Protecting the OS from buggy application code
We have developed tools that augment current C and C++ compilers with fine-grained whitelisting of OS call capabilities. The enhanced compiler is paired with OS plugins that enforce the whitelisting instructions embedded in the program.
This mechanism is intended to help programmers write programs that are harder to exploit for the purpose of gaining illegitimate control over the OS.
Our work has proven effective in finding exploits in existing commercial code; while we do have a prototype system, we would like to continue building and enhancing it.