{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,11]],"date-time":"2026-03-11T01:34:04Z","timestamp":1773192844233,"version":"3.50.1"},"publisher-location":"New York, NY, USA","reference-count":46,"publisher":"ACM","license":[{"start":{"date-parts":[[2013,4,15]],"date-time":"2013-04-15T00:00:00Z","timestamp":1365984000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/100000144","name":"Division of Computer and Network Systems","doi-asserted-by":"publisher","id":[{"id":"10.13039\/100000144","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/100000181","name":"Air Force Office of Scientific Research","doi-asserted-by":"publisher","id":[{"id":"10.13039\/100000181","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2013,4,15]]},"DOI":"10.1145\/2465351.2465358","type":"proceedings-article","created":{"date-parts":[[2013,4,17]],"date-time":"2013-04-17T19:57:35Z","timestamp":1366228655000},"page":"57-70","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":10,"title":["Process firewalls"],"prefix":"10.1145","author":[{"given":"Hayawardh","family":"Vijayakumar","sequence":"first","affiliation":[{"name":"The Pennsylvania State University"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Joshua","family":"Schiffman","sequence":"additional","affiliation":[{"name":"Advanced Micro Devices"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Trent","family":"Jaeger","sequence":"additional","affiliation":[{"name":"The Pennsylvania State 
University"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2013,4,15]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"audit2allow. http:\/\/fedoraproject.org\/wiki\/SELinux\/audit2allow.  audit2allow. http:\/\/fedoraproject.org\/wiki\/SELinux\/audit2allow."},{"key":"e_1_3_2_1_2_1","volume-title":"http:\/\/httpd.apache.org\/docs\/2.2\/misc\/perf-tuning.html#symlinks","author":"Tuning Apache Performance","year":"2012","unstructured":"Apache Performance Tuning . http:\/\/httpd.apache.org\/docs\/2.2\/misc\/perf-tuning.html#symlinks , 2012 . Apache Performance Tuning. http:\/\/httpd.apache.org\/docs\/2.2\/misc\/perf-tuning.html#symlinks, 2012."},{"key":"e_1_3_2_1_4_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2008.22"},{"key":"e_1_3_2_1_5_1","volume-title":"Spring","author":"Bishop M.","year":"1996","unstructured":"M. Bishop and M. Dilger . Checking for race conditions in file accesses. Computer Systems, 9(2) , Spring 1996 . M. Bishop and M. Dilger. Checking for race conditions in file accesses. Computer Systems, 9(2), Spring 1996."},{"key":"e_1_3_2_1_6_1","volume-title":"USENIX Security '06","author":"Borisov N.","year":"2005","unstructured":"N. Borisov , R. Johnson , N. Sastry , and D. Wagner . Fixing races for fun and profit: How to abuse atime . In USENIX Security '06 , 2005 . N. Borisov, R. Johnson, N. Sastry, and D. Wagner. Fixing races for fun and profit: How to abuse atime. In USENIX Security '06, 2005."},{"key":"e_1_3_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2009.10"},{"key":"e_1_3_2_1_8_1","volume-title":"NDSS '10","author":"Chari S.","year":"2010","unstructured":"S. Chari , S. Halevi , and W. Venema . Where Do You Want to Go Today? Escalating Privileges by Pathname Manipulation . In NDSS '10 , 2010 . S. Chari, S. Halevi, and W. Venema. Where Do You Want to Go Today? Escalating Privileges by Pathname Manipulation. 
In NDSS '10, 2010."},{"key":"e_1_3_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2007.65"},{"key":"e_1_3_2_1_10_1","volume-title":"Firewalls and Internet security: repelling the wily hacker","author":"Cheswick W. R.","year":"1994","unstructured":"W. R. Cheswick and S. M. Bellovin . Firewalls and Internet security: repelling the wily hacker . Addison-Wesley Longman , 1994 . W. R. Cheswick and S. M. Bellovin. Firewalls and Internet security: repelling the wily hacker. Addison-Wesley Longman, 1994."},{"key":"e_1_3_2_1_11_1","volume-title":"USENIX SSYM","author":"Cowan C.","year":"2001","unstructured":"C. Cowan , S. Beattie , C. Wright , and G. Kroah-hartman . Raceguard: Kernel protection from temporary file race vulnerabilities . In USENIX SSYM , 2001 . C. Cowan, S. Beattie, C. Wright, and G. Kroah-hartman. Raceguard: Kernel protection from temporary file race vulnerabilities. In USENIX SSYM, 2001."},{"key":"e_1_3_2_1_12_1","unstructured":"Cryogenic-Sleep. Symlinks and Cryogenic Sleep. http:\/\/seclists.org\/bugtraq\/2000\/Jan\/16 2000.  Cryogenic-Sleep. Symlinks and Cryogenic Sleep. http:\/\/seclists.org\/bugtraq\/2000\/Jan\/16 2000."},{"key":"e_1_3_2_1_13_1","volume-title":"http:\/\/cve.mitre.org\/","author":"CVE.","year":"2012","unstructured":"CVE. Common vulnerabilities and exposures. http:\/\/cve.mitre.org\/ , 2012 . CVE. Common vulnerabilities and exposures. http:\/\/cve.mitre.org\/, 2012."},{"key":"e_1_3_2_1_14_1","volume-title":"http:\/\/cwe.mitre.org\/","author":"CWE.","year":"2012","unstructured":"CWE. Common weakness enumeration. http:\/\/cwe.mitre.org\/ , 2012 . CWE. Common weakness enumeration. http:\/\/cwe.mitre.org\/, 2012."},{"key":"e_1_3_2_1_15_1","unstructured":"CWE-22. Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'). http:\/\/cwe.mitre.org\/data\/definitions\/22.html 2012.  CWE-22. Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'). 
http:\/\/cwe.mitre.org\/data\/definitions\/22.html 2012."},{"key":"e_1_3_2_1_16_1","volume-title":"USENIX Security","author":"David","year":"2002","unstructured":"David S. Peterson and Matt Bishop and Raju P. A flexible containment mechanism for executing untrusted code . In USENIX Security , 2002 . David S. Peterson and Matt Bishop and Raju P. A flexible containment mechanism for executing untrusted code. In USENIX Security, 2002."},{"key":"e_1_3_2_1_17_1","volume-title":"USENIX Security","author":"Dean D.","year":"2004","unstructured":"D. Dean and A. Hu . Fixing races for fun and profit . In USENIX Security , 2004 . D. Dean and A. Hu. Fixing races for fun and profit. In USENIX Security, 2004."},{"key":"e_1_3_2_1_18_1","volume-title":"IEEE SSP '04","author":"Feng H. H.","year":"2004","unstructured":"H. H. Feng , J. T. Giffin , Y. Huang , S. Jha , W. Lee , and B. P. Miller . Formalizing sensitivity in static analysis for intrusion detection . In IEEE SSP '04 , 2004 . H. H. Feng, J. T. Giffin, Y. Huang, S. Jha, W. Lee, and B. P. Miller. Formalizing sensitivity in static analysis for intrusion detection. In IEEE SSP '04, 2004."},{"key":"e_1_3_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.5555\/1947337.1947356"},{"key":"e_1_3_2_1_20_1","volume-title":"NDSS","author":"Garfinkel T.","year":"2003","unstructured":"T. Garfinkel . Traps and pitfalls: Practical problems in system call interposition based security tools . In NDSS , 2003 . T. Garfinkel. Traps and pitfalls: Practical problems in system call interposition based security tools. In NDSS, 2003."},{"key":"e_1_3_2_1_21_1","volume-title":"NDSS","author":"Garfinkel T.","year":"2004","unstructured":"T. Garfinkel , B. Pfaff , and M. Rosenblum . Ostia: A delegating architecture for secure system call interposition . In NDSS , 2004 . T. Garfinkel, B. Pfaff, and M. Rosenblum. Ostia: A delegating architecture for secure system call interposition. 
In NDSS, 2004."},{"key":"e_1_3_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1007\/11663812_10"},{"key":"e_1_3_2_1_23_1","volume-title":"USENIX Security '96","author":"Goldberg I.","year":"1996","unstructured":"I. Goldberg , D. Wagner , R. Thomas , and E. A. Brewer . A secure environment for untrusted helper applications . In USENIX Security '96 , 1996 . I. Goldberg, D. Wagner, R. Thomas, and E. A. Brewer. A secure environment for untrusted helper applications. In USENIX Security '96, 1996."},{"key":"e_1_3_2_1_24_1","volume-title":"USENIX Security","author":"Jaeger T.","year":"2003","unstructured":"T. Jaeger , R. Sailer , and X. Zhang . Analyzing Integrity Protection in the SELinux Example Policy . In USENIX Security , 2003 . T. Jaeger, R. Sailer, and X. Zhang. Analyzing Integrity Protection in the SELinux Example Policy. In USENIX Security, 2003."},{"key":"e_1_3_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1145\/996943.996944"},{"key":"e_1_3_2_1_26_1","doi-asserted-by":"publisher","DOI":"10.1145\/1294261.1294293"},{"key":"e_1_3_2_1_27_1","volume-title":"Capability-based Computer Systems","author":"Levy H. M.","year":"1984","unstructured":"H. M. Levy . Capability-based Computer Systems . Digital Press , 1984 . H. M. Levy. Capability-based Computer Systems. Digital Press, 1984."},{"key":"e_1_3_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.1147\/sj.133.0230"},{"key":"e_1_3_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1145\/2382536.2382541"},{"key":"e_1_3_2_1_30_1","unstructured":"Novell. AppArmor Linux Application Security. http:\/\/www.novell.com\/linux\/security\/apparmor\/.  Novell. AppArmor Linux Application Security. http:\/\/www.novell.com\/linux\/security\/apparmor\/."},{"key":"e_1_3_2_1_31_1","unstructured":"NSA. SELinux 2012. http:\/\/www.nsa.gov\/selinux.  NSA. SELinux 2012. http:\/\/www.nsa.gov\/selinux."},{"key":"e_1_3_2_1_32_1","volume-title":"LKML: kernel: backtrace unwind support. 
https:\/\/lkml.org\/lkml\/2012\/2\/10\/129","author":"Olsa J.","year":"2012","unstructured":"J. Olsa . LKML: kernel: backtrace unwind support. https:\/\/lkml.org\/lkml\/2012\/2\/10\/129 , 2012 . J. Olsa. LKML: kernel: backtrace unwind support. https:\/\/lkml.org\/lkml\/2012\/2\/10\/129, 2012."},{"key":"e_1_3_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2012.11"},{"key":"e_1_3_2_1_34_1","volume-title":"USENIX Security","author":"Provos N.","year":"2003","unstructured":"N. Provos . Improving host security with system call policies . In USENIX Security , 2003 . N. Provos. Improving host security with system call policies. In USENIX Security, 2003."},{"key":"e_1_3_2_1_35_1","volume-title":"USENIX Security","author":"Provos N.","year":"2003","unstructured":"N. Provos , M. Friedl , and P. Honeyman . Preventing privilege escalation . In USENIX Security , 2003 . N. Provos, M. Friedl, and P. Honeyman. Preventing privilege escalation. In USENIX Security, 2003."},{"key":"e_1_3_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.1109\/PROC.1975.9939"},{"key":"e_1_3_2_1_37_1","volume-title":"A fast automaton-based method for detecting anomalous program behaviors","author":"Sekar R.","year":"2001","unstructured":"R. Sekar , M. Bendre , D. Dhurjati , and P. Bollineni . A fast automaton-based method for detecting anomalous program behaviors . In IEEE SS &P '01, 2001 . R. Sekar, M. Bendre, D. Dhurjati, and P. Bollineni. A fast automaton-based method for detecting anomalous program behaviors. In IEEE SS&P '01, 2001."},{"key":"e_1_3_2_1_38_1","doi-asserted-by":"publisher","DOI":"10.1145\/945445.945448"},{"key":"e_1_3_2_1_39_1","volume-title":"USENIX FAST","author":"Tsafrir D.","year":"2008","unstructured":"D. Tsafrir , T. Hertz , D. Wagner , and D. Da Silva . Portably solving file TOCTTOU races with hardness amplification . In USENIX FAST , 2008 . D. Tsafrir, T. Hertz, D. Wagner, and D. Da Silva. Portably solving file TOCTTOU races with hardness amplification. 
In USENIX FAST, 2008."},{"key":"e_1_3_2_1_40_1","doi-asserted-by":"publisher","DOI":"10.1145\/2414456.2414500"},{"key":"e_1_3_2_1_41_1","volume-title":"USENIX Security","author":"Vijayakumar H.","year":"2012","unstructured":"H. Vijayakumar , J. Schiffman , and T. Jaeger . STING: Finding Name Resolution Vulnerabilities in Programs . In USENIX Security , 2012 . H. Vijayakumar, J. Schiffman, and T. Jaeger. STING: Finding Name Resolution Vulnerabilities in Programs. In USENIX Security, 2012."},{"key":"e_1_3_2_1_42_1","doi-asserted-by":"publisher","DOI":"10.1145\/586110.586145"},{"key":"e_1_3_2_1_43_1","volume-title":"USENIX Security","author":"Watson R. N. M.","year":"2010","unstructured":"R. N. M. Watson , J. Anderson , B. Laurie , and K. Kennaway . Capsicum: practical capabilities for UNIX . In USENIX Security , 2010 . R. N. M. Watson, J. Anderson, B. Laurie, and K. Kennaway. Capsicum: practical capabilities for UNIX. In USENIX Security, 2010."},{"key":"e_1_3_2_1_44_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2010.09.004"},{"key":"e_1_3_2_1_45_1","volume-title":"USENIX Security","author":"Wright C.","year":"2002","unstructured":"C. Wright , C. Cowan , and J. Morris . Linux security modules: General security support for the Linux kernel . In USENIX Security , 2002 . C. Wright, C. Cowan, and J. Morris. Linux security modules: General security support for the Linux kernel. In USENIX Security, 2002."},{"key":"e_1_3_2_1_46_1","volume-title":"OSDI","author":"Zeldovich N.","year":"2006","unstructured":"N. Zeldovich , S. Boyd-Wickizer , E. Kohler , and D. Mazi\u00e8res . Making information flow explicit in HiStar . In OSDI , 2006 . N. Zeldovich, S. Boyd-Wickizer, E. Kohler, and D. Mazi\u00e8res. Making information flow explicit in HiStar. In OSDI, 2006."},{"key":"e_1_3_2_1_47_1","volume-title":"USENIX Security","author":"Zhang X.","year":"2002","unstructured":"X. Zhang , A. Edwards , and T. Jaeger . 
Using CQUAL for static analysis of authorization hook placement . In USENIX Security , 2002 . X. Zhang, A. Edwards, and T. Jaeger. Using CQUAL for static analysis of authorization hook placement. In USENIX Security, 2002."}],"event":{"name":"EuroSys '13: Eighth Eurosys Conference 2013","location":"Prague Czech Republic","acronym":"EuroSys '13","sponsor":["SIGOPS ACM Special Interest Group on Operating Systems"]},"container-title":["Proceedings of the 8th ACM European Conference on Computer Systems"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/2465351.2465358","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/2465351.2465358","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T08:39:36Z","timestamp":1750235976000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/2465351.2465358"}},"subtitle":["protecting processes during resource access"],"short-title":[],"issued":{"date-parts":[[2013,4,15]]},"references-count":46,"alternative-id":["10.1145\/2465351.2465358","10.1145\/2465351"],"URL":"https:\/\/doi.org\/10.1145\/2465351.2465358","relation":{},"subject":[],"published":{"date-parts":[[2013,4,15]]},"assertion":[{"value":"2013-04-15","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}