Methods and systems for system call reduction

Inventors

Sun, Kun; Lei, Lingguang

Assignees

George Mason University

Publication Number

US-11663337-B2

Publication Date

2023-05-30

Expiration Date

2039-07-22



Abstract

Disclosed are methods and systems for system call reduction. An application container may be used to encapsulate an application and to determine an operation state of the application. Based on the application state, the application container may determine one or more allowable system calls for the application. The application container may restrict access to one or more system calls excluded from the one or more allowable system calls.

Core Innovation

The invention provides methods and systems for system call reduction using an application container that determines the operation state of an application it encapsulates. The operation states may include boot-up, execution, and shut-down. Based on the detected operation state, the container identifies one or more allowable system calls required by the application at that phase. These necessary system calls are determined by either monitoring previous executions or by parsing the source code to extract the functions and correspondingly used system calls.

Once the allowable system calls for each operation state are determined, the application container enforces restrictions, permitting only those system calls that are necessary for the current phase. The restriction is achieved by using filters such as seccomp filters, which may be dynamically changed as the application moves between phases like booting and running. The booting phase and running phase are separately profiled to determine distinct sets of system calls, and the list of permitted system calls is updated according to the application's lifecycle.
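As an added illustration (not code from the patent or from the inventors), the following Python sketch derives one seccomp allow-list per lifecycle phase from a constructed, phase-tagged syscall trace and emits each list in Docker's seccomp-profile JSON shape, which a container runtime can load from outside the container; the trace contents and the phase names "boot" and "run" are assumptions.

```python
from collections import defaultdict

# Constructed, strace-like syscall trace tagged by lifecycle phase
# (illustrative sample only, not data from the patent or a real profiling run).
TRACE = """\
boot execve
boot openat
boot read
boot socket
boot bind
boot listen
boot clone
run accept4
run read
run write
run sendfile
run epoll_wait
run close
"""

def parse_trace(text):
    """Group observed syscall names by phase, keeping first-seen order."""
    phases = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip blank or malformed trace lines
        phase, name = parts
        if name not in phases[phase]:
            phases[phase].append(name)
    return dict(phases)

def build_profile(allowed):
    """Docker-style seccomp profile: deny by default, allow only profiled calls."""
    return {
        "defaultAction": "SCMP_ACT_ERRNO",
        "architectures": ["SCMP_ARCH_X86_64"],
        "syscalls": [{"names": sorted(allowed), "action": "SCMP_ACT_ALLOW"}],
    }

def phase_profiles(trace_text):
    """One allow-list profile per phase, ready to hand to the runtime."""
    return {p: build_profile(n) for p, n in parse_trace(trace_text).items()}

def transition_diff(profiles, src, dst):
    """Calls that stop being permitted, and calls newly needed, on src -> dst."""
    names = lambda p: set(profiles[p]["syscalls"][0]["names"])
    a, b = names(src), names(dst)
    return {"dropped": a - b, "added": b - a}
```

The `dropped` set is what the running-phase filter removes from the attack surface once boot-up is over; because seccomp filters installed inside a process only stack and can never be loosened, any `added` calls must be handled by the enforcement component outside the container rather than by the application itself.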

This innovation addresses the inadequacy in prior approaches, where containers generally allow a superset of system calls for all applications, thereby leaving unnecessary system calls available and broadening the attack surface. The invention customizes the set of permitted system calls for each application and for each phase, reducing potential attack vectors available to malware by limiting the system calls to only those required for normal operation in a given phase.

Claims Coverage

The patent claims cover three primary inventive features relating to determining and restricting allowable system calls for applications within containers in distinct operation states.

Determining and restricting system calls based on application operation state

An application container encapsulates an application and determines the current operation state, which is associated with an execution phase such as boot-up or running. Based on at least one filter for that state, the container determines allowable system calls for the current operation state and restricts other system calls associated with different operation states by enforcing the determined filter.

Apparatus for filtering system calls according to execution phase

An apparatus includes at least one processor and memory storing processor-executable instructions so that, when executed, the apparatus: determines the application's current operation state, determines allowable system calls for that state using a corresponding filter, and restricts other system calls linked to a different operation state, ensuring only required calls for the active phase are permitted.

Non-transitory computer-readable medium for dynamic system call filtering

A non-transitory computer-readable medium stores instructions which, when executed, cause one or more computing devices to: determine an application's operation state within a container, determine one or more allowable system calls for that state based on a filter, and restrict other system calls associated with different application states, ensuring phase-specific system call access.

The inventive features collectively establish a mechanism to dynamically determine and restrict system calls for applications in containers based on operation state, leveraging filters to provide phase-specific system call access.

Stated Advantages

Reduces the attack vector for malware by allowing only the specific system calls required for each application and operation state.

Provides a smaller set of available system calls compared to traditional approaches, minimizing security risks.

Does not require changes to the application container image, as profiling and constraint setting occur outside the container.

Allows dynamic adjustment of system call permissions as the application transitions between phases such as boot-up and running.

Documented Applications

Deployment of web applications using web server containers (e.g., nginx, Tomcat, httpd, php).

Deployment of data store containers (e.g., MySQL, Redis, MongoDB, Postgres).
