• DocumentCode
    1581896
  • Title
    System Call Interception Framework for Data Leak Prevention
  • Author
    Balinsky, Helen ; Perez, David Subirós ; Simske, Steven J.
  • Author_Institution
    Hewlett-Packard Labs., Bristol, UK
  • fYear
    2011
  • Firstpage
    139
  • Lastpage
    148
  • Abstract
    In this paper, we describe the feasibility and practical study of the recently proposed idea for data leak prevention (DLP) based on end-point policy enforcement. The most reassuring way to prevent sensitive data leak is to thwart sensitive data export before it has a chance to occur. Using a System Call Interception (SCI) technique we investigate the possibility of automatically detecting and amending a non-desired, policy breaching behavior at the "intention" stage: as the corresponding system call is called by an application, but before the action has been accomplished. The SCI method is especially valuable for "black box" applications, for which source code is not available. In our system, we catalog the system calls involved in the DLP events, and reduce our SCI to the minimum necessary set of system calls associated with the sensitive, DLP-requiring tasks. We describe the system behavior for several different applications that we have studied to date.
  • Keywords
    security of data; SCI method; black box applications; data leak prevention; data security; end-point policy enforcement; intention stage; system behavior; system call interception technique; Companies; Cryptography; Electronic mail; Printers; Sensitivity; Servers; Universal Serial Bus; data leak prevention; policy enforcement; security; system calls interception;
  • fLanguage
    English
  • Publisher
    IEEE
  • Conference_Titel
    Enterprise Distributed Object Computing Conference (EDOC), 2011 15th IEEE International
  • Conference_Location
    Helsinki
  • ISSN
    1541-7719
  • Print_ISBN
    978-1-4577-0362-1
  • Electronic_ISBN
    1541-7719
  • Type
    conf
  • DOI
    10.1109/EDOC.2011.19
  • Filename
    6037568