HODOR: Reducing Attack Surface on Node.js via System Call Limitation

... To address the above challenges, we will present HODOR, a lightweight system call level protection mechanism designed for Node.js applications. HODOR begins with cross-language and combined static-dynamic call graph analysis for both applications and the Node.js framework. This step involves proposing optimizations to enhance state-of-the-art call graph building methods, static-dynamic call graph analysis, and consideration of built-in methods for JavaScript code, along with partial context-sensitive mechanisms for C/C++ code. HODOR then generates system call whitelists tailored to different types of threads within the Node.js framework. Finally, HODOR implements lightweight system call restrictions based on the Seccomp mechanism, specifically applied to various threads of Node.js at carefully chosen moments...

By: Wang Gao, Dawu Gu, Xingwei Lin, Wenya Wang, Jingyi Wang

Full Abstract and Presentation Materials: #hodor-reducing-attack-surface-on-nodejs-via-system-call-limitation-35216
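The whitelist-generation step described in the abstract can be illustrated with a small reachability computation. This is an added example, not code from HODOR or the presentation: the call graph, node names and thread labels are constructed for illustration and do not reproduce Node.js internals.

```javascript
// Constructed, simplified call graph: each key calls the listed nodes.
// "thread:" nodes are thread entry points, "sys:" nodes are system calls.
// Edges are illustrative assumptions, not extracted from Node.js.
const callGraph = {
  'thread:main':         ['js:server.listen', 'js:onRequest', 'native:event_loop'],
  'thread:worker-pool':  ['native:fs_read_work', 'native:pbkdf2_work'],
  'js:server.listen':    ['native:tcp_listen'],
  'js:onRequest':        ['js:render', 'js:queueFileRead'],
  'js:render':           ['js:render', 'js:queueFileRead'], // recursion: a cycle
  'js:queueFileRead':    ['sys:futex'],                     // hands work to the pool
  'native:event_loop':   ['sys:epoll_wait', 'sys:accept4', 'sys:read', 'sys:write'],
  'native:tcp_listen':   ['sys:socket', 'sys:bind', 'sys:listen'],
  'native:fs_read_work': ['sys:openat', 'sys:read', 'sys:close', 'sys:futex'],
  'native:pbkdf2_work':  ['sys:futex'],
};

// Iterative DFS from one entry point; the visited set makes cycles safe.
// A callee missing from the graph is treated as a leaf, which would
// under-approximate the allowlist in a real analysis.
function reachableSyscalls(graph, entry) {
  const seen = new Set([entry]);
  const stack = [entry];
  const syscalls = new Set();
  while (stack.length > 0) {
    const node = stack.pop();
    if (node.startsWith('sys:')) { syscalls.add(node.slice(4)); continue; }
    for (const callee of graph[node] || []) {
      if (!seen.has(callee)) { seen.add(callee); stack.push(callee); }
    }
  }
  return [...syscalls].sort();
}

// One allowlist per thread type, keyed by the name after "thread:".
function buildAllowlists(graph) {
  const lists = {};
  for (const node of Object.keys(graph)) {
    if (node.startsWith('thread:')) lists[node.slice(7)] = reachableSyscalls(graph, node);
  }
  return lists;
}

// Syscalls a process-wide (union) allowlist permits but this thread never needs.
function removedForThread(lists, threadType) {
  const own = new Set(lists[threadType]);
  const union = new Set(Object.values(lists).flat());
  return [...union].filter((s) => !own.has(s)).sort();
}

const allowlists = buildAllowlists(callGraph);
console.log(allowlists);
console.log('extra denials on worker-pool:', removedForThread(allowlists, 'worker-pool'));
```

The per-thread lists are strictly smaller than the process-wide union, which is the attack-surface reduction that per-thread Seccomp filters enforce.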