ASE2025
AMPLE: Fine-grained File Access Policies for Server Applications
Seyedhamed Ghavamnia, Julien Vanegue
Abstract
Userspace programs depend heavily on operating system resources to execute correctly, with file access being one of the most common and critical use cases. Modern Linux distributions include a vast number of files, many of which are unnecessary for the operation of most programs. However, existing access control mechanisms typically enforce coarse-grained policies that allow programs to access far more files than they actually require. This over-permissiveness significantly increases the system's attack surface, exposing sensitive resources to potential exploitation. In this paper, we introduce AMPLE (Automated MAC PoLicy Extraction), a versatile tool that integrates both static and dynamic analysis to identify the files required by server applications. Ample accomplishes this by leveraging the distinct phases of server application execution, extracting runtime-dependent file paths by executing only the program's initialization phase. This novel approach addresses the limitations of relying exclusively on static analysis, which fails to identify runtime-dependent file paths, as well as the shortcomings of purely dynamic analysis, which overlooks file paths accessed in non-executed code paths. To demonstrate its effectiveness, we evaluated Ample on ten widely-used server applications. The results show that Ample significantly reduces the number of accessible files, achieving an average reduction of over 99%, and limiting access to an average of fewer than 254 files per application. This substantial reduction helps restrict access to numerous security-critical files and mitigates 13 Linux kernel CVEs.
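The abstract describes the two halves of the approach: a dynamic pass that records the files a server touches while only its initialization phase runs (catching paths that are computed at runtime, e.g. from a config file), and a static pass that pulls path literals out of the binary (catching files referenced on code paths the run never exercised). The toy below is an added illustration of that hybrid idea and is not AMPLE's code: it parses constructed strace-style lines from a hypothetical `srvd` daemon's init phase, scans constructed bytes standing in for the binary's read-only data, unions the two sets, and renders the result as an AppArmor-style allow-list. The daemon name, paths and trace lines are all made up for the example.

```python
import re

# Constructed strace-style lines, as they might be captured while running only
# the hypothetical srvd daemon's initialization phase (sample data, not AMPLE output).
INIT_TRACE = """\
openat(AT_FDCWD, "/etc/srvd/srvd.conf", O_RDONLY|O_CLOEXEC) = 4
openat(AT_FDCWD, "/etc/ssl/certs/ca-certificates.crt", O_RDONLY) = 5
openat(AT_FDCWD, "/var/log/srvd/error.log", O_WRONLY|O_CREAT|O_APPEND, 0644) = 6
openat(AT_FDCWD, "/etc/srvd/optional.conf", O_RDONLY) = -1 ENOENT (No such file or directory)
"""

# Constructed bytes standing in for a stripped binary's .rodata: NUL-terminated
# string literals, only some of which are file paths (hypothetical, not a real binary).
FAKE_RODATA = (
    b"\x00/etc/srvd/mime.types\x00/var/run/srvd.pid\x00"
    b"GET /index.html HTTP/1.1\x00%s/%s\x00/dev/null\x00"
)

# Matches the path, the flag list and the return value of an openat() trace line.
OPENAT_RE = re.compile(r'openat\(AT_FDCWD, "([^"]+)", ([A-Z_|]+)(?:, \d+)?\) = (-?\d+)')


def dynamic_paths(trace: str) -> dict:
    """Dynamic pass: files actually opened during init, with the access mode
    derived from the open flags. Failed opens (negative return) are skipped;
    a stricter policy would also record them so the denial stays ENOENT rather
    than becoming EACCES under the new MAC policy."""
    policy = {}
    for line in trace.splitlines():
        m = OPENAT_RE.search(line)
        if not m:
            continue
        path, flags, ret = m.group(1), m.group(2).split("|"), int(m.group(3))
        if ret < 0:
            continue
        mode = "rw" if "O_RDWR" in flags else ("w" if "O_WRONLY" in flags else "r")
        prev = policy.get(path, "")
        # Merge modes if the same file was opened more than once with different flags.
        policy[path] = "".join(c for c in "rw" if c in prev + mode)
    return policy


def static_paths(blob: bytes) -> set:
    """Static pass: absolute path literals found in the binary's string data.
    Strings containing format specifiers are dropped because the real path is
    only known at runtime, which is exactly what the dynamic pass is for."""
    found = set()
    for chunk in blob.split(b"\x00"):
        try:
            s = chunk.decode("ascii")
        except UnicodeDecodeError:
            continue
        if s.startswith("/") and "%" not in s and s.isprintable():
            found.add(s)
    return found


def build_policy(trace: str, blob: bytes) -> dict:
    """Union of both passes. Static hits carry no flag information, so they are
    granted read only; a path that needs write (e.g. a pid file) would surface
    as a denial in testing and be widened deliberately, not by default."""
    policy = dynamic_paths(trace)
    for p in static_paths(blob):
        policy.setdefault(p, "r")
    return policy


def render_profile(name: str, exe: str, policy: dict) -> str:
    """Render the allow-list as an AppArmor-style profile fragment."""
    lines = [f"profile {name} {exe} {{"]
    for path in sorted(policy):
        lines.append(f"  {path} {policy[path]},")
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_profile("srvd", "/usr/sbin/srvd", build_policy(INIT_TRACE, FAKE_RODATA)))
```

Run stand-alone, the script prints a six-entry profile: three files seen in the init trace (the log file with `w`, the rest with `r`) plus three path literals recovered statically. The failed open of `optional.conf` and the `%s/%s` template are the two cases each pass alone would get wrong, which is the gap the hybrid approach in the abstract is meant to close.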