Host-based Intrusion Prevention
Here are slides for my Defcon talk about work on host-based Intrusion Prevention for FreeBSD.
The kernel code for:
Compared to sandboxing with jails and chroots, Intrusion Prevention offers much finer-grained control over an application's access to the kernel interface. Jails and chroots are popular methods of hardening web services beyond what the application's own configuration allows: they provide a restricted view of the file system and devices. In contrast, Intrusion Prevention provides fine-grained control of specified system calls, including filtering on their argument values.
For example, Intrusion Prevention can be used to blacklist certain system calls or certain argument values. It can specify that a service may fork processes as any user except root. Or, a process running as a normal user can open a specified socket as root, thereby avoiding the need to run the whole process as root. Or, a process can read any file except /etc.
Better yet, one can create a "default deny" whitelist by monitoring an application to observe all the system calls it makes under normal circumstances. Whitelists can be tuned and exchanged just like firewall rules. In that sense, one can view Intrusion Prevention as a sort of firewall for messages between user applications and the kernel.
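To make the two policy styles above concrete, here is an added userland model of the decision logic (example code written for this page; it is not the FreeBSD kernel code from the talk and does not hook real system calls). It treats each system call as a record with a name, the caller's uid and a pre-decoded argument view, then evaluates it against an ordered rule list: a blacklist with the page's three argument-filter examples (fork as anyone but root, a normal user binding a privileged port as root, reading anything except /etc), and a default-deny whitelist learned from a constructed trace of an application's normal behaviour. Syscall names, uids, paths and ports in the sample data are constructed; the learned whitelist keys on (syscall, uid) only, so it does not filter arguments unless rules are added by hand.

```python
"""Toy model of host-based intrusion prevention: filtering system calls and
their arguments at the user/kernel boundary. Example code, not the FreeBSD
kernel implementation; all sample calls and values are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

ALLOW, DENY = "allow", "deny"


@dataclass(frozen=True)
class Syscall:
    """One system call as the policy engine sees it: name, effective uid of the
    caller, and a decoded argument view (path, port, ...) instead of raw registers."""
    name: str
    uid: int
    args: Dict[str, object]


@dataclass(frozen=True)
class Rule:
    syscall: str
    action: str                                        # ALLOW or DENY
    match: Optional[Callable[[Syscall], bool]] = None  # argument filter; None matches every call
    run_as_uid: Optional[int] = None                   # execute this one call under another uid


class Policy:
    """Ordered rule list with a default action; the first matching rule wins,
    exactly like a firewall rule set."""

    def __init__(self, default: str = ALLOW) -> None:
        self.default = default
        self.rules: List[Rule] = []

    def add(self, rule: Rule) -> "Policy":
        self.rules.append(rule)
        return self

    def evaluate(self, call: Syscall) -> Tuple[str, int]:
        """Return (decision, uid the call should execute under)."""
        for rule in self.rules:
            if rule.syscall == call.name and (rule.match is None or rule.match(call)):
                uid = call.uid if rule.run_as_uid is None else rule.run_as_uid
                return rule.action, uid
        return self.default, call.uid


def under_etc(call: Syscall) -> bool:
    """Argument filter: does the call touch /etc or anything beneath it?"""
    path = str(call.args.get("path", ""))
    return path == "/etc" or path.startswith("/etc/")


def example_blacklist_policy() -> Policy:
    """Blacklist in the style of the page: default allow, a few denials, and one
    privilege substitution. Syscall names and the port are constructed examples."""
    return (
        Policy(default=ALLOW)
        .add(Rule("ptrace", DENY))                                 # blacklist a whole syscall
        .add(Rule("fork", DENY, match=lambda c: c.uid == 0))       # fork as any user except root
        .add(Rule("bind", ALLOW, match=lambda c: c.args.get("port") == 80,
                  run_as_uid=0))                                   # normal user binds port 80 as root
        .add(Rule("open", DENY, match=under_etc))                  # read any file except /etc
    )


# Constructed trace: a web server (uid 1000) serving one request under normal conditions.
OBSERVED_TRACE: List[Syscall] = [
    Syscall("accept", 1000, {"fd": 3}),
    Syscall("read", 1000, {"fd": 4}),
    Syscall("open", 1000, {"path": "/var/www/index.html", "mode": "r"}),
    Syscall("write", 1000, {"fd": 4}),
    Syscall("close", 1000, {"fd": 4}),
]


def learn_whitelist(trace: List[Syscall]) -> Policy:
    """Build a default-deny policy from calls observed during a monitoring run.
    Every distinct (syscall, uid) pair in the trace becomes an allow rule; anything
    the application never did while being observed is denied."""
    policy = Policy(default=DENY)
    seen: Set[Tuple[str, int]] = set()
    for call in trace:
        key = (call.name, call.uid)
        if key not in seen:
            seen.add(key)
            # Default argument binds the uid now, avoiding late-binding lambda bugs.
            policy.add(Rule(call.name, ALLOW, match=lambda c, u=call.uid: c.uid == u))
    return policy


if __name__ == "__main__":
    blacklist = example_blacklist_policy()
    for call in [Syscall("fork", 0, {}), Syscall("bind", 1000, {"port": 80}),
                 Syscall("open", 1000, {"path": "/etc/passwd", "mode": "r"})]:
        print("blacklist", call.name, "->", blacklist.evaluate(call))
    whitelist = learn_whitelist(OBSERVED_TRACE)
    for call in [Syscall("read", 1000, {"fd": 4}), Syscall("execve", 1000, {"path": "/bin/sh"})]:
        print("whitelist", call.name, "->", whitelist.evaluate(call))
```

The blacklist shows why argument filtering is stronger than a per-syscall switch: `fork` is allowed or denied by the caller's uid, `open` by the path, and the `bind` rule grants root only for that single call rather than for the whole process. The learned whitelist is the "default deny" variant; in practice its rules would be tuned after observation (for example, adding a path filter to the `open` rule) before being exchanged like firewall rules.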