PhD Seminar • Systems and Networking • PLOX: Fine-grained System Call Debloating Using Dynamic Capabilities

Friday, November 10, 2023 2:00 pm - 3:00 pm EST (GMT -05:00)

Please note: This PhD seminar will take place online.

Ryan Hancock, PhD candidate
David R. Cheriton School of Computer Science

Supervisor: Professor Ali Mashtizadeh

Containers are a popular lightweight tool for isolating applications, but they remain exposed to vulnerabilities within the kernel. Attackers use system calls to exploit these vulnerabilities and break isolation. A common mitigation is to harden containers with coarse-grained system call allow/deny lists; however, attackers can still craft the arguments of commonly allowed system calls to trigger vulnerabilities.

We introduce PLOX, a lightweight container that runs unmodified C/C++ applications and uses our novel dynamic capabilities model to bind application resources to the system call and its arguments. With this model, we disallow any arguments not permitted by our fine-grained policy. Standard capabilities are far too coarse-grained, leading to overpermissioning, and they cannot be revoked once granted. Because dynamic capabilities are resource-centric, we have more context about what the resources actually are. This allows secondary policies to be added at runtime that provide hints to the system about resources such as sensitive files. Dynamic capabilities can use these secondary policies to revoke capabilities that were previously granted, based on these rules.

We show PLOX’s dynamic capabilities are able to reduce the attack surface of the kernel on average by 73% across 16 common system calls over existing debloating techniques, with overheads similar to seccomp of around 4%.
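As an added illustration (not PLOX's code, and a deliberately simplified model of what the abstract describes), the following Python toy contrasts a name-only system call allow list with a resource-centric, argument-aware capability policy whose capabilities a secondary sensitive-file rule can revoke at runtime; the paths, flag names and policy layout are all assumptions.

```python
from dataclasses import dataclass, field

# Constructed toy model of the contrast drawn in the abstract: a name-only
# system call allow list versus a resource-centric capability policy that
# also constrains arguments and can be revoked by a secondary runtime rule.
# Paths, flag names and the policy layout are assumptions, not PLOX's own.

COARSE_ALLOW = {"openat", "read", "write"}

def coarse_allows(syscall, path=None, flags=()):
    """Typical allow list: decides on the syscall name only."""
    return syscall in COARSE_ALLOW

@dataclass(frozen=True)
class Capability:
    resource: str          # path prefix the capability is bound to
    syscalls: frozenset    # syscalls permitted on that resource
    flags: frozenset = frozenset()  # argument values permitted (open flags)

@dataclass
class DynamicPolicy:
    caps: list
    sensitive: set = field(default_factory=set)  # secondary policy hints

    def mark_sensitive(self, path):
        """Secondary policy: flag a resource at runtime; capabilities
        covering it are revoked for every later request."""
        self.sensitive.add(path)

    def allows(self, syscall, path, flags=()):
        if any(path.startswith(s) for s in self.sensitive):
            return False  # revoked by the secondary policy
        return any(path.startswith(c.resource) and syscall in c.syscalls
                   and set(flags) <= c.flags for c in self.caps)

def build_policy():
    """Example policy: read-only config, read/write app data, nothing else."""
    return DynamicPolicy([
        Capability("/etc/app/", frozenset({"openat", "read"}),
                   frozenset({"O_RDONLY"})),
        Capability("/var/app/", frozenset({"openat", "read", "write"}),
                   frozenset({"O_RDONLY", "O_RDWR"})),
    ])

if __name__ == "__main__":
    p = build_policy()
    # the coarse list cannot see the argument, so /etc/shadow is reachable
    print(coarse_allows("openat", "/etc/shadow", ("O_RDONLY",)))   # True
    print(p.allows("openat", "/etc/shadow", ("O_RDONLY",)))        # False
    p.mark_sensitive("/var/app/secret.key")
    print(p.allows("read", "/var/app/secret.key"))                 # False
```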


Bio: I’m a 6th year PhD student at the University of Waterloo, doing research at the RCS Lab. My current research explores various areas within serverless and storage. I have done modeling work for serverless workloads and looked into better isolation mechanisms for OS containers. I also built a copy-on-write checkpointing storage system to support our single-level store, Aurora.