application level sandboxing
play

Application-level sandboxing Erik Poll 1 Overview 1. - PowerPoint PPT Presentation

Feb 04, 2024 •215 likes •909 views

Software Security Application-level sandboxing Erik Poll 1 Overview 1. Compartmentalisation 2. Classic OS access control compartmentalisation between processes Chapter 2 of lecture notes 3. Language-level access control

  1. Software Security Application-level sandboxing Erik Poll 1

  2. Overview 1. Compartmentalisation 2. Classic OS access control compartmentalisation between processes • Chapter 2 of lecture notes • 3. Language-level access control • compartmentalisation within a process • by sandboxing support in safe programming languages notably Java and .NET • Chapter 4 of lecture notes • 4. Hardware-based sandboxing • compartmentalisation within a process, also for unsafe languages 2

  3. 1. Compartmentalisation / isolation / sandboxing 3

  4. Compartmentalisation in ships 4

  5. Titanic Does this mean compartmentalising is a bad idea? No, but the attacker model was wrong. Making vessel double-hulled would have been a better form of • compartmentalising. 5

  6. Compartmentalisation examples Compartmentalisation can be applied on many levels In an organisation • – eg terrorist cells in Al Qaida or extreme animal rights group In an IT system • – eg different machines for different tasks On a single computer, eg • – different processes for different tasks – different user accounts for different task – use virtual machines to isolate tasks – partition your hard disk & install two OSs Focus Inside a program / application / app / process • of today – different ‘modules’ with different tasks 6

  7. Compartmentalisation example: SIM card in phone A SIM provides some trusted functionality (with a small TCB) to a larger untrusted application (with a larger TCB) untrusted usted calls appli lica cation ion truste sted func nctionali tionality ty OS OS main n CPU 7

  8. Isolation vs CIA Isolation is a useful security property for programs and processes • (i.e. program in execution) • ‘isolation’ can be broken down into a combination of confidentiality & integrity of data & code, but that becomes conceptually less clear 8

  9. Two use cases for compartments Compartmentalisation is good to isolate different trust levels 1. to contain a untrusted process from attacking others • aka sandboxing “ platform ” 2. to protect a trusted process from outside attacks “ platform ” • Here, it makes sense to apply it recursively 9

  10. Compartmentalisation Important questions to ask about any form of compartmentalisation What is the Trusted Computing Base (TCB) ? • – Compartmentalising critical functionality inside a trusted process reduces the TCB for that functionality inside that process, but increases the TCB with the TCB of the enforcement mechanism Can the compartmentalisation be controlled by policies? • – How expressive & complex are these policies? – Expressivity can be good, but resulting complexity can be bad… What are input & output channels? • – We want exposed interfaces to be as simple, small, and just powerful enough Are there any hidden channels? Eg timing behaviour • – These can be used deliberately, as covert channels, or exist by accident, as side channels 10

  11. Access control Some compartments offer access control that can be configured It involves 1. Rights/permissions 2. Parties (eg. users, processes, components) 3. Policies that give rights to parties – specifying who is allowed to do what 4. Runtime monitoring to enforce policies, which becomes part of the TCB 11

  12. Compartmentalisation for security design 1. Divide systems into chunks – aka compartments, components, … Different compartments for different tasks 2. Give minimal access rights to each compartment aka principle of least privilege 3. Have strong encapsulation between compartments so flaw in one compartment cannot corrupt others 4. Have clear and simple interfaces between compartments exposing minimal functionality Benefits: a. Reduces TCB for certain security-sensitive functionality b. Reduces the impact of any security flaws. 12

  13. 2. Operating System (OS) Access Control See also Chapter 2 of the lecture notes 13

  14. Classical OS-based security (reminder) process access process B control A rights & policies OS (incl. file system) Hardware (CPU, memory, I/O peripherals) 14

  15. Signs of OS access control 15

  16. Problems with OS access control hu huge 1. Size of the TCB The Trusted Computing Base for OS access control is so there will be security flaws in the code. The only safe assumption: a malicious user process on a typical OS (Linux, Windows, BSD, iOS, Android, ...) will be able to get superuser/root/administrator rights. 2. Too much complexity The languages to express access control policy are very complex, so people will make mistakes 3. Not enough expressivity / granularity Eg the OS cannot do access control within process, as processes as the ‘ atomic ’ units Note: fundamental conflict between the need for expressivity and the desire to keep things simple 16

  17. Example complexity problem (resulting in privilege escalation) UNIX access control uses 3 permissions ( rwx ) for 3 categories of users ( owner,group,others ), for files & directories. Windows XP uses 30 permissions, 9 categories of users, and 15 kinds of objects. Example common configuration flaw in XP access control, in 4 steps: 1. Windows XP uses Local Service or Local System services for privileged functionality (where UNIX uses setuid binaries) 2. The permission SERVICE_CHANGE_CONFIG allows changing the executable associated with a service 3. But... it also allows to change the account under which it runs , incl. to Local System , which gives maximum root privileges. 4. Many configurations mistakenly grant SERVICE_CHANGE_CONFIG to all Authenticated Users ... 17

  18. Privilege escalation in Windows XP Unintended privilege escalation due to misconfigured access rights of standard software packages in Windows XP: [S. Govindavajhala and A.W. Appel, Windows Access Control Demystified, 2006] Moral of the story (1) : KEEP P IT SIMPLE MPLE Moral of the story (2) : If it is not simple, ple, check eck the details tails 18

  19. chroot jail chroot - change root - is nice example of compartmentalisation (of file system) in UNIX/Linux: restricts access of a process to a subset of file system, ie. changes • the root of file system for that process • Eg running an application you just downloaded with chroot /home/sos/erik/trial ; /tmp restricts access to just these two directories Using traditional OS access control permissions for this would be very • tricky! It would require getting permissions right all over the file system. 19

  20. Limits in granularity OS can ’ t distinguish components within process, so can ’ t differentiate access control for them, or do access control between them process A process B ? trusted sted untrus usted ted module ule B module ule A ? ? ? Operating System Hardware (CPU, memory, I/O peripherals) 20

  21. Limitation of classic OS access control • A process has a fixed set of permissions. Usually, all permissions of the user who started it • Execution with reduced permission set may be needed temporarily when executing untrusted or less trusted code. For this OS access control may be too coarse. Remedies/improvements • Allowing users to drop rights when they start a process • Asking user approval for additional permissions at run-time • Using different user accounts for different applications, as Android does • Split a process into multiple processes with different access rights 21

  22. Example: compartmentalisation in Chrome The Chrome browser process is split into multiple OS processes rende dering ring engin ine: e: rende dering ring engin ine: e: One rendering engine per tab, rende dering ring engin ine: e: handling HTML, CSS rende dering ring engine: ine: plus one for trusted content handling HTML, CSS handling HTML, CSS javascript, XML, DOM, (eg HTTPS certificate warnings) handling HTML, CSS javascript, XML, DOM, javascript, XML, DOM, rendering javascript, DOM, rendering rendering No access to local file system rendering images and to each other brows owser er kernel: nel: One browser kernel cookie & passwd database, network with full user privileges stack, TLS, window management (Complex!) rendering engine is black box for browser kernel • Plugins also run as different processes • Running a new process per domain can enforce the restrictions of the • SOP (Same Origin Policy ) Advantage: TCB for certain operations drastically reduced • 22

  23. 2. Language-level access control Chapter 4 of the lecture notes 23

  24. Access control at the language level In a safe programming language, access control can be provided within a process, at language-level, because interactions between components can be restricted & controlled process trusted sted untrusted usted module ule A module ule B This makes it possible to have security guarantees in the presence of untrusted code (which could be malicious or just buggy) • Without memory-safety, this is impossible. Why? Because B can access any memory used by A Without type-safety, it is hard. Why? • Because B can pass ill-typed arguments to A's interface 24

  25. Language-level sandboxing process A process B trusted sted untrus usted ted module ule A module ule B Execution engine (eg Java or . NET VM) Operating System Hardware (CPU, memory, I/O peripherals) 25

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

secmodel_sandbox An application sandbox for NetBSD Stephen Herwig sandboxing Sandboxing:

secmodel_sandbox An application sandbox for NetBSD Stephen Herwig sandboxing Sandboxing:

secmodel_sandbox An application sandbox for NetBSD Stephen Herwig sandboxing Sandboxing: limiting the privileges of a process Two motivations - Running untrusted code in a restricted environment - Dropping privileges in trusted code so as to

1.09k views • 58 slides
Vx32: Lightweight User-Level Sandboxing on the x86 Bryan Ford and Russ Cox MIT CSAIL Presented

Vx32: Lightweight User-Level Sandboxing on the x86 Bryan Ford and Russ Cox MIT CSAIL Presented

Vx32: Lightweight User-Level Sandboxing on the x86 Bryan Ford and Russ Cox MIT CSAIL Presented by: Ashwin Chaugule 26th Sept 2008 Area Systems security: Application Virtualization USENIX 08 - Best Student Paper Source code:

427 views • 28 slides
Landlock LSM: toward unprivileged sandboxing Micka el Sala un ANSSI September 14, 2017 1 /

Landlock LSM: toward unprivileged sandboxing Micka el Sala un ANSSI September 14, 2017 1 /

Landlock LSM: toward unprivileged sandboxing Micka el Sala un ANSSI September 14, 2017 1 / 21 Secure user-space software How to harden an application? secure development follow the least privilege principle compartmentalize

789 views • 61 slides
MPI is too High-Level MPI is too Low-Level Marc Snir High-Level MPI MPI is an Application

MPI is too High-Level MPI is too Low-Level Marc Snir High-Level MPI MPI is an Application

MPI is too High-Level MPI is too Low-Level Marc Snir High-Level MPI MPI is an Application Programming Application Application Interface from MPI-1.0:``Design an application MPI programming interface (not necessarily for

561 views • 19 slides
Crowdsourced Conformance Testing via Remote Sandboxing Joe Gibbs Politz

Crowdsourced Conformance Testing via Remote Sandboxing Joe Gibbs Politz

Crowdsourced Conformance Testing via Remote Sandboxing Joe Gibbs Politz http://www.batchgeo.com Remote Sandboxing? Students' interpreters g r a d e . r k t 1 6 0 0 t i m e s ? Students' interpreters g r a d e

446 views • 15 slides
Objectives An ASIC application MSDAP Analyze the application requirement System

Objectives An ASIC application MSDAP Analyze the application requirement System

Objectives An ASIC application MSDAP Analyze the application requirement System level setting of an application Define operation mode Define signals and pins Top level model Write a specification When addressing

681 views • 53 slides
Application-Layer Protocols The World-Wide Web (HTTP) Reliable file transfer (FTP)

Application-Layer Protocols The World-Wide Web (HTTP) Reliable file transfer (FTP)

COMP 431 Application-Layer Protocols Internet Services & Protocols Outline application application transport Example client/server systems and network their application-level protocols: link physical Application-Layer Protocols

281 views • 13 slides
Application-Layer Protocols: The World-Wide Web (HTTP) Reliable file transfer (FTP) The

Application-Layer Protocols: The World-Wide Web (HTTP) Reliable file transfer (FTP) The

COMP 431 Application-Layer Protocols Internet Services & Protocols Outline application application transport network Example client/server systems and link their application-level protocols: physical Application-Layer Protocols:

432 views • 10 slides
Application Level Undo & Recovery: Applied to the Pencil Application Presented by: Rafat

Application Level Undo & Recovery: Applied to the Pencil Application Presented by: Rafat

Application Level Undo & Recovery: Applied to the Pencil Application Presented by: Rafat Rashid, Bozhidar Lenchov, Kush Dua Motivation Loss of data detrimental to productivity and motivation Code/configuration/operator errors could

685 views • 14 slides
Practical and Effective Sandboxing for Non-root users Taesoo Kim and Nickolai Zeldovich MIT

Practical and Effective Sandboxing for Non-root users Taesoo Kim and Nickolai Zeldovich MIT

Practical and Effective Sandboxing for Non-root users Taesoo Kim and Nickolai Zeldovich MIT CSAIL Why yet another sandbox for desktop applications? There are many existing sandbox mechanisms Chroot / Lxc (Unix/Linux) Jail (Freebsd)

515 views • 48 slides
Assessing the Vulnerability of Coastal Wetlands to Sea-Level Rise Application of a Model Patty

Assessing the Vulnerability of Coastal Wetlands to Sea-Level Rise Application of a Model Patty

Assessing the Vulnerability of Coastal Wetlands to Sea-Level Rise Application of a Model Patty Glick Senior Climate Adaptation Specialist National Wildlife Federation Overview of Sea-Level Rise Subsidence, tectonic Ocean circulation

518 views • 21 slides
Sandboxing & Virtualization: Modern Tools for Combating Malware Anup K. Ghosh, PhD Founder

Sandboxing & Virtualization: Modern Tools for Combating Malware Anup K. Ghosh, PhD Founder

Sandboxing & Virtualization: Modern Tools for Combating Malware Anup K. Ghosh, PhD Founder anup@invincea.com www.invincea.com Research Professor Center for Secure Information Systems George Mason University May 2010 The User IS the

479 views • 20 slides
Sandboxing 1 logistics CHALLENGE assignment take-home portion of the fjnal next class

Sandboxing 1 logistics CHALLENGE assignment take-home portion of the fjnal next class

Sandboxing 1 logistics CHALLENGE assignment take-home portion of the fjnal next class fjnal exam review 2 CHALLENGE (1) expect to release before Saturday; due by written fjnal probably complete all but two fjve of seven or four of

848 views • 66 slides
Border Control: Sandboxing Accelerators L. E. Olson, Jason Power, Mark. D. Hill and David A.Wood

Border Control: Sandboxing Accelerators L. E. Olson, Jason Power, Mark. D. Hill and David A.Wood

Border Control: Sandboxing Accelerators L. E. Olson, Jason Power, Mark. D. Hill and David A.Wood University of Wisconsin-Madison Presented by : Yash Bhalgat, Arun Subramaniyan Key Id Ideas and goals Sharing memory between host and

596 views • 21 slides
NELLIS AFB TRAUMA LEVEL III Headquarters U.S. Air Force APPLICATION I n t e g r i t y - S e r v

NELLIS AFB TRAUMA LEVEL III Headquarters U.S. Air Force APPLICATION I n t e g r i t y - S e r v

NELLIS AFB TRAUMA LEVEL III Headquarters U.S. Air Force APPLICATION I n t e g r i t y - S e r v i c e - E x c e l l e n c e Mike OCallaghan Military Medical Center Colonel Alfred K. Flowers Jr. Commander & CEO Proposal Overview-

535 views • 17 slides
Take Your Level 2s Up a Notch: Start Measuring Application Not Just Recall Presented by: Ken

Take Your Level 2s Up a Notch: Start Measuring Application Not Just Recall Presented by: Ken

Take Your Level 2s Up a Notch: Start Measuring Application Not Just Recall Presented by: Ken Phillips Phillips Associates February 9, 2016 Phillips Associates 1 Agenda 1. Examine Level 2 evaluation facts 2. Analyze test creation errors in

869 views • 45 slides
Course Summary & Review CS 161: Computer Security Prof. Vern Paxson TAs: Jethro Beekman,

Course Summary & Review CS 161: Computer Security Prof. Vern Paxson TAs: Jethro Beekman,

Course Summary & Review CS 161: Computer Security Prof. Vern Paxson TAs: Jethro Beekman, Mobin Javed, Antonio Lupher, Paul Pearce & Matthias Vallentin http://inst.eecs.berkeley.edu/~cs161/ May 2, 2013 Know Your TA Mobin Javed

992 views • 86 slides
1 The problem Address the problem of stopping determined attackers from exploiting our

1 The problem Address the problem of stopping determined attackers from exploiting our

1 The problem Address the problem of stopping determined attackers from exploiting our software Interest in Control Flow Integrity(CFI) Data execution prevention (DEP), stack smashing protection (SSP), address space layout

673 views • 34 slides
Countering Terrorism through Information and Privacy Protection Technologies Robert Popp, John

Countering Terrorism through Information and Privacy Protection Technologies Robert Popp, John

Terrorism Information Technology Privacy Countering Terrorism through Information and Privacy Protection Technologies Robert Popp, John Poindexter IEEE Security & Privacy, vol. 4, no. 6, Nov.-Dec. 2006 1 / 10 Terrorism Information

376 views • 14 slides
R EVOLUTION & P OLITICAL V IOLENCE Is violence random? Mapiripn massacre in Colombia

R EVOLUTION & P OLITICAL V IOLENCE Is violence random? Mapiripn massacre in Colombia

Poli-416: R EVOLUTION & P OLITICAL V IOLENCE Is violence random? Mapiripn massacre in Colombia Is violence random? Public discourse on violence as chaotic or random Rwandan genocide Logic of Violence in Civil Wars Why

870 views • 32 slides
Upcoming Wireless Networks and New Challenges Generalities Mesh networks Vehicular

Upcoming Wireless Networks and New Challenges Generalities Mesh networks Vehicular

Upcoming Wireless Networks and New Challenges Generalities Mesh networks Vehicular networks Security and Cooperation in Wireless Networks Georg-August University Gttingen Introduction Upcoming wireless networks: Personal

904 views • 42 slides
Debugging From Theoretical/Concept Considerations to Weapons for Efficient Coding Carlos J.

Debugging From Theoretical/Concept Considerations to Weapons for Efficient Coding Carlos J.

Debugging From Theoretical/Concept Considerations to Weapons for Efficient Coding Carlos J. Barrios H. PhD. cbarrios@uis.edu.co Sources of This Presentation: Guest lecture DR. R o b e r t O a t e s Icos R esearch Group University o f

1.14k views • 67 slides
Outline 1 Zero-Knowledge MTAT.07.005 Cryptographic Protocols First Lecture: Main Notions Second

Outline 1 Zero-Knowledge MTAT.07.005 Cryptographic Protocols First Lecture: Main Notions Second

Zero-Knowledge Zero-Knowledge Two-Party Protocols Two-Party Protocols Outline 1 Zero-Knowledge MTAT.07.005 Cryptographic Protocols First Lecture: Main Notions Second Lecture: Proofs of Knowledge Introduction to Zero-Knowledge Third Lecture:

473 views • 31 slides
Energy Networks Association Open Networks Project Advisory Group 5 th September 2019 General

Energy Networks Association Open Networks Project Advisory Group 5 th September 2019 General

Energy Networks Association Open Networks Project Advisory Group 5 th September 2019 General Housekeeping Amenities Both male and female toilets can be found in the corridor. Emergency Exit Fire escape door is located in the

686 views • 46 slides

More recommend