Nerus - A Model for Self-Restrictive Native Code
Itay Itzhaky, TAU
Protecting systems from attacks that exploit security vulnerabilities in third party applications or the OS services themselves is a notoriously hard problem. Modern operating systems currently provide only few basic protection mechanisms, mainly for protecting from memory corruption vulnerabilities and limiting access of executing code to the underlying system. The mechanisms for handling memory corruption have many limitations and there are well known techniques for bypassing them altogether. Likewise, The mechanisms for limiting access are based on global security policies that treat application code as blackbox. Global policies tend to be rather coarse, resulting in either over-permissiveness (hence enabling attacks) or over-restrictiveness (thereby interrupting normal behavior).
This work describes the design, implementation, and evaluation of Nerus, a security enhancement for operating systems and native code programming languages. Nerus allows programmers to embed in their code whitelist security policies that dene its expected runtime behavior. The policies are dened in the source code itself. They are compiled normally, and ultimately stored in the output executable image. At runtime, the OS uses the stored policies to determine which privileges to grant for the code. By default, the OS executes the code with least privileges; Elevation of privileges is performed on demand, and only if a previously dened policy allows it. Policies in Nerus are dened locally and hence can target exclusively a very specic portion of the code, and be signicantly more ne grained. The policy language we use is simple. Yet, we argue (based on our experiments) that it is expressive enough for most uses, and show its
applicability for three popular real world, open-source softwares. Security policies are generally aimed at protecting from logical attacks and limiting the potential system-wide damage that the execution of native code might entail. In Nerus we leverage them also to improve existing protections from code injection and code reusing attacks.
We implemented a prototype of Nerus for Windows OS and for the C/C++ programming language. The implementation was feasible with only minor modications to the OS kernel (a single driver), and with no modications at all to the programming language compiler. We experiment with this prototype and show that it is practical and highly eective, and that the performance overheads are negligible.