Component-Oriented Monitoring of Binaries for Security

Security monitoring systems operate typically at the process level. Various authors have indicated that monitoring at a finer level of granularity than the process is highly desirable. In this paper, we introduce COMB, a framework for imposing policies to confine the behavior of applications. Unlike previous approaches, our technique is applied per component (functions, libraries, and/or plugins) while requiring only the availability of the binary executable form of the program. To demonstrate the feasibility of COMB, we report a case study on a real-world, representative program, the Firefox web browser. Two characteristics of Firefox permit possibly untrusted code to be executed. First, it provides an extensible architecture to allow third-party developers to extend its functionality, and second it makes use of more than 150 external libraries. Using a simple system-call monitoring policy applied to Firefox plugins, we show that COMB can provide protection with reasonable overhead.