2011 44th Hawaii International Conference on System Sciences (2011)
Jan. 4, 2011 to Jan. 7, 2011
Security monitoring systems typically operate at the process level. Various authors have indicated that monitoring at a finer level of granularity than the process is highly desirable. In this paper, we introduce COMB, a framework for imposing policies that confine the behavior of applications. Unlike previous approaches, our technique is applied per component (functions, libraries, and/or plugins) while requiring only the availability of the binary executable form of the program. To demonstrate the feasibility of COMB, we report a case study on a real-world, representative program, the Firefox web browser. Two characteristics of Firefox permit possibly untrusted code to be executed. First, it provides an extensible architecture that allows third-party developers to extend its functionality, and second, it makes use of more than 150 external libraries. Using a simple system-call monitoring policy applied to Firefox plugins, we show that COMB can provide protection with reasonable overhead.
authorisation, computerised monitoring, online front-ends, supervisory programs
R. Rajkumar, A. Wang, J. D. Hiser, A. Nguyen-Tuong, J. W. Davidson and J. C. Knight, "Component-Oriented Monitoring of Binaries for Security," 2011 44th Hawaii International Conference on System Sciences (HICSS), Kauai, Hawaii, USA, 2011, pp. 1-10.