Hi Darwin team,

I am not sure if this is the right place to discuss this, but it's the closest I have found. Please suggest other forums if this is inappropriate here.

I would like to suggest and discuss an enhancement to the "seatbelt" sandbox system that ships with Leopard. Currently, the sandbox seems to be merely a static system call filter. I think this already provides additional security for the processes using it, and my guess is that Apple will extend this in future versions of Mac OS X. However, I recently came across a technology that would, in my opinion, provide great benefit to seatbelt.

The technology is called "model-carrying code" (MCC). The idea was published at the SOSP 2003 conference. The paper is available for download, for example here:
http://seclab.cs.sunysb.edu/seclab1/pubs/papers/sosp03.pdf

In a nutshell: this also implements a system call filter (that's why I think it fits seatbelt's model nicely), but instead of being a static filter, MCC provides stateful dynamic filtering. It has to be trained to capture an application's normal behavior (this could be supplemented with static code analysis) and can then be enabled to detect abnormal behavior (e.g. control flow taken over by an attacker) at runtime. It will catch more attack scenarios than a static filter.

I just wanted to raise awareness of this technology amongst the Darwin hackers. Maybe someone thinks this is a nice idea.

Michael Roitzsch

_______________________________________________
Darwin-kernel mailing list (Darwin-kernel@lists.apple.com)
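The difference the post draws between a static system call filter and a stateful, trained model, shown as an added toy example. This is not code from the post, from the MCC paper, or from Apple's seatbelt. It assumes system call traces are available as lists of call names, uses constructed training traces for a hypothetical file-copying tool, and stands in for the paper's model with a plain n-gram transition model (the paper's own model representation is richer and is not reproduced here). The "attack" traces are constructed: one reorders calls that are all individually allowed, the other introduces a call never seen in training.

```python
"""Toy comparison of a static syscall allow-list with a stateful n-gram model.
Added example; not code from the mailing list post, the MCC paper, or seatbelt."""
from collections import defaultdict

START, END = "<start>", "<end>"

# Constructed training traces for a hypothetical file-copying utility
# (assumption: one trace = one run, calls recorded in order, arguments ignored).
NORMAL_TRACES = [
    ["open", "read", "write", "close", "exit"],
    ["open", "read", "write", "read", "write", "close", "exit"],
    ["open", "close", "exit"],  # empty input file
]

# Constructed abnormal traces.  REORDERED_TRACE uses only calls seen in training
# but in an order never observed (two writes in a row); NEW_CALL_TRACE adds a
# call the program never made during training.
REORDERED_TRACE = ["open", "read", "write", "write", "close", "exit"]
NEW_CALL_TRACE = ["open", "read", "write", "mprotect", "exit"]


class StaticFilter:
    """Stateless allow-list: a call passes if it appeared anywhere in training."""

    def __init__(self):
        self.allowed = set()

    def train(self, trace):
        self.allowed.update(trace)

    def check(self, trace):
        """Return (index, call) for every call outside the allow-list."""
        return [(i, c) for i, c in enumerate(trace) if c not in self.allowed]


class NGramModel:
    """Stateful model: for each window of the n-1 preceding calls, the set of
    calls observed to follow it.  With n=2 this is a plain transition graph."""

    def __init__(self, n=2):
        self.n = n
        self.successors = defaultdict(set)

    def _windows(self, trace):
        # Pad with START so the first call has a context, and append END so a
        # trace that stops at an unexpected point is also a violation.
        padded = [START] * (self.n - 1) + list(trace) + [END]
        for i in range(self.n - 1, len(padded)):
            # (context, call, index in the original trace); END gets len(trace)
            yield tuple(padded[i - self.n + 1:i]), padded[i], i - (self.n - 1)

    def train(self, trace):
        for ctx, call, _ in self._windows(trace):
            self.successors[ctx].add(call)

    def check(self, trace):
        """Return (index, context, call) for every transition absent from the model."""
        return [(idx, ctx, call)
                for ctx, call, idx in self._windows(trace)
                if call not in self.successors.get(ctx, ())]


def run_demo(n=2):
    """Train both monitors on NORMAL_TRACES and check the two abnormal traces."""
    static, model = StaticFilter(), NGramModel(n)
    for trace in NORMAL_TRACES:
        static.train(trace)
        model.train(trace)
    return {
        "static_reordered": static.check(REORDERED_TRACE),
        "model_reordered": model.check(REORDERED_TRACE),
        "static_new_call": static.check(NEW_CALL_TRACE),
        "model_new_call": model.check(NEW_CALL_TRACE),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result or 'no violations'}")
```

The static filter accepts the reordered trace outright, because every call in it is individually permitted; the transition model flags the second write, which is the kind of "all calls allowed, but not in this order" deviation that a hijacked control flow tends to produce. The same mechanism is also the model's weakness: any benign sequence that did not occur during training is flagged too, so the coverage of the training runs (or the static analysis the post mentions as a supplement) decides the false-positive rate. Argument values are ignored here entirely; a real policy would need them to tell a write to a log file from a write to an arbitrary path.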