apiary easy to use desktop application fault containment
play

Apiary: Easy-to-Use Desktop Application Fault Containment on - PowerPoint PPT Presentation

Oct 27, 2022 •286 likes •793 views

Apiary: Easy-to-Use Desktop Application Fault Containment on Commodity Operating Systems Shaya Potter and Jason Nieh June 23, 2010 USENIX ATC IBM Research Research performed at Columbia University Desktop Applications are Buggy! Desktop

  1. Apiary: Easy-to-Use Desktop Application Fault Containment on Commodity Operating Systems Shaya Potter and Jason Nieh June 23, 2010 USENIX ATC IBM Research Research performed at Columbia University

  2. Desktop Applications are Buggy!  Desktop applications are prone to being exploited  Adobe Acrobat – multiples times in 2009-2010  PDF has dethroned MS Word documents as most common malware vector [F-Secure]  But why should this even be possible?  I want to view the PDF as a “read-only” item

  3. Approaches to Application Security  Access Control Systems  Ex: Janus, Systrace, SELinux…  Rewrite/Recompile Applications  Ex: Java, Google’s Native Client  Isolating Applications in Virtual Machines  Ex: VMware Unity

  4. Isolated VMs for each Application? Pros  No need to make complex rules  Exploited applications are isolated  Works with existing applications Cons  Exploited applications remain exploited  Significant runtime overhead  Lose integrated desktop feel  Increase management burden

  5. Apiary

  6. Desktop Applications are Isolated Web Office Documents E-Mail Banking / IM Media Finance

  7. Persistent Application Containers  Changes persist between application execution  Needed for persistent data  Quicken  Research Papers  But persistent data still needs to be isolated  Office documents have no need to access financial data in Quicken

  8. Apiary Retains Desktop Look and Feel

  9. Introduces Ephemeral Containers PDF PDF Media

  10. Ephemeral Application Containers  Compromises cannot persist  Protects from concurrent compromises  Protects privacy  Enables untrusted data to be viewed safely

  11. Problems to Solve  Exploited applications remain exploited  Significant overhead  Lose integrated desktop feel  Increase management burden

  12. Apiary’s Architecture 3 Components  OS Containers 1. Display Virtualization 2. Virtual Layered File System (VLFS) 3.

  13. OS Containers  OS Containers are prevalent on commodity OSs  Solaris Zones, Linux Containers/VServer  Low overhead  Quick to instantiate  Lower isolation than hardware VMs  Apiary can be used with hardware VMs if threat model requires it

  14. Problems to Solve  Exploited applications remain exploited  Significant overhead  Lose integrated desktop feel  Increase management burden

  15. Containers Integrated at Multiple Points Display 1. Inter-Application Execution 2. File System 3.

  16. Integrated Display Problem  Each container must have isolated displays  XSendEvent() / W32SendMessage() are vectors to exploit other running applications  But, need a single desktop environment Solution  Provide each container with its own virtual display server  Viewer composes together containers’ displays  Single display, menu, task bar

  17. Display Integration

  18. Integrated Applications Problem  Applications in different containers depend on each other  Firefox wants to run a PDF viewer or OpenOffice to view documents Solution  Applications can execute each other in an ephemeral helper mode

  19. Integrated Applications Web PDF Media PDF

  20. Integrated File System Problem:  Ephemeral helper applications are useless if data can’t be shared  How does Firefox pass the PDF file to the PDF viewer? Solution  Limited File System Integration  Protected/Shared “ /tmp ” for inter-application execution

  21. Integrated File System – /tmp /tmp firefox ooffice t-bird  Each container has its own directory under /tmp

  22. Integrated File System – /tmp /tmp firefox ooffice t-bird file.pdf  Each container uses that directory as its own temp directory  Firefox will save all temporary files to /tmp/firefox

  23. Integrated File System – /tmp /tmp firefox ooffice t-bird  But files are invisible to other containers

  24. Integrated File System – /tmp /tmp firefox ooffice t-bird file.pdf  Firefox will launch xpdf /tmp/firefox/file.pdf

  25. Integrated File System – /tmp /tmp firefox ooffice t-bird eph-xpdf file.pdf  Creates a new ephemeral container for Xpdf  Allows /tmp/firefox/file.pdf to be visible in the new ephemeral Xpdf container  Ephemeral Xpdf container executes program as called

  26. Integrated File System – Global View Problem  Files might need to be shared between isolated containers. Solution  File System Manager Container  Provides a global namespace view to move files between containers

  27. Problems to Solve  Exploited applications remain exploited  Significant overhead  Lose integrated desktop feel  Increase management burden

  28. Container Management Problems  How do we efficiently provision them?  How do we efficiently store them?  How do we efficiently get updates applied?

  29. Possible Approaches?  Package Management  COW Disks/File Systems

  30. Package Management Web PDF Office

  31. COW Disks/File Systems Template Image Web PDF Office Clone #1 Web PDF Office Web PDF Office Clone #2

  32. COW Disks/File Systems Template Image Web-v2 PDF Office Clone #1 Web PDF Office Web PDF Office Clone #2

  33. The Virtual Layered File System  Makes the FS a full partner with the package manager  Packages are transformed into a set of shared layers  Combine Unioning File System concepts with package management

  34. VLFS Example Layers Web Office LibC X11 Provisioned VLFSs Web Office Suite

  35. The VLFS/Software Appliance  VLFS defines Software Appliance

  36. How Apiary Uses the VLFS  Users install application appliances instead of individual applications  Predefined sets of layers  Able to be created by various organizations  Banks  ISVs  Appliances leverage global set of layers  Don’t need to manage systems from scratch

  37. How Does it Solve the Problems?  How do we efficiently provision them?  Shared Layers means no copying  Instantly able to create file systems for ephemeral execution  How do we efficiently store them?  Each common layer is only stored once, like a regular system  How do we efficiently get updates applied?  Update layer once in repository, able to be used by all application containers that depend on that layer

  38. Other VLFS Advantages  How do we make sure they are secure?  Dividing into layers isolates changes, makes malicious changes visible  Avoids “DLL Hell”  Each application container has its own independent set of shared libraries  Allows incompatible applications to be installed in same machine

  39. Problems to Solve  Exploited applications remain exploited  Significant overhead  Lose integrated desktop feel  Increase management burden

  40. Experimental Results

  41. Case Study #1 – Malicious PDF File  Traditional Desktop  Can destroy entire computer  Always viewed in ephemeral container  Attack succeeds  Doesn’t affect user

  42. Case Study #2 – Malicious Plugins  Traditional Computer – Persistent, invisible  Ephemeral Container  Doesn’t impact user beyond current ephemeral instance  Persistent Container – Worse  Does damage  Can have multiple Persistent Containers for similar programs  Similar to Red/Green Isolation  Can see if system programs were modified by looking at private layer

  43. Usage Study  24 Users performed tasks including:  E-mail  IMing  Web Browsing  Document editing  Three environments – Plain Linux, No Ephemeral Containers, Ephemeral Containers

  44. Usage Study  Task completion time was about the same in all containers  Users didn’t notice overhead of instantiating ephemeral containers  Users found environment easy to use

  45. Overhead as Containers Scale  25 parallel instances/containers running each test  Overhead generally minimal, even kernel build is only about 10%

  46. Quick Instantiation Firefox T-Bird OOffice Xpdf Mplayer Apiary .005s .005s .005s .005s .005s Create 276s 294s 365s 291s 294s Tar Extract 86s 87s 150s 81s 81s FS-Snap .016s .016s .016s .016s .016s  Why not use an FS with a snapshot/branching semantic (ZFS/Btrfs?)  Provisions basically as quick!  But, each FS once branched is independent Has to be managed independently! 

  47. Efficient Disk Usage Firefox T-Bird OOffice Xpdf Mplayer Size 353MB 367MB 645MB 339MB 355MB # Layer 129 125 186 130 162 Shared 330MB 335MB 329MB 330MB 326MB Unique 23MB 32MB 316MB 9MB 29MB Single FS Multiple FS VLFSs Size 743MB 2.1GB 743MB

  48. Fast File System Updates Traditional VLFS Time 18s 0.12s  Time is just for actual file system update  For machine maintenance in Apiary, machines can be offline which can add significant time to the traditional updates

  49. Conclusions  Apiary introduces a new compartmentalized application paradigm  Works with existing applications, without changes or recompilation  Introduces Ephemeral Containers to prevent compromises from persisting  VLFS enables simple container management  Low Overhead and Easy to Use

  50. Questions?  For more information http://www.ncl.cs.columbia.edu/ spotter@cs.columbia.edu spotter@us.ibm.com

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

HIVE: Fault Containment for Shared-Memory Multiprocessors J. Chapin, M. Rosenblum, S. Devine, T.

HIVE: Fault Containment for Shared-Memory Multiprocessors J. Chapin, M. Rosenblum, S. Devine, T.

HIVE: Fault Containment for Shared-Memory Multiprocessors J. Chapin, M. Rosenblum, S. Devine, T. Lahiri, D. Teodosiu, A. Gupta CSE 598C Presented by: Sandra Rueda The Problem O.S. for managing FLASH architecture (large shared-memory

464 views • 22 slides
Fault Attacks Made Easy: Differential Fault Analysis Automation on Assembly Code Jakub Breier,

Fault Attacks Made Easy: Differential Fault Analysis Automation on Assembly Code Jakub Breier,

Fault Attacks Made Easy: Differential Fault Analysis Automation on Assembly Code Jakub Breier, Xiaolu Hou and Yang Liu 10 September 2018 1 / 25 Table of Contents Background and Motivation 1 Overview of DATAC DFA Automation Tool for

727 views • 25 slides
Geotechnical Desktop Study Borings >100 feet deep Water Well Logs Regional Geology Fault

Geotechnical Desktop Study Borings >100 feet deep Water Well Logs Regional Geology Fault

Geotechnical Desktop Study Borings >100 feet deep Water Well Logs Regional Geology Fault Mapping & Behavior Geotechnical Desktop Study Borings Identified >100 Feet Deep Faulting Grain Size Distribution Comparison Inverted Siphon

733 views • 30 slides
Protocols for Application and Desktop Sharing draft-lennox-avt-app-sharing-00 IETF AVT Working

Protocols for Application and Desktop Sharing draft-lennox-avt-app-sharing-00 IETF AVT Working

Protocols for Application and Desktop Sharing Audio/Video Transport Protocols for Application and Desktop Sharing draft-lennox-avt-app-sharing-00 IETF AVT Working Group Wednesday, March 9, 2005 Jonathan Lennox/Henning Schulzrinne/Jason

277 views • 17 slides
Apiary Program 2019 Jennifer Lund Maine State Apiarist Department of Agriculture, Conservation

Apiary Program 2019 Jennifer Lund Maine State Apiarist Department of Agriculture, Conservation

3 Apiary Program 2019 Jennifer Lund Maine State Apiarist Department of Agriculture, Conservation and Forestry Division of Animal and Plant Health Email: jennifer.lund@maine.gov Office: 207-287-7562 Cell: 207-441-5822 Apiary ry Program

682 views • 22 slides
Improving Scalability and Fault Improving Scalability and Fault Tolerance in an Application

Improving Scalability and Fault Improving Scalability and Fault Tolerance in an Application

Improving Scalability and Fault Improving Scalability and Fault Tolerance in an Application Tolerance in an Application Management Infrastructure Management Infrastructure Nikolay Topilski , Jeannie Albrecht, and Amin Vahdat Williams College

560 views • 18 slides
Web Application Fault Classification An Exploratory Study Yuepu Guo, Sreedevi Sampath

Web Application Fault Classification An Exploratory Study Yuepu Guo, Sreedevi Sampath

Web Application Fault Classification An Exploratory Study Yuepu Guo, Sreedevi Sampath University of Maryland Baltimore County presentation by Daniel Kellenberger 01.06.2010 Why Do We Need (Another) Fault Classification? Fault-based

647 views • 16 slides
C3D Viewer What is C3D Viewer? Test application for C3D Vision and C3D Converter Desktop

C3D Viewer What is C3D Viewer? Test application for C3D Vision and C3D Converter Desktop

C3D Viewer What is C3D Viewer? Test application for C3D Vision and C3D Converter Desktop application for end-users Embedded application for software developers Navigation Pan Rotate/Spin Zoom Zoom fit Standard views

310 views • 10 slides
Spectator: Detection and Containment of JavaScript Worms By Livshits & Cui Presented by

Spectator: Detection and Containment of JavaScript Worms By Livshits & Cui Presented by

Spectator: Detection and Containment of JavaScript Worms By Livshits & Cui Presented by Colin The Problem AJAX gives JS an environment nearly as flexible as a C/asm on a desktop OS Buffer overruns allow asm code injection

509 views • 32 slides
Spill Containment and Commerce www.containmentcorp.com (800) 235-7421 Executive Summary -What

Spill Containment and Commerce www.containmentcorp.com (800) 235-7421 Executive Summary -What

Spill Containment and Commerce www.containmentcorp.com (800) 235-7421 Executive Summary -What is Spill Containment, Secondary Containment and a Spill Prevention Plan -Marine Containment vs. Above-Ground Containment -Dangers of Spills, Costs,

636 views • 19 slides
LAMP Installation Ubuntu Desktop Overview These notes are for the easy installation of a LAMP

LAMP Installation Ubuntu Desktop Overview These notes are for the easy installation of a LAMP

LAMP Installation Ubuntu Desktop Overview These notes are for the easy installation of a LAMP server and phpmyadmin onto the Desktop environment with some additional notes on the php.ini file and MagicQuotes. For installation onto a Server

501 views • 17 slides
Easy, Scalable, Fault-tolerant Stream Processing with St Structured ed St Strea eamin ing

Easy, Scalable, Fault-tolerant Stream Processing with St Structured ed St Strea eamin ing

Easy, Scalable, Fault-tolerant Stream Processing with St Structured ed St Strea eamin ing Burak Yavuz DataEngConf NYC October 31 st 2017 Who am I Software Engineer Databricks - We make your

804 views • 66 slides
Lecture 10: Fault Tolerance Fault Tolerant Concurrent Computing The main principles of fault

Lecture 10: Fault Tolerance Fault Tolerant Concurrent Computing The main principles of fault

Lecture 10: Fault Tolerance Fault Tolerant Concurrent Computing The main principles of fault tolerant programming are: Fault Detection - Knowing that a fault exists Fault Recovery - having atomic instructions that can be rolled back in

361 views • 18 slides
OVERVIEW AnniList is a powerful tracking application that uses RFID/NFC technology with an easy

OVERVIEW AnniList is a powerful tracking application that uses RFID/NFC technology with an easy

OVERVIEW AnniList is a powerful tracking application that uses RFID/NFC technology with an easy to operate platform, allowing you to track just about anything protocol and process related - No more paper checklists or notepads - Easy-to-use

787 views • 10 slides
What is a good pen based application? The windows desktop and browser are HCI For Pen Based

What is a good pen based application? The windows desktop and browser are HCI For Pen Based

What is a good pen based application? The windows desktop and browser are HCI For Pen Based Computing NOT good pen based apps! Richard Anderson CSE 481 B Winter 2007 What is a good UI? How do you measure it? Mechanical Properties

208 views • 8 slides
Using Linear Codes as a Fault Countermeasure for Non-Linear Operations : Application to AES and

Using Linear Codes as a Fault Countermeasure for Non-Linear Operations : Application to AES and

Using Linear Codes as a Fault Countermeasure for Non-Linear Operations : Application to AES and Formal Verification work co-funded by the PRINCE project Sabine Azzi, Bruno Barras, Maria Christofi , David Vigilant PROOFS workshop 2015, September

493 views • 45 slides
Monte Carlo (Helper Slides) Cosine Sampling Direct and Indirect Illumination Direct

Monte Carlo (Helper Slides) Cosine Sampling Direct and Indirect Illumination Direct

Monte Carlo (Helper Slides) Cosine Sampling Direct and Indirect Illumination Direct Illumination Area Light Sources Area Light Sources Area Light Sources Multiple Light Sources Other Light Source Samplings Computing Direct Illumination

275 views • 14 slides
Lessons Learned During the Implementation of the ralph@rccc.de BVR Wireless Sensor Network

Lessons Learned During the Implementation of the ralph@rccc.de BVR Wireless Sensor Network

Lessons Learned During the Implementation of the ralph@rccc.de BVR Wireless Sensor Network Protocol on SunSPOTs 1 The last session of the conference: Lessons Learned During the Implementation of the BVR Wireless Sensor Network Protocol on

506 views • 28 slides
Secret Shuffling: A Novel Approach to RFID Private Identification Claude Castelluccia and Mate

Secret Shuffling: A Novel Approach to RFID Private Identification Claude Castelluccia and Mate

Secret Shuffling: A Novel Approach to RFID Private Identification Claude Castelluccia and Mate Soos INRIA, 655 avenue de lEurope, Montbonnot, France { claude.castelluccia, mate.soos } @inrialpes.fr Abstract. This paper considers the problem of

514 views • 12 slides
A Review of 6LoWPAN Routing Protocols Gee Keng Ee*, Chee Kyun Ng, Nor Kamariah Noordin and

A Review of 6LoWPAN Routing Protocols Gee Keng Ee*, Chee Kyun Ng, Nor Kamariah Noordin and

Proceedings of the Asia Pacific Advanced Network A Review of 6LoWPAN Routing Protocols Gee Keng Ee*, Chee Kyun Ng, Nor Kamariah Noordin and Borhanuddin Mohd. Ali Department of Computer and Communication Systems, Faculty of Engineering,

762 views • 11 slides
pTHINC Better web browsing on your mobile device Joeng Kim Ricardo Baratto Jason Nieh Columbia

pTHINC Better web browsing on your mobile device Joeng Kim Ricardo Baratto Jason Nieh Columbia

pTHINC Better web browsing on your mobile device Joeng Kim Ricardo Baratto Jason Nieh Columbia University, USA Outline Mobile Web Browsers Problem Alternative: Thin Clients Usability Visual Comparison Measurements

616 views • 25 slides
A Framework for Modeling and A Framework for Modeling and Optimization of Prescient Instruction

A Framework for Modeling and A Framework for Modeling and Optimization of Prescient Instruction

A Framework for Modeling and A Framework for Modeling and Optimization of Prescient Instruction Optimization of Prescient Instruction Prefetch Prefetch ACM Sigmetrics Sigmetrics 2003 2003 June 12, 2003 June 12, 2003 ACM Tor M.

388 views • 25 slides
Distributed HPC Applications with Unprivileged Containers Felix Abecassis, Jonathan Calmels GPU

Distributed HPC Applications with Unprivileged Containers Felix Abecassis, Jonathan Calmels GPU

Distributed HPC Applications with Unprivileged Containers Felix Abecassis, Jonathan Calmels GPU Computing NVIDIA Beyond video games AUTONOMOUS MACHINES VIRTUAL REALITY SCIENTIFIC COMPUTING MACHINE LEARNING GPU COMPUTING 2 Infrastructure at

669 views • 28 slides
Effective conversations Part 5: Deep Canvassing Elizabeth Erickson OFA Training Director /

Effective conversations Part 5: Deep Canvassing Elizabeth Erickson OFA Training Director /

Effective conversations Part 5: Deep Canvassing Elizabeth Erickson OFA Training Director / Adrienne Lever Swing Left Campaign Director Brandyn Keating United Citizen Power Founding Director / Michelle Villegas Regional Organizing Manager We will

383 views • 34 slides

More recommend