Paladin: Helping Programs Help Themselves with Internal System Call Interposition

In large software systems some code may not be under the direct control of security conscious developers. This situation arises when dealing with third party libraries, plugins added by users, or code written by a large team’s novice programmer. Securing the whole system is difficult as an error in a library or a malicious plugin can compromise the entire program. To mitigate this, it is desirable for applications to sandbox their less trusted components. In this work we propose Paladin, a simple, lightweight kernel extension that allows application developers to specify security policies on sub-components of an application. Based on the observation that system calls are the only way to adversely affect the world outside of the program, Paladin policies restrict trusted modules by limiting their system call behavior. Policies are installed in layers—a vector of function pointers specifying the policy functions that guard each system call. Layers of policies can be dynamically pushed and popped via new kernel calls as applications enter and leave less trusted modules. Whenever the application makes a system call, the Paladin-enhanced kernel consults each installed policy vector to determine if the call should be permitted or denied.