Sandboxing PHP Applications with Tailored System Call Allowlists
The main idea of software debloating is to reduce software's attack surface by removing pieces of code that are not required by users. In this study, we identify the current challenges with applying the principle of least privilege(PoLP) to interpreted PHP applications, and propose a novel generic approach to derive system-call policies automatically for individual interpreted programs. Our evaluation shows that Saphire can successfully prevents 21 historic remote code execution(RCE) exploits with negligible performance overhead (i.e., <2% in the worst case)
The paper is available at https://www.usenix.org/system/files/sec21summer_bulekov.pdf
This system is comprised of three steps:
We are a team of security researchers at SecLab, Boston University (https://seclab.bu.edu/).
For any queries or questions contact Alexander Bulekov at [email protected] or Rasoul Jahanshahi at [email protected]