Reference:
In Proceedings of the Internet Society's 2003 Symposium on Network and Distributed System Security.
Abstract:
System call interposition is a powerful method for regulating and
monitoring application behavior. In recent years, a wide variety
of security tools have been developed that use this technique.
This approach brings with it a host of pitfalls for the unwary
implementer that, if overlooked, can allow the tool to be easily
circumvented. To shed light on these problems, we present the lessons we
learned in the course of several design and implementation cycles with our
own system call interposition-based sandboxing tool. We first present
some of the problems and pitfalls we encountered, including incorrectly
replicating OS semantics, overlooking indirect paths to resources, race
conditions, incorrectly subsetting a complex interface, and side effects
of denying system calls. We then present some practical solutions to
these problems, and provide general principles for avoiding the
difficulties we encountered.
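Two of the pitfalls named above, incorrectly replicating OS semantics and overlooking indirect paths to resources, can be seen in a single policy check. The following is an added illustration, not code from the paper or its sandboxing tool: a pathname check that decides on the raw string argument, beside one that resolves the path the way the kernel will before deciding. The directory layout, file names and the `naive_allowed`/`resolved_allowed` helpers are all constructed here.

```python
import os
import tempfile

# Constructed example: an interposition policy that inspects the pathname
# string a system call was given, versus one that resolves it first.

def naive_allowed(path: str, sandbox_root: str) -> bool:
    """Decide on the argument string only, the way a first-cut tool might.
    This re-implements only part of the OS's path semantics."""
    return path.startswith(sandbox_root + os.sep)

def resolved_allowed(path: str, sandbox_root: str) -> bool:
    """Resolve symlinks and '..' first so the decision applies to the file
    the kernel would actually open, then confine it to the sandbox root."""
    real = os.path.realpath(path)
    root = os.path.realpath(sandbox_root)
    return os.path.commonpath([real, root]) == root

def build_fixture() -> tuple:
    """Create sandbox/ and secret/ side by side, plus two indirect paths into
    secret/ whose string form begins inside sandbox/ (constructed data)."""
    base = tempfile.mkdtemp()
    sandbox = os.path.join(base, "sandbox")
    secret = os.path.join(base, "secret")
    os.mkdir(sandbox)
    os.mkdir(secret)
    target = os.path.join(secret, "key")
    with open(target, "w") as f:
        f.write("constructed secret\n")
    os.symlink(target, os.path.join(sandbox, "link"))  # points out of the sandbox
    cases = {
        "honest": os.path.join(sandbox, "data.txt"),
        "symlink": os.path.join(sandbox, "link"),
        "dotdot": os.path.join(sandbox, "..", "secret", "key"),
    }
    return sandbox, cases

def evaluate(sandbox: str, cases: dict) -> dict:
    """Return {case name: (naive verdict, resolved verdict)}."""
    return {name: (naive_allowed(p, sandbox), resolved_allowed(p, sandbox))
            for name, p in cases.items()}

if __name__ == "__main__":
    for name, (naive, resolved) in evaluate(*build_fixture()).items():
        print(f"{name:8s} naive={naive} resolved={resolved}")
```

The resolving check still leaves the race condition the abstract lists: the symlink can be replaced between the monitor's resolution and the kernel's own lookup, so a check performed on a copy of the argument is never fully equivalent to the operation the kernel finally carries out.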
Full paper: [ps] [pdf] [Bibtex Entry]