practical and effective sandboxing for non root users
play

Practical and Effective Sandboxing for Non-root users Taesoo Kim - PowerPoint PPT Presentation

Aug 29, 2022 •35 likes •515 views

Practical and Effective Sandboxing for Non-root users Taesoo Kim and Nickolai Zeldovich MIT CSAIL Why yet another sandbox for desktop applications? There are many existing sandbox mechanisms Chroot / Lxc (Unix/Linux) Jail (Freebsd)

  1. Practical and Effective Sandboxing for Non-root users Taesoo Kim and Nickolai Zeldovich MIT CSAIL

  2. Why yet another sandbox for desktop applications? ● There are many existing sandbox mechanisms – Chroot / Lxc (Unix/Linux) – Jail (Freebsd) – Seatbelt (Mac OS X) – VM? ... ● Difficult-to-use, requiring root privilege, or slow! 2

  3. TL;DR Our tool Unknown binary downloaded from the $ mbox -- ./downloaded-bin Internet ... Network Summary: > [11279] -> 173.194.43.51:80 > [11279] Create socket(PF_INET,...) > [11279] -> a00::2607:f8b0:4006:803:0 ... Sandbox Root: > /tmp/sandbox-11275 > N:/tmp/index.html [c]ommit, [d]iff, [i]gnore, [l]ist, [s]hell, [q]uit ?> 3

  4. TL;DR $ mbox -- ./downloaded-bin ... Network Summary: Where to connect? > [11279] -> 173.194.43.51:80 > [11279] Create socket(PF_INET,...) > [11279] -> a00::2607:f8b0:4006:803:0 ... Sandbox Root: > /tmp/sandbox-11275 > N:/tmp/index.html [c]ommit, [d]iff, [i]gnore, [l]ist, [s]hell, [q]uit ?> 4

  5. TL;DR $ mbox -- ./downloaded-bin ... Network Summary: > [11279] -> 173.194.43.51:80 > [11279] Create socket(PF_INET,...) > [11279] -> a00::2607:f8b0:4006:803:0 ... Protecting the host filesystem Sandbox Root: from modification > /tmp/sandbox-11275 > N:/tmp/index.html [c]ommit, [d]iff, [i]gnore, [l]ist, [s]hell, [q]uit ?> 5

  6. TL;DR $ mbox -- ./downloaded-bin ... Network Summary: > [11279] -> 173.194.43.51:80 > [11279] Create socket(PF_INET,...) > [11279] -> a00::2607:f8b0:4006:803:0 ... Sandbox Root: > /tmp/sandbox-11275 > N:/tmp/index.html [c]ommit, [d]iff, [i]gnore, [l]ist, [s]hell, [q]uit ?> Revision-control-system like interface 6

  7. TL;DR Without root privilege! $ mbox -- ./downloaded-bin ... Network Summary: > [11279] -> 173.194.43.51:80 > [11279] Create socket(PF_INET,...) > [11279] -> a00::2607:f8b0:4006:803:0 ... Sandbox Root: > /tmp/sandbox-11275 > N:/tmp/index.html [c]ommit, [d]iff, [i]gnore, [l]ist, [s]hell, [q]uit ?> 7

  8. Design overview ● Layered sandbox filesystem – Overlaying the host filesystem – Confining modification made by sandboxed processes – Persistent storage: in fact, just a regular directory ● System call interposition – Commodity OSes provide one for non-root users – Enabling a variety of applications: installing pkgs, restricting network, build/dev. env ... 8

  9. Design overview ● Layered sandbox filesystem – Overlaying the host filesystem – Confining modification made by sandboxed processes – Persistent storage: in fact, just a regular directory ● System call interposition – Commodity OSes provide one for non-root users – Enabling a variety of applications: installing pkgs, restricting network, build/dev. env ... 9

  10. Installing packages as normal user $ mbox -R -- apt-get install git (-R: emulate a fakeroot environment) ● Mbox provides a writable sandbox layer on top of the host filesystem – User owns the sandbox directory – Contain newly installed files, and package databases ● Mbox emulates a fakeroot environment – Use standard package managers without modification – Support: apt-get (Ubuntu), dpkg (Debian), pip (Python) 10

  11. Running unknown binary safely $ mbox -n -- ./downloaded-bin (-n: disable remote network accesses) ● Mbox protects the host filesystem from modifications ● Mbox restricts or monitors network accesses – Interpret socket-like system calls – Summarize network activity when terminated 11

  12. Checkpointing filesystem $ mbox -i -- emacs ~/.emacs (-i: enable interactive commit-mode) Host Filesystem ~/.emacs 12

  13. Checkpointing filesystem $ mbox -i -- emacs ~/.emacs (-i: enable interactive commit-mode) Sandbox Edit .emacs Read Write Sandbox FS ~/.emacs Host Filesystem ~/.emacs 13

  14. Checkpointing filesystem $ mbox -i -- emacs ~/.emacs (-i: enable interactive commit-mode) Sandbox Edit .emacs Read Write Read Sandbox FS ~/.emacs Host Filesystem ~/.emacs 14

  15. Checkpointing filesystem $ mbox -i -- emacs ~/.emacs (-i: enable interactive commit-mode) Sandbox Edit .emacs Read Write Read Sandbox FS ~/.emacs Commit Host Filesystem ~/.emacs 15

  16. Build/development environment $ tree linux-git ... Sandbox FS +--mm--mmap.c *.o +-mlock.c Host Filesystem linux-git $ mbox -r outdir -- make (-r dir: specify a sandbox directory) ● Mbox can separate out the generated obj files – make clean == rm -rf outdir ● Mbox can also be used for virtual dev. env. – Install packages with standard package managers 16

  17. Outline ● Motivation / use cases ● Layered sandbox filesystem ● System call interposition (using seccomp/BPF) ● Implementation / evaluation ● Related work ● Summary 17

  18. Sandbox filesystem supports copy-on-write Sandboxed process Sandbox filesystem Host .emacs filesystem 18

  19. Sandbox filesystem supports copy-on-write Sandboxed process open(“.emacs”, R) Read Sandbox filesystem Host .emacs filesystem 19

  20. Sandbox filesystem supports copy-on-write Sandboxed process open(“.emacs”, RW) Sandbox filesystem Host .emacs filesystem 20

  21. Sandbox filesystem supports copy-on-write Sandboxed process open(“.emacs”, RW) Sandbox filesystem .emacs Copy Host .emacs filesystem 21

  22. Sandbox filesystem supports copy-on-write Sandboxed process open(“.emacs”, RW) Read/Write Sandbox filesystem .emacs Copy Host .emacs filesystem 22

  23. Copy-on-write by rewriting path arguments Sandboxed process open(“.emacs”, RW) Read/Write Sandbox /tmp/sbox/ filesystem .emacs Copy Host .emacs filesystem 23

  24. Copy-on-write by rewriting path arguments /tmp/sbox/home/taesoo/.emacs Sandboxed process open(“.emacs”, RW) Read/Write Sandbox /tmp/sbox/ filesystem .emacs Copy Host .emacs filesystem 24

  25. All subsequent read/write should happen on the sandbox filesystem Sandboxed process open(“.emacs”, RW) ... open(“.emacs”, R) Read Sandbox filesystem .emacs Host .emacs filesystem 25

  26. All subsequent read/write should happen on the sandbox filesystem /tmp/sbox/home/taesoo/.emacs Sandboxed process open(“.emacs”, RW) ... open(“.emacs”, R) Read Sandbox /tmp/sbox/ filesystem .emacs Host .emacs filesystem 26

  27. Sandbox filesystem keeps track of deleted files Sandboxed process unlink(“.emacs”) ... Mbox Hashmap of deleted files .emacs Sandbox ... filesystem Host .emacs filesystem 27

  28. Sandbox filesystem keeps track of deleted files /tmp/sbox/home/taesoo/.emacs Sandboxed process unlink(“.emacs”) ... open(“.emacs”, R) Mbox Hashmap of Read deleted files .emacs Sandbox /tmp/sbox/ ... deleted filesystem .emacs Host .emacs filesystem 28

  29. Mbox doesn't have to interpose on every system call fd = open(“.emacs”, R) fd = open(“.emacs”, RW) read(fd, buf, size) write(fd, buf, size) ● After redirecting the path in open(), we don't have to interpose on read/write() system calls ● Mbox needs to interpose on 48 system calls getting a path argument to provide a layered sandbox filesystem 29

  30. Mechanism: system call interposition ● Ptrace is a common technique, but slow – Interpose entry/exit of every system call – Serialize system calls of child processes ● Using seccomp/BPF (>= Linux 3.5) – Seccomp is a security mechanism for isolating a process by allowing a certain set of system calls – Seccomp/BPF uses BPF (Berkeley Packet Filter) to specify rules for filtering system calls 30

  31. BPF program for interposition Mbox User space Kernel 31

  32. BPF program for interposition Mbox User space prctl() ① Kernel Seccomp/BPF BPF_STMT(LD, OFF_SYSCALL) BPF_JUMP(#open, 0, 1) BPF_STMT(RET, TRACE) … BPF_STMT(RET, ALLOWED) BPF 32

  33. BPF program for interposition Mbox User space prctl() ① Kernel Seccomp/BPF BPF_STMT(LD, OFF_SYSCALL) BPF_JUMP(#open, 0, 1) BPF_STMT(RET, TRACE) … BPF_STMT(RET, ALLOWED) BPF 33

  34. BPF program for interposition Sandboxed process Mbox exec() ② User space prctl() ① Kernel Seccomp/BPF BPF_STMT(LD, OFF_SYSCALL) BPF_JUMP(#open, 0, 1) BPF_STMT(RET, TRACE) … BPF_STMT(RET, ALLOWED) BPF 34

  35. BPF program for interposition Sandboxed process Mbox exec() ② User space prctl() open(“/a", RW) ① ③ Kernel Seccomp/BPF BPF_STMT(LD, OFF_SYSCALL) BPF_JUMP(#open, 0, 1) BPF_STMT(RET, TRACE) … BPF_STMT(RET, ALLOWED) BPF 35

  36. BPF program for interposition Sandboxed process Mbox exec() ② wait() User space prctl() open(“/a", RW) ① ③ Kernel Seccomp/BPF BPF_STMT(LD, OFF_SYSCALL) BPF_JUMP(#open, 0, 1) EVENT_SECCOMP ④ BPF_STMT(RET, TRACE) … BPF_STMT(RET, ALLOWED) BPF 36

  37. BPF program for interposition ptrace (PEEK/POKE) ⑤ “/a” “/tmp/sbox/a” → Sandboxed process Mbox exec() ② wait() User space prctl() open(“/a", RW) ① ③ Kernel Seccomp/BPF BPF_STMT(LD, OFF_SYSCALL) BPF_JUMP(#open, 0, 1) EVENT_SECCOMP ④ BPF_STMT(RET, TRACE) … BPF_STMT(RET, ALLOWED) BPF 37

  38. More story to come ... ● How to avoid time-of-check-to-time-of-use? ● How to avoid replicating OS state? ● ... Please, check the paper! 38

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Minijail: Sandboxing software running on Linux kernels Jorge Lucangeli Obes jorgelo@google.com

Minijail: Sandboxing software running on Linux kernels Jorge Lucangeli Obes jorgelo@google.com

Minijail: Sandboxing software running on Linux kernels Jorge Lucangeli Obes jorgelo@google.com $ ps -eo pid,user,comm 1 root /sbin/init 2 root [kthreadd] ... 1468 message+ dbus-daemon --system --fork 1749 root

725 views • 38 slides
secmodel_sandbox An application sandbox for NetBSD Stephen Herwig sandboxing Sandboxing:

secmodel_sandbox An application sandbox for NetBSD Stephen Herwig sandboxing Sandboxing:

secmodel_sandbox An application sandbox for NetBSD Stephen Herwig sandboxing Sandboxing: limiting the privileges of a process Two motivations - Running untrusted code in a restricted environment - Dropping privileges in trusted code so as to

1.09k views • 58 slides
Practical introduction to ROOT Atommag- s Nehzionfizikai Tli Iskola 2016 Anna Julia

Practical introduction to ROOT Atommag- s Nehzionfizikai Tli Iskola 2016 Anna Julia

Practical introduction to ROOT Atommag- s Nehzionfizikai Tli Iskola 2016 Anna Julia Zsigmond (Wigner RCP) zsigmond.anna@wigner.mta.hu This tutorial Introductory presentation What is ROOT? (ROOT 6 series) Basic functionalities

822 views • 61 slides
ROOT and C++11 ROOT Users Workshop 2013 Benjamin Bannier Stony Brook University March 13, 2013

ROOT and C++11 ROOT Users Workshop 2013 Benjamin Bannier Stony Brook University March 13, 2013

ROOT and C++11 ROOT Users Workshop 2013 Benjamin Bannier Stony Brook University March 13, 2013 1 / 33 About me and Disclaimers Hi, I am Benjamin Bannier. graduate student at Stony Brook University Experimental Heavy Ion Physics with

648 views • 33 slides
Effective Communications and Practical Accommodations for Persons with Disabilities DECEMBER 3,

Effective Communications and Practical Accommodations for Persons with Disabilities DECEMBER 3,

Effective Communications and Practical Accommodations for Persons with Disabilities DECEMBER 3, 2015 Beyond the Bench ANAHEIM, CALIFORNIA ABOUT THE PRESENTER Linda McCulloh Effective Communications and Practical Accommodations for Persons

476 views • 28 slides
The SHiP perspective on root Oliver Lantwin on behalf of SHiP. [ oliver.lantwin@cern.ch ] root

The SHiP perspective on root Oliver Lantwin on behalf of SHiP. [ oliver.lantwin@cern.ch ] root

The SHiP perspective on root Oliver Lantwin on behalf of SHiP. [ oliver.lantwin@cern.ch ] root Users Workshop, Sarajevo 2018-09-13 What is SHiP? Future experiment designed to look for super-weakly interacting new particles at the intensity

313 views • 20 slides
Practical Advances in Complex Root Clustering Collaborative and ongoing works R. Imbach 1 , V. Pan

Practical Advances in Complex Root Clustering Collaborative and ongoing works R. Imbach 1 , V. Pan

Practical Advances in Complex Root Clustering Collaborative and ongoing works R. Imbach 1 , V. Pan 2 , M. Pouget 3 , C. Yap 1 1 Courant Institute of Mathematical Sciences, New York University, USA 2 Lehman College, City University of New York, USA

1.27k views • 100 slides
PRESS ROOT TO PRESS ROOT TO CONTINUE: PRESS ROOT TO PRESS ROOT TO CONTINUE: PRESS ROOT TO

PRESS ROOT TO PRESS ROOT TO CONTINUE: PRESS ROOT TO PRESS ROOT TO CONTINUE: PRESS ROOT TO

Mario Vuksan & Tomislav PericinBlackHat USA 2013, Las Vegas PRESS ROOT TO PRESS ROOT TO CONTINUE: PRESS ROOT TO PRESS ROOT TO CONTINUE: PRESS ROOT TO PRESS ROOT TO PRESS ROOT TO PRESS ROOT TO CONTINUE: CONTINUE: CONTINUE: CONTINUE:

690 views • 45 slides
Certicate Transparency Root Explorer Nikita Korzhitskii Niklas Carlsson Web Public Key

Certicate Transparency Root Explorer Nikita Korzhitskii Niklas Carlsson Web Public Key

Certicate Transparency Root Explorer Nikita Korzhitskii Niklas Carlsson Web Public Key Infrastructure (WebPKI) Root certificates of trusted Certificate Authorities e.g. GlobalSign Root CA, Amazon Root CA, GoDaddy Root CA Root 1 Root 2

347 views • 19 slides
Practical Techniques to Obviate Setuid-to-Root Binaries Bhushan Jain , Chia-Che Tsai, Jitin John,

Practical Techniques to Obviate Setuid-to-Root Binaries Bhushan Jain , Chia-Che Tsai, Jitin John,

Operating Systems, Security, Concurrency and Architecture Research Practical Techniques to Obviate Setuid-to-Root Binaries Bhushan Jain , Chia-Che Tsai, Jitin John, Donald Porter OSCAR Lab Computer Science Department Stony Brook University 1

616 views • 59 slides
Scaling the Root A study of the impact on the DNS root system of increasing the size and

Scaling the Root A study of the impact on the DNS root system of increasing the size and

Scaling the Root A study of the impact on the DNS root system of increasing the size and volatility of the root zone Jaap Akkerhuis Lyman Chapin Patrik Fltstrm Glenn Kowack Bill Manning Lars-Johan Liman Summary of Findings Root Scaling

558 views • 20 slides
Computer Security environment, without compromising functionality or security? Three parts

Computer Security environment, without compromising functionality or security? Three parts

9/7/2013 Some topics Im working on Computing on encrypted data Information flow: Dynamic IFC in Haskell, web Sandboxing Untrusted JavaScript Third party web tracking and other web security stories Practical web security

572 views • 21 slides
Crowdsourced Conformance Testing via Remote Sandboxing Joe Gibbs Politz

Crowdsourced Conformance Testing via Remote Sandboxing Joe Gibbs Politz

Crowdsourced Conformance Testing via Remote Sandboxing Joe Gibbs Politz http://www.batchgeo.com Remote Sandboxing? Students' interpreters g r a d e . r k t 1 6 0 0 t i m e s ? Students' interpreters g r a d e

446 views • 15 slides
Root Cause Analysis 1 Root Cause Analysis Root Cause Analysis is a method that is used to

Root Cause Analysis 1 Root Cause Analysis Root Cause Analysis is a method that is used to

Root Cause Analysis 1 Root Cause Analysis Root Cause Analysis is a method that is used to address a problem or non-conformance, in order to get to the root cause of the problem. It is used so we can correct or eliminate the cause,

389 views • 28 slides
Going Native: Using a Large-Scale Analysis of Android Apps to Create a Practical Native-Code

Going Native: Using a Large-Scale Analysis of Android Apps to Create a Practical Native-Code

Introduction Background Analysis infrastructure Evaluation Policy generation Limitations Going Native: Using a Large-Scale Analysis of Android Apps to Create a Practical Native-Code Sandboxing Policy Vitor Monte Afonso 1 , Antonio Bianchi 2

524 views • 34 slides
A Cost-Effective and Practical Remedial Alternative Paul R. Lear, Ph.D. Manufactured Gas

A Cost-Effective and Practical Remedial Alternative Paul R. Lear, Ph.D. Manufactured Gas

In-situ Stabilization at MGP Sites A Cost-Effective and Practical Remedial Alternative Paul R. Lear, Ph.D. Manufactured Gas Plants Starting in late 1900s, gas was manufactured by heating coal in specialized oven Common in many

495 views • 30 slides
1 Scale space representation Scale space representation Keypoint detection Keypoint detection

1 Scale space representation Scale space representation Keypoint detection Keypoint detection

Introduction Introduction Distinctive Image Features from Distinctive Image Features from Scale Scale- -Invariant Invariant Keypoints Keypoints Invariance Invariance Intensity Intensity Scale Scale David G. Lowe

394 views • 5 slides
Programming Exercise 2: Logistic Regression Machine Learning October 26, 2011 Introduction In

Programming Exercise 2: Logistic Regression Machine Learning October 26, 2011 Introduction In

Programming Exercise 2: Logistic Regression Machine Learning October 26, 2011 Introduction In this exercise, you will implement logistic regression and apply it to two different datasets. Before starting on the programming exercise, we strongly

350 views • 13 slides
Rhythm John Sizemore (Team Leader) Cristopher Stauffer Yuankai Huo Lauren Stephanian

Rhythm John Sizemore (Team Leader) Cristopher Stauffer Yuankai Huo Lauren Stephanian

Rhythm John Sizemore (Team Leader) Cristopher Stauffer Yuankai Huo Lauren Stephanian Introduction Rhythm is a music composition language Programmers create chronological tracks out of notes, rests, and chords Tracks can be

569 views • 22 slides
Truss Decomposition on Shared-Memory Parallel Systems Shaden Smith 1 , 2 , Xing Liu 2 , Nesreen K.

Truss Decomposition on Shared-Memory Parallel Systems Shaden Smith 1 , 2 , Xing Liu 2 , Nesreen K.

Truss Decomposition on Shared-Memory Parallel Systems Shaden Smith 1 , 2 , Xing Liu 2 , Nesreen K. Ahmed 2 , Ancy Sarah Tom 1 , Fabrizio Petrini 2 , and George Karypis 1 1 Department of Computer Science & Engineering, University of Minnesota 2

379 views • 21 slides
1 Basic Info n Breakfast, coffee breaks n Meals n Lunch provided both days n Supported by

1 Basic Info n Breakfast, coffee breaks n Meals n Lunch provided both days n Supported by

1 Basic Info n Breakfast, coffee breaks n Meals n Lunch provided both days n Supported by University of Pittsburgh Provosts Office, SCI n n Dinner on your own n WiFi Wyndham Pittsburgh <v93j3q> n Need help? n Kelly Shaffer,

1.09k views • 94 slides
3rd Party Risk Review Process June 15, 2018 Computing Services and Systems Development Agenda

3rd Party Risk Review Process June 15, 2018 Computing Services and Systems Development Agenda

Computing Services and Systems Development 3rd Party Risk Review Process June 15, 2018 Computing Services and Systems Development Agenda Use of third party vendors Need to assess risk Assessment methodologies Challenges

298 views • 16 slides
LinSim Linear Accelerator Simulation Framework with PLACET and GUINEA-PIG Jochem Snuverink (JAI,

LinSim Linear Accelerator Simulation Framework with PLACET and GUINEA-PIG Jochem Snuverink (JAI,

LinSim Linear Accelerator Simulation Framework with PLACET and GUINEA-PIG Jochem Snuverink (JAI, Royal Holloway) Jrgen Pfingstner (CERN) 8 th of October 2014 J. Snuverink and J. Pfingstner LinSim Content 1. Introduction 2. LinSim 3.

325 views • 20 slides
Advanced Higher Literacy What do you need to know? Identifying/inserting chords to cadence points

Advanced Higher Literacy What do you need to know? Identifying/inserting chords to cadence points

Advanced Higher Literacy What do you need to know? Identifying/inserting chords to cadence points under Augmented triad melodies Enharmonic equivalent rewriting at same pitch Diminished 7 th Scales and key signatures up to 2 accidentals

1.03k views • 72 slides

More recommend