In this proposal we present two reference monitors that target these shortcomings: we describe the design, implementation, and evaluation of Guardat and ERIM.
The policies protecting persistent data and the mechanisms that enforce them are spread over many software components and configuration files, which increases the risk of policy violations caused by bugs, vulnerabilities and misconfiguration. With Guardat, users, developers and administrators specify file protection policies declaratively, concisely and separately from code, and Guardat enforces these policies by mediating I/O in the storage layer. Policy enforcement relies only on the integrity of the Guardat controller and of any external policy dependencies. We show experimentally that Guardat's overhead is low.
While Guardat enforces policies at the storage layer, it cannot enforce policies over the in-memory state of untrusted applications. In contrast to existing techniques, ERIM efficiently mediates an application's execution by isolating a reference monitor within the same address space. By combining Intel Memory Protection Keys (MPK) with static binary rewriting, ERIM isolates the monitor's state from strong, malicious adversaries. We propose binary rewriting rules to harden existing executable files and detail use cases in which prior art relied on less robust protection at similar performance.
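As an added illustration, not code from the proposal or from ERIM itself, the following sketch shows the MPK domain-switch pattern the ERIM paragraph refers to, using glibc's `pkey_*` wrappers on Linux (glibc 2.27 or later). The monitor state, the call gate `monitor_increment` and the driver `erim_demo` are assumptions made for this example; the binary-rewriting side of ERIM is not shown.

```c
#define _GNU_SOURCE
#include <stdlib.h>
#include <sys/mman.h>
#include <unistd.h>

/* Example only: a one-page "monitor" region tagged with its own protection
 * key. Untrusted code runs with that key's access disabled in PKRU; the
 * trusted call gate enables access only for the duration of a monitor call. */
static int   monitor_key = -1;
static long *monitor_state;               /* lives on the key-protected page */

/* Trusted call gate: open the monitor domain, do the work, close it again.
 * pkey_set() updates PKRU (WRPKRU) for the calling thread only. */
static long monitor_increment(void) {
    pkey_set(monitor_key, 0);                     /* allow read+write */
    long v = ++(*monitor_state);
    pkey_set(monitor_key, PKEY_DISABLE_ACCESS);   /* back to untrusted domain */
    return v;
}

/* Runs n gated monitor calls and returns the final counter value.
 * Returns -1 if MPK is unavailable on this CPU/kernel (the demo is then skipped),
 * and -2 if the untrusted domain is unexpectedly left with access to the page. */
long erim_demo(int n) {
    long page = sysconf(_SC_PAGESIZE);
    monitor_key = pkey_alloc(0, 0);               /* 0 = no flags, access allowed */
    if (monitor_key < 0) return -1;

    monitor_state = mmap(NULL, (size_t)page, PROT_READ | PROT_WRITE,
                         MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (monitor_state == MAP_FAILED) { pkey_free(monitor_key); return -1; }

    /* Tag the monitor page with the key, then lock it for untrusted code.
     * From here on, a direct *monitor_state access outside the gate faults. */
    pkey_mprotect(monitor_state, (size_t)page, PROT_READ | PROT_WRITE, monitor_key);
    pkey_set(monitor_key, PKEY_DISABLE_ACCESS);

    long last = 0;
    for (int i = 0; i < n; i++)
        last = monitor_increment();               /* only path into the monitor */

    /* Check that the untrusted domain still has no access once the calls return. */
    int locked = (pkey_get(monitor_key) & PKEY_DISABLE_ACCESS) != 0;

    pkey_set(monitor_key, 0);                     /* re-enable before teardown */
    munmap(monitor_state, (size_t)page);
    pkey_free(monitor_key);
    return locked ? last : -2;
}
```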