Abstract

Programs must retrieve many system resources to execute properly, but there are several classes of vulnerabilities that may befall programs during resource retrieval. These vulnerabilities are difficult for programmers to eliminate because their cause is external to the program: adversaries may control the inputs used to build names, name spaces used to find the target resources, and the target resources themselves to trick victim programs to retrieve resources of the adversaries’ choosing. In this talk, I will present a system mechanism, called the Process Firewall, that protects programs from vulnerabilities during resource retrieval by introspecting into running programs to enforce context-specific rules. Our key insight is that using introspection to prevent such vulnerabilities is safe because we only aim to protect processes, relying on access control to confine malicious processes. I will show that the Process Firewall can prevent many types of vulnerabilities during resource retrieval, including those involving race conditions. I will also show how to perform such introspection and enforcement efficiently, incurring much lower overhead than equivalent program defenses. Finally, I will describe a conceptual model that describes the conditions for safe resource retrieval, and outline how to produce enforceable rules from that model. By following this model, we find that the Process Firewall mechanism can prevent many vulnerabilities during resource retrieval without causing false positives.