Massimo Bernaschi, Emanuele Gabrielli, Luigi V. Mancini

DOI: 10.1145/352600.352624

Keywords: System call; Unix; Computer science; Isolation (database systems); Source code; Operating system; Access control; Block (data storage); Kernel (statistics); Process (computing)

Abstract: We propose a cost-effective mechanism to control the invocation of system calls that are critical from the security viewpoint. The integration into existing UNIX operating systems is carried out by instrumenting the code of the system calls so that the call itself, once invoked, checks to see whether the invoking process and the argument values passed comply with the rules held in an access database. This method provides simple interception of both the calls and their argument values and does not require changes to kernel data structures or algorithms. All modifications are transparent to application processes, which can continue to work correctly without needing source code changes or re-compilation. A working prototype has been implemented inside the Linux operating system; it is able to detect and block also buffer overflow based attacks.
