Search : [ keyword: system call ] (4)

Quantitative Analysis of Sequence-based Container Security Enhancement using a System Call Sequence Extraction Framework

Somin Song, Youyang Kim, Byungchul Tak

http://doi.org/10.5626/JOK.2023.50.11.913

Container escape is one of the most critical threats in containerized applications that share a host kernel. Attackers exploit kernel vulnerabilities through a series of manipulated system calls to achieve privilege escalation, which can lead to container escape. Seccomp is a security mechanism widely used in containers. It strengthens the level of isolation by filtering out unnecessary system call invocations. However, the filtering mechanism of Seccomp, which blocks individual system calls, has a fundamental limitation in that it can be vulnerable to attacks that use only system calls allowed by the policy. Therefore, this study presents a hybrid analysis framework that combines static and dynamic analyses to extract system call sequences from exploit codes. Using this framework, we compared the security strength of the existing individual system call-based filtering mechanism and the proposed system call sequence-based filtering mechanism in terms of the number of blockable exploit codes, using system call profiles for the same exploit codes. As a result, the proposed system call sequence-based filtering mechanism was able to increase the defense coverage from 63% to 98% compared to the existing individual system call-based filtering mechanism.

Application Monitoring System Design and Implementation using System Call Pattern

Haegeon Jeong, Kyungtae Kang

http://doi.org/10.5626/JOK.2022.49.10.795

A user application consists of a set of functions. An application provides a set of functions to do what the user needs. Applications that provide services such as web servers are very large and complex, making them a target for attackers. As a result of attacks by malicious hackers, application variables and program flow are distorted, leading to the hijacking of system administrator privileges or abnormal operations. In this paper, we designed and implemented a system that collects an application's system calls and detects anomalies in applications through the collected patterns. As a result of measuring the overhead through the implemented system, it was found that when about 1 million system calls were monitored, it had an overhead of about 0.8 seconds. This is about 1/28 of the overhead time of existing tools such as strace.

Malware Classification Possibility based on Sequence Information

Tae-Uk Yun, Chan-Soo Park, Tae-Gyu Hwang, Sung Kwon Kim

http://doi.org/10.5626/JOK.2017.44.11.1125

LSTM (Long Short-term Memory) is a kind of RNN (Recurrent Neural Network) in which the next state is updated by remembering the previous states. The calling-sequence information of a malware sample can be defined as the system call function that is called at each time step. In this paper, we use calling sequences of system calls in malware codes as input for malware classification, to utilize the feature of remembering previous states via LSTM. We run an experiment to show that our method can classify malware, and measure accuracy by changing the length of the system call sequences.

Consideration of fsync() of the Ext4 File System According to Kernel Version

Seongbae Son, Yoenjin Noh, Dokeun Lee, Sungsoon Park, Youjip Won

http://doi.org/

The Ext4 file system is widely used in various computing environments such as those of the PC, the server, and the Linux-based embedded system. Ext4, which uses a buffer for block I/O, provides the fsync() system call to applications to guarantee the consistency of a specific file. A number of analytical studies regarding the operation of Ext4 and the improvement of its performance have been compiled, but it has not been studied in detail in terms of kernel versions. We find that the behavior of the fsync() system call differs depending on the kernel version. Among the kernel versions between 3.4.0 and 4.7.2, versions 3.4.0, 3.8.0, and 4.6.2 showed behavioral differences regarding the fsync() system call. The latency of fsync() in kernel 3.4.0 is longer than that of the more advanced 3.7.10; meanwhile, the characteristics of 3.8.0 enabled the disruption of the Ext4 journaling order, but this ordering defect was solved in 4.6.2.

Journal of KIISE

  • ISSN : 2383-630X(Print)
  • ISSN : 2383-6296(Electronic)
  • KCI Accredited Journal