Towards an automated generation of application confinement policies with binary analysis

Abstract

Application-based access control technologies are used to protect systems from malicious or compromised software. Existing rule-based access control systems rely on a comprehensive policy, which defines the resources an application is allowed to access. The generation of these policies is a hard and error-prone task for system engineers. In this work, we provide a framework to automate this task and a proof-of-concept implementation that uses binary analysis to generate a model of the resource requirements of an application. We use a new approach to refine the policy by connecting different accesses to the same resource via their least common ancestor (LCA) in the call graph. Moreover, we tested the proposed methods with a commonly used web-server and they show a high potential to significantly simplify the policy generation process.