SPLASH 2020
Sun 15 - Sat 21 November 2020 Online Conference
Wed 18 Nov 2020 12:00 - 12:20 at SPLASH-I - W-3 Chair(s): Eelco Visser, Dan Barowy
Thu 19 Nov 2020 00:00 - 00:20 at SPLASH-I - W-3 Chair(s): Alex Potanin, Yuting Wang

System call whitelisting is a powerful sandboxing approach that can significantly reduce the capabilities of an attacker if an application is compromised. Given a policy that specifies which system calls can be invoked with what arguments, a sandboxing framework terminates any execution that violates the policy.
While this mechanism greatly reduces the attack surface of a system, manually constructing these policies is time-consuming and error-prone. As a result, many applications, including those that take untrusted user input, opt not to use a system call sandbox.

Motivated by this problem, we propose a technique for automatically constructing system call whitelisting policies for a given application and policy DSL. Our method combines static code analysis and program synthesis to construct sound and precise policies that never erroneously terminate the application, while restricting the program's system call usage as much as possible.
We have implemented our approach in a tool called Abhaya and experimentally evaluate it on 493 Linux and OpenBSD applications by automatically synthesizing Seccomp-bpf and Pledge policies. Our experimental results indicate that Abhaya can efficiently generate useful and precise sandboxes for real-world applications.
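The kind of policy the abstract refers to, as an added example that is neither Abhaya's output nor code from the paper: a hand-written seccomp-bpf whitelist for x86-64 Linux that permits read, write, exit_group and openat, with openat further constrained to read-only flags, and kills the process on anything else. Because seccomp filters are classic BPF programs, the example also carries a small userland interpreter for the four instruction forms the filter uses, so the policy's decisions can be inspected without installing it. The syscall set, the flag mask and the function names (policy_allows, install_policy, evaluate) are illustrative assumptions.

```c
/* Added example (not from the paper or the Abhaya tool): a hand-written
 * seccomp-bpf whitelist for x86-64 Linux plus a tiny userland interpreter
 * for the classic-BPF subset it uses. Syscall set, flag mask and names are
 * illustrative assumptions. Build with: cc -Wall -o sandbox sandbox.c */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#ifndef SECCOMP_RET_KILL_PROCESS          /* pre-4.14 uapi headers only define KILL (thread) */
#define SECCOMP_RET_KILL_PROCESS 0x80000000U
#endif

/* Offsets into struct seccomp_data, the record the kernel hands to the filter. */
#define SC_ARCH   offsetof(struct seccomp_data, arch)
#define SC_NR     offsetof(struct seccomp_data, nr)
#define SC_ARG(i) (offsetof(struct seccomp_data, args) + (i) * sizeof(uint64_t))

/* Any of these in openat's flags would turn it into a write; only read-only opens pass. */
#define WRITE_FLAGS (O_WRONLY | O_RDWR | O_CREAT | O_TRUNC)

/* Jump targets are relative: next pc = pc + 1 + (cond ? jt : jf). */
static struct sock_filter policy[] = {
    /*  0 */ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SC_ARCH),
    /*  1 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0), /* other ABI -> 2 */
    /*  2 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    /*  3 */ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SC_NR),
    /*  4 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_read,       7, 0), /* -> 12 allow */
    /*  5 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_write,      6, 0), /* -> 12 allow */
    /*  6 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_exit_group, 5, 0), /* -> 12 allow */
    /*  7 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_openat,     1, 0), /* -> 9 check args */
    /*  8 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),        /* unlisted syscall */
    /*  9 */ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SC_ARG(2)),             /* low 32 bits of flags */
    /* 10 */ BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K, WRITE_FLAGS, 0, 1),    /* write bit set -> 11 */
    /* 11 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    /* 12 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};
#define POLICY_LEN (sizeof policy / sizeof policy[0])

/* Interpreter for the instruction forms used above (LD ABS, JEQ K, JSET K, RET K).
 * Returns the SECCOMP_RET_* action the kernel would take; anything unknown fails closed. */
uint32_t evaluate(const struct sock_filter *prog, size_t len, const struct seccomp_data *d)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *in = &prog[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            memcpy(&acc, (const char *)d + in->k, sizeof acc); /* 32-bit load, little-endian */
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (acc == in->k) ? in->jt : in->jf;
            break;
        case BPF_JMP | BPF_JSET | BPF_K:
            pc += (acc & in->k) ? in->jt : in->jf;
            break;
        case BPF_RET | BPF_K:
            return in->k;
        default:
            return SECCOMP_RET_KILL_PROCESS;
        }
    }
    return SECCOMP_RET_KILL_PROCESS; /* ran off the end: also fail closed */
}

/* 1 if the policy lets the call through, 0 if the kernel would kill the process. */
int policy_allows_arch(uint32_t arch, int nr, uint64_t a0, uint64_t a1, uint64_t a2)
{
    struct seccomp_data d = { .nr = nr, .arch = arch };
    d.args[0] = a0; d.args[1] = a1; d.args[2] = a2;
    return evaluate(policy, POLICY_LEN, &d) == SECCOMP_RET_ALLOW;
}

int policy_allows(int nr, uint64_t a0, uint64_t a1, uint64_t a2)
{
    return policy_allows_arch(AUDIT_ARCH_X86_64, nr, a0, a1, a2);
}

/* Install on the calling thread. NO_NEW_PRIVS is required for an unprivileged caller
 * and also stops a filter from being used to confuse a later setuid/setgid execve. */
int install_policy(void)
{
    struct sock_fprog prog = { .len = POLICY_LEN, .filter = policy };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

int main(void)
{
    printf("openat(O_RDONLY)         -> %s\n", policy_allows(__NR_openat, (uint64_t)AT_FDCWD, 0, O_RDONLY) ? "allow" : "kill");
    printf("openat(O_WRONLY|O_CREAT) -> %s\n", policy_allows(__NR_openat, (uint64_t)AT_FDCWD, 0, O_WRONLY | O_CREAT) ? "allow" : "kill");
    printf("execve                   -> %s\n", policy_allows(__NR_execve, 0, 0, 0) ? "allow" : "kill");
    fflush(stdout);
    if (install_policy() != 0) {
        perror("seccomp");
        return 1;
    }
    static const char msg[] = "sandboxed: write allowed\n";
    write(STDOUT_FILENO, msg, sizeof msg - 1);               /* whitelisted */
    openat(AT_FDCWD, "/tmp/sandbox-demo", O_WRONLY | O_CREAT, 0600); /* violates arg rule: SIGSYS */
    _exit(0);                                                 /* never reached */
}
```

Two details matter in practice. The architecture check at the top is not optional: on a kernel with 32-bit compat enabled, the same syscall number means a different call under the i386 ABI, so a filter keyed only on `nr` can be bypassed by switching ABI. The argument rule reads only the low 32 bits of `args[2]`, which is where the `int flags` argument of openat lives on x86-64; a filter that needs a full 64-bit comparison has to load and compare both halves. OpenBSD's pledge(2) is coarser than this: a call such as `pledge("stdio rpath", NULL)` grants whole promise classes rather than individual syscalls with argument constraints, so a Pledge policy for the same program is a list of promises rather than a filter program.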

Wed 18 Nov

Displayed time zone: Central Time (US & Canada)

11:00 - 12:20  W-3: OOPSLA at SPLASH-I (repeated +12h)
Chair(s): Eelco Visser (Delft University of Technology), Dan Barowy (Williams College)

11:00  20m  Talk  Build Scripts with Perfect Dependencies (OOPSLA)
       Sarah Spall (Indiana University), Neil Mitchell (Facebook), Sam Tobin-Hochstadt (Indiana University)
11:20  20m  Talk  Random Testing for C and C++ Compilers with YARPGen (OOPSLA, Distinguished Paper)
       Vsevolod Livinskii (University of Utah), Dmitry Babokin (Intel Corporation), John Regehr (University of Utah)
11:40  20m  Talk  Dynamic Dispatch of Context-Sensitive Optimizations (OOPSLA)
       Gabriel Poesia (Stanford University), Fernando Magno Quintão Pereira (Federal University of Minas Gerais)
12:00  20m  Talk  Automated Policy Synthesis for System Call Sandboxing (OOPSLA, Distinguished Paper)
       Shankara Pailoor (University of Texas at Austin), Xinyu Wang (University of Michigan), Hovav Shacham (University of Texas at Austin), Işıl Dillig (University of Texas at Austin)
23:00 - 00:20  W-3: OOPSLA at SPLASH-I (+12h repeat)
Chair(s): Alex Potanin (Victoria University of Wellington), Yuting Wang (Shanghai Jiao Tong University)

23:00  20m  Talk  Build Scripts with Perfect Dependencies (OOPSLA)
       Sarah Spall (Indiana University), Neil Mitchell (Facebook), Sam Tobin-Hochstadt (Indiana University)
23:20  20m  Talk  Random Testing for C and C++ Compilers with YARPGen (OOPSLA, Distinguished Paper)
       Vsevolod Livinskii (University of Utah), Dmitry Babokin (Intel Corporation), John Regehr (University of Utah)
23:40  20m  Talk  Dynamic Dispatch of Context-Sensitive Optimizations (OOPSLA)
       Gabriel Poesia (Stanford University), Fernando Magno Quintão Pereira (Federal University of Minas Gerais)
00:00  20m  Talk  Automated Policy Synthesis for System Call Sandboxing (OOPSLA, Distinguished Paper)
       Shankara Pailoor (University of Texas at Austin), Xinyu Wang (University of Michigan), Hovav Shacham (University of Texas at Austin), Işıl Dillig (University of Texas at Austin)