sandboxing and isolation
play

Sandboxing and isolation Deian Stefan Today Lecture objectives: - PowerPoint PPT Presentation

Apr 11, 2024 •442 likes •1.1k views

CSE 127: Computer Security Sandboxing and isolation Deian Stefan Today Lecture objectives: Understand basic principles for building secure systems Understand mechanisms used to build secure systems Principles of secure design

  1. CSE 127: Computer Security Sandboxing and isolation Deian Stefan

  2. Today Lecture objectives: • Understand basic principles for building secure systems • Understand mechanisms used to build secure systems

  3. Principles of secure design • Least privilege • Privilege separation • Complete mediation • Defense in depth • Fail safe/closed • Keep it simple

  4. Some photos from Smith’s A Contemporary Look at Saltzer and Schroeder’s 1975 Design Principles and Wikipedia (e.g., https://en.wikipedia.org/wiki/Beaumaris_Castle)

  5. The privilege separation recipe: • Break system into compartments • Ensure each compartment is isolated • Ensure each compartment runs with least privilege • Treat compartment interface as trust boundary

  6. How do break things up? Depends on the attacker model & isolation mechanism

  7. What isolation mechanisms can we use? • Hardware-based isolation: ➤ Physical machine, CPU modes (e.g., rings), virtual memory (MMU), memory protection unit (MPU), trusted execution environments, … • Software-based isolation: ➤ Language virtual machines (e.g., JavaScript), 
 software-based fault isolation (e.g., WebAssembly), 
 binary instrumentation, type systems, …

  8. What isolation mechanisms can we use? • Hardware-based isolation: ➤ Physical machine, CPU modes (e.g., rings), virtual memory (MMU), memory protection unit (MPU), trusted execution environments, … • Software-based isolation: ➤ Language virtual machines (e.g., JavaScript), 
 software-based fault isolation (e.g., WebAssembly), 
 binary instrumentation, type systems, …

  9. Example: Multi-user OS • In this system: ➤ Users can execute programs (process) ➤ Processes can access resources/assets • What’s the threat model? ➤

  10. What do we want? • Memory isolation ➤ Process should not be able to access another’s memory • Resource isolation ➤ Process should only be able to access certain resources

  11. What do we want? • Memory isolation ➤ Process should not be able to access another’s memory • Resource isolation ➤ Process should only be able to access certain resources

  12. UNIX permission model • Permissions granted according to UID ➤ A process may access files, network sockets, …. ➤ root (UID 0) can access everything • Each file has access control list (ACL) ➤ Grants permissions to users according to UIDs and roles (owner, group, other) ➤ Everything is a file!

  13. How does passwd work then?

  14. There is more than one UID…

  15. Process UIDs • Real user ID (RUID) ➤ Used to determine which user started the process ➤ Typically same as the user ID of parent process • Effective user ID (EUID) ➤ Determines the permissions for process ➤ Can be different from RUID (e.g., because setuid bit on the file being executed) • Saved user ID (SUID)

  16. setuid demystified (a bit) • A program can have a setiud bit set in its permissions • This impacts: fork and exec ➤ Typically inherit three IDs of parent ➤ If setuid bit set: use UID of file owner as EUID

  17. -rwsr-xr-x 1 root root 55440 Jul 28 2018 /usr/bin/passwd

  18. setuid demystified (a bit) • There are actually three bits: ➤ setuid - set EUID of process to ID of file owner ➤ setgid - set EG roup ID of process to GID of file ➤ sticky bit ➤ on: only file owner, directory owner, and root can 
 rename or remove file in the directory ➤ off: if user has write permission on directory, can 
 rename or remove files, even if not owner

  19. drwxrwxrwt 16 root root 700 Feb 6 17:38 /tmp/

  20. What do we want? • Memory isolation ➤ Process should not be able to access another’s memory • Resource isolation ➤ Process should only be able to access certain resources

  21. Process memory isolation • How are individual processes memory- isolated from each other? ➤ Each process gets its own virtual address space, managed by the operating system • Memory addresses used by processes are virtual addresses (VAs) not physical addresses (PAs) ➤ When and how do we do the translation? https://en.wikipedia.org/wiki/Virtual_memory#/media/File:Virtual_memory.svg

  22. When do we do the translation? • Every memory access goes through address translation (complete mediation) ➤ Load, store, instruction fetch • Who does the translation?

  23. When do we do the translation? • Every memory access goes through address translation (complete mediation) ➤ Load, store, instruction fetch • Who does the translation? ➤ The CPU’s memory management unit (MMU)

  24. How does the MMU translate VAs to PAs? • Using 64-bit ARM architecture as an example… • How do we translate arbitrary 64bit addresses? ➤ We can’t map at the individual address granularity! ➤ 64 bits * 2 64 (128 exabytes) to store any possible mapping

  25. Address translation (closer) 00…00 FF…FF … … … … … • Page: basic unit of translation ➤ Usually 4KB = 2 12 • How many page mappings? ➤ Still too big! ➤ 52 bits * 2 52 (208 petabytes)

  26. So what do we actually do? 00…00 FF…FF … … … … … 00 01 FF 00 01 FF 00 01 FF Multi-level page tables 00 01 FF 00 01 FF ➤ Sparse tree of page mappings 00 01 FF 00 01 FF ➤ Use VA as path through tree 00 01 FF ➤ Leaf nodes store PAs ➤ Root is kept in register so MMU can walk the tree

  27. How do we get isolation between processes? • Each process gets its own tree ➤ Tree is created by the OS ➤ Tree is used by the MMU when doing translation ➤ This is called “page table walking” ➤ When you context switch: OS needs to change root

  28. 
 Example of page table walk In reality, the full 64bit address space is not used. ➤ Working assumption: 48bit addresses Table[Page] address Byte index 47 11

  29. Page table walk 4KB … 64 bits 512 (2 9 ) entries … … Invalid Descriptor … … Table Descriptor address of next-level table Page Descriptor address of page … … … Translation Table Base Register 63..48 11..0 47 11

  30. Page table walk 4KB … 64 bits 512 (2 9 ) entries … … Invalid Descriptor … … Table Descriptor address of next-level table Page Descriptor address of page … … … Level 0 Translation Table Base Register 9 63..48 47..39 11..0 47 11

  31. Page table walk 4KB … 64 bits 512 (2 9 ) entries … … Invalid Descriptor … … Table Descriptor address of next-level table Page Descriptor address of page … … Level 1 … Level 0 Translation Table Base Register 9 9 63..48 47..39 38..30 11..0 47 11

  32. Page table walk 4KB … 64 bits 512 (2 9 ) entries … … Invalid Descriptor … … Level 2 Table Descriptor address of next-level table Page Descriptor address of page … … Level 1 … Level 0 Translation Table Base Register 9 9 9 63..48 47..39 38..30 29..21 11..0 47 11

  33. Page table walk 4KB … 64 bits 512 (2 9 ) entries Level 3 … … Invalid Descriptor … … Level 2 Table Descriptor address of next-level table Page Descriptor address of page … … Level 1 … Level 0 Translation Table Base Register 9 9 9 9 63..48 47..39 38..30 29..21 20..12 11..0 47 11

  34. Make it fast: Translation Lookaside Buffer

  35. Make it fast: Translation Lookaside Buffer • Small cache of recently translated addresses ➤ Before translating a referenced address, the processor checks the TLB • What does the TLB give us?

  36. Make it fast: Translation Lookaside Buffer • Small cache of recently translated addresses ➤ Before translating a referenced address, the processor checks the TLB • What does the TLB give us? ➤ Physical page corresponding to virtual page 
 (or that page isn’t present)

  37. Make it fast: Translation Lookaside Buffer • Small cache of recently translated addresses ➤ Before translating a referenced address, the processor checks the TLB • What does the TLB give us? ➤ Physical page corresponding to virtual page 
 (or that page isn’t present) ➤ Access control: if mapping allows the mode of access

  38. Access control • Not everything within a processes’ virtual address space is equally accessible • Page descriptors contain additional access control information ➤ Read, Write, eXecute permissions ➤ Who sets these bits? (The OS!)

  39. What should we do about TLB on context switch?

  40. What should we do about TLB on context switch? • Can flush the TLB (was most popular) • If HW has process-context identifiers (PCID), don’t need to flush: entries in TLB are partitioned by PCID

  41. What do we want? • Memory isolation ➤ Process should not be able to access another’s memory • Resource isolation ➤ Process should only be able to access certain resources

  42. Process isolation and virtual memory are powerful abstractions… where else are they used?

  43. Process isolation and virtual memory are powerful abstractions… where else are they used?

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

secmodel_sandbox An application sandbox for NetBSD Stephen Herwig sandboxing Sandboxing:

secmodel_sandbox An application sandbox for NetBSD Stephen Herwig sandboxing Sandboxing:

secmodel_sandbox An application sandbox for NetBSD Stephen Herwig sandboxing Sandboxing: limiting the privileges of a process Two motivations - Running untrusted code in a restricted environment - Dropping privileges in trusted code so as to

1.09k views • 58 slides
Sandboxes VM Most sandboxes provide an isolation-based approach where the effect of

Sandboxes VM Most sandboxes provide an isolation-based approach where the effect of

Sandboxes VM Most sandboxes provide an isolation-based approach where the effect of programs run inside a sandbox is entirely isolated from resources outside the sandbox's authority. However, due to practical requirements, sandboxing

1.9k views • 164 slides
Serializable Snapshot Isolation Making ISOLATION LEVEL SERIALIZABLE Provide Serializable

Serializable Snapshot Isolation Making ISOLATION LEVEL SERIALIZABLE Provide Serializable

Serializable Snapshot Isolation Making ISOLATION LEVEL SERIALIZABLE Provide Serializable Isolation Dan Ports Kevin Grittner MIT Wisconsin Court System Saturday, May 21, 2011 1 Overview Serializable isolation makes it easier to reason

922 views • 60 slides
ADAPTED SPAULDING PYRAMID Making Isolation: How does it work? Patient Isolation- Creating

ADAPTED SPAULDING PYRAMID Making Isolation: How does it work? Patient Isolation- Creating

ADAPTED SPAULDING PYRAMID Making Isolation: How does it work? Patient Isolation- Creating auxiliary isolation rooms (CDC) SCRUBBERS - 1 ea to serve patient room, and 1 for Airlock Typically deployed on supplied wheel platform

144 views • 3 slides
Crowdsourced Conformance Testing via Remote Sandboxing Joe Gibbs Politz

Crowdsourced Conformance Testing via Remote Sandboxing Joe Gibbs Politz

Crowdsourced Conformance Testing via Remote Sandboxing Joe Gibbs Politz http://www.batchgeo.com Remote Sandboxing? Students' interpreters g r a d e . r k t 1 6 0 0 t i m e s ? Students' interpreters g r a d e

446 views • 15 slides
Virtual Machine Introspection Isolation Interpretation Interposition Isolation

Virtual Machine Introspection Isolation Interpretation Interposition Isolation

Virtual Machine Introspection Isolation Interpretation Interposition Isolation From in-guest kernel/userspace Provided by Xen Buggy emulation blurres the line From trusted computing base (TCB) Possible via Xen

286 views • 26 slides
2 Fault Isolation & Restoration Manual Fault Isolation & Restoration The

2 Fault Isolation & Restoration Manual Fault Isolation & Restoration The

1 Self Healing Network (Centralized Restoration Gateway) IEEE PES 2015 General Meeting 2 Fault Isolation & Restoration Manual Fault Isolation & Restoration The operator makes switching decisions Automatic Fault Location

724 views • 22 slides
GCC Highlighted Products GSure Gel Extraction kit GSure Soil DNA Isolation kit GSure Sputum DNA

GCC Highlighted Products GSure Gel Extraction kit GSure Soil DNA Isolation kit GSure Sputum DNA

GSure Bacterial genomic DNA isolation kit GCC Highlighted Products GSure Gel Extraction kit GSure Soil DNA Isolation kit GSure Sputum DNA Isolation Kit GSure Stool DNA Isolation Kit GSure Urine DNA Isolation Kit GSure Yeast RNA

455 views • 23 slides
Introduction to pixel track isolation The purpose of track isolation algorithm is an additional

Introduction to pixel track isolation The purpose of track isolation algorithm is an additional

Introduction to pixel track isolation The purpose of track isolation algorithm is an additional improvement of level-1 pixel trigger performance. Procedure of pixel track isolation Reconstructed pixel tracks using kinematic parameters

669 views • 27 slides
#KEEPTHECONVERSATIONGOING Sick pay and self isolation Day one right SSP for up to 14 days

#KEEPTHECONVERSATIONGOING Sick pay and self isolation Day one right SSP for up to 14 days

#KEEPTHECONVERSATIONGOING Sick pay and self isolation Day one right SSP for up to 14 days will be reimbursed Self isolation notes from online 111 Self isolation and pay Working from Home Everyone should be working

398 views • 12 slides
Using technology to reduce social isolation: research on dementia and social isolation Professor

Using technology to reduce social isolation: research on dementia and social isolation Professor

Using technology to reduce social isolation: research on dementia and social isolation Professor Josie Tetley Dr Emma-Reetta Koivunen Ageing and Long Term Conditions Group Faculty of Health, Psychology & Social Care Manchester

338 views • 19 slides
456 457 458 The purpose of shallow trench isolation (STI) is to provide isolation between

456 457 458 The purpose of shallow trench isolation (STI) is to provide isolation between

In this module we would review a typical gate first, poly-Si gate CMOS process flow. 456 457 458 The purpose of shallow trench isolation (STI) is to provide isolation between individual devices in a CMSO chip. Typical process details and the

381 views • 8 slides
W E OFTEN THINK : Isolation is when others leave us alone ( and its often true) B UT WE TEND

W E OFTEN THINK : Isolation is when others leave us alone ( and its often true) B UT WE TEND

W HEN F EELINGS OF I SOLATION B ECOME A R OADBLOCK Joe & Cindi Ferrini Joeferrini.com Cindiferrini.com W E OFTEN THINK : Isolation is when others leave us alone ( and its often true) B UT WE TEND TOWARD ISOLATION PULLING AWAY FROM :

723 views • 18 slides
ISOLATION DEFENSES GRAD SEC OCT 03 2017 ISOLATION Running untrusted code in a trusted

ISOLATION DEFENSES GRAD SEC OCT 03 2017 ISOLATION Running untrusted code in a trusted

ISOLATION DEFENSES GRAD SEC OCT 03 2017 ISOLATION Running untrusted code in a trusted environment Possibly with multiple tenants Setting OS: users / processes Browser: webpages / browser extensions Cloud: virtual machines (VMs)

272 views • 25 slides
Landlock LSM: toward unprivileged sandboxing Micka el Sala un ANSSI September 14, 2017 1 /

Landlock LSM: toward unprivileged sandboxing Micka el Sala un ANSSI September 14, 2017 1 /

Landlock LSM: toward unprivileged sandboxing Micka el Sala un ANSSI September 14, 2017 1 / 21 Secure user-space software How to harden an application? secure development follow the least privilege principle compartmentalize

789 views • 61 slides
Practical and Effective Sandboxing for Non-root users Taesoo Kim and Nickolai Zeldovich MIT

Practical and Effective Sandboxing for Non-root users Taesoo Kim and Nickolai Zeldovich MIT

Practical and Effective Sandboxing for Non-root users Taesoo Kim and Nickolai Zeldovich MIT CSAIL Why yet another sandbox for desktop applications? There are many existing sandbox mechanisms Chroot / Lxc (Unix/Linux) Jail (Freebsd)

515 views • 48 slides
Stanford CS193p Developing Applications for iOS Fall 2011 Stanford CS193p Fall 2011 Today

Stanford CS193p Developing Applications for iOS Fall 2011 Stanford CS193p Fall 2011 Today

Stanford CS193p Developing Applications for iOS Fall 2011 Stanford CS193p Fall 2011 Today NSTimer and perform after delay Two delayed-action alternatives. More View Animation Continuation of Kitchen Sink demo Alerts and Action Sheets

581 views • 32 slides
Real Real- -Time Systems Time Systems Designing a real- Designing a real -time system time

Real Real- -Time Systems Time Systems Designing a real- Designing a real -time system time

EDA222/DIT160 Real-Time Systems, Chalmers/GU, 2008/2009 Lecture #10 Updated 2009-02-15 Real Real- -Time Systems Time Systems Designing a real- Designing a real -time system time system Logical function What should be done &

500 views • 8 slides
3/15/2010 Module 3 Lesson Title Approximate Developing Timing Plans for Efficient Intersection

3/15/2010 Module 3 Lesson Title Approximate Developing Timing Plans for Efficient Intersection

3/15/2010 Module 3 Lesson Title Approximate Developing Timing Plans for Efficient Intersection Time (minutes) Operations During Moderate Traffic Volume 1 Determining the effect of minor street 30 Vehicle Extension time on intersection

502 views • 10 slides
Initial presentation Physical Exam Vasc: DP, PT non- palpable bilaterally. DP, PT monophasic

Initial presentation Physical Exam Vasc: DP, PT non- palpable bilaterally. DP, PT monophasic

4/8/19 HPI: 73 yo F with COPD with worsening foot ischemia to the L toes x 3 months. Illnesses: COPD, AAA, PAD Medications: momentasone Allergies: NKDA Hospitalizations: None Operations: Hysterectomy Lives alone Former smoker, 1 PPD x 40

174 views • 16 slides
Language Based isolation of Untrusted JavaScript Ankur Taly Dept. of Computer Science, Stanford

Language Based isolation of Untrusted JavaScript Ankur Taly Dept. of Computer Science, Stanford

Web 2 . 0 and the Isolation Problem Case Study : FBJS Formal Semantics of JavaScript Achieving the Isolation goal Ongoing Language Based isolation of Untrusted JavaScript Ankur Taly Dept. of Computer Science, Stanford University Joint work

650 views • 46 slides
Efficient Dynamic Isolation of Congestion in Lossless DataCenter Networks Luis Gonzalez-Naharro

Efficient Dynamic Isolation of Congestion in Lossless DataCenter Networks Luis Gonzalez-Naharro

Efficient Dynamic Isolation of Congestion in Lossless DataCenter Networks Luis Gonzalez-Naharro * , Jesus Escudero-Sahuquillo * , Pedro J. Garcia * , Francisco J. Quiles * , Jose Duato , Wenhao Sun , Li Shen , Xiang Yu , and Hewen

602 views • 21 slides
CS527 Software Security Basic Principles Mathias Payer Purdue University, Spring 2018 Mathias

CS527 Software Security Basic Principles Mathias Payer Purdue University, Spring 2018 Mathias

CS527 Software Security Basic Principles Mathias Payer Purdue University, Spring 2018 Mathias Payer CS527 Software Security Software Security Allow inteded use of software, prevent unintended use that may cause harm. Mathias Payer CS527

470 views • 25 slides
Accountability and Freedom Butler Lampson Microsoft September 26, 2005 1 Real-World Security

Accountability and Freedom Butler Lampson Microsoft September 26, 2005 1 Real-World Security

Accountability and Freedom Butler Lampson Microsoft September 26, 2005 1 Real-World Security It s about risk, locks, and deterrence . Risk management: cost of security < expected loss Perfect security costs way too much

707 views • 26 slides

More recommend