secmodel sandbox
play

secmodel_sandbox An application sandbox for NetBSD Stephen Herwig - PowerPoint PPT Presentation

Dec 09, 2023 •508 likes •1.09k views

secmodel_sandbox An application sandbox for NetBSD Stephen Herwig sandboxing Sandboxing: limiting the privileges of a process Two motivations - Running untrusted code in a restricted environment - Dropping privileges in trusted code so as to

  1. secmodel_sandbox An application sandbox for NetBSD Stephen Herwig

  2. sandboxing Sandboxing: limiting the privileges of a process Two motivations - Running untrusted code in a restricted environment - Dropping privileges in trusted code so as to reduce the attack surface in the event of an unforeseen vulnerability

  3. many os-level implementations - systrace - SELinux - AppArmor - seccomp(-bpf) - Apple’s Sandbox (formerly Seatbelt) - Capsicum - OpenBSD’s pledge syscall Rich design space: - which use cases are supported? - footprint (system-wide or process-wide) - are policies embedded in program or external? - when are policies loaded? - expressiveness of policies? - portability

  4. secmodel_sandbox high-level design - Implemented as a kernel module - Sandbox policies are Lua scripts - A process sets the policy script via an ioctl - The kernel evaluates the script using NetBSD’s experimental in-kernel Lua interpreter - The output of the evaluation are rules that are attached to the process’s credential and checked during privileged authorization requests

  5. secmodel_sandbox properties - Sandboxes are inherited during fork and preserved over exec - Processes may apply multiple policies: the sandbox is the union of all policies - Policies can only further restrict privileges - Rules may be boolean or Lua functions (functional rules) - Functional rules may be stateful and may dynamically create new rules or modify existing rules

  6. secmodel_sandbox properties - Sandboxes are inherited during fork and preserved over exec - Processes may apply multiple policies: the sandbox is the union of all policies - Policies can only further restrict privileges - Rules may be boolean or Lua functions (functional rules) - Functional rules may be stateful and may dynamically create new rules or modify existing rules

  7. sandbox policies: blacklist Policy Program sandbox.default(‘allow’); main() { -- no forking /* initialize */ sandbox.deny(‘system.fork’) . . . -- no networking sandbox(POLICY); sandbox.deny(‘network’) /* process loop */ -- no writing to files . . . sandbox.deny(‘vnode.write_data’) sandbox.deny(‘vnode.append_data’) return (0); } -- no changing file metadata sandbox.deny(‘vnode.write_times’) sandbox.deny(‘vnode.change_ownership’) sandbox.deny(‘vnode.write_security’)

  8. sandbox policies: functional rules sandbox.default(‘deny’) -- allow reading files sandbox.allow(‘vnode.read_data’) -- only allow writes in /tmp sandbox.on(‘vnode.write_data’, function(req, cred, f) if string.find(f.name, ‘/tmp/’) == 1 then return true else return false end end) -- only allow unix domain sockets sandbox.on(‘network.socket.open’, function(req, cred, domain, typ, proto) if domain == sandbox.AF_UNIX then return true else return false end end)

  9. sandbox-exec int main(int argc, char *argv[]) { sandbox_from_file(argv[0]); execv(argv[1], &argv[1]); return (0); } $ sandbox-exec no-network.lua /usr/pkg/bin/bash $ wget http://www.cs.umd.edu/ wget: unable to resolve host address ‘www.cs.umd.edu'

  10. kauth - kernel subsystem that handles all authorization requests within the kernel - clean room implementation of subsystem in macOS - separates security policy from mechanism

  11. kauth requests request := (scope, action [, subaction]) process machdep system vnode device network Scope tty_open rlimit cacheflush socket fork mount read_data Action bind Subaction set get open rawsock port privport update unmount

  12. kauth requests request := (scope, action [, subaction]) Example: creating a socket => (network, socket, open) process machdep system vnode network device Scope socket tty_open rlimit cacheflush fork mount read_data Action bind Subaction set get open rawsock port privport update unmount

  13. kauth request to syscall mapping Some kauth requests map directly to a syscall: system.mknod => mknod Some kauth requests map to multiple syscalls: process.setsid => {setgroups setlogin setuid setuid setreuid setgid setegid setregid} Some syscalls trigger one of several kauth requests, depending on the syscall arguments: mount(MNT_GETARGS) => system.mount.get mount(MNT_UPDATE) => system.mount.update Many syscalls do not trigger a kauth request at all: accept close dup execve flock getdents getlogin getpeername getpid getrlimit getsockname . . .

  14. kauth request flow kauth uses an observer pattern. syscall(arg1, …, argn) user space kernel space kauth listener #1 syscall handler kauth_listen_scope(KAUTH_SCOPE_NETWORK, cb); kauth_authorize_action(cred, req, ctx); kauth int cb(cred, op, ctx) { . . . foreach (listener in scope) { return (KAUTH_RESULT_ALLOW); error = listener->cb(cred, op, ctx); } if (error == KAUTH_RESULT_ALLOW) allow = 1; else if (error == KAUTH_RESULT_DENY) fail = 1; kauth listener #2 } if (fail) return (EPERM); if (allow) return (0); kauth_listen_scope(KAUTH_SCOPE_NETWORK, cb); return (EPERM); int cb(cred, op, ctx) { . . . list of network scope listeners return (KAUTH_RESULT_ALLOW); [ lists for other scope listeners ] }

  15. kauth request flow Subsystems interested in kauth requests register with kauth via kauth_listen_scope() . syscall(arg1, …, argn) user space kernel space kauth listener #1 syscall handler kauth_listen_scope(KAUTH_SCOPE_NETWORK, cb); kauth_authorize_action(cred, req, ctx); kauth int cb(cred, op, ctx) { . . . foreach (listener in scope) { return (KAUTH_RESULT_ALLOW); error = listener->cb(cred, op, ctx); } if (error == KAUTH_RESULT_ALLOW) allow = 1; else if (error == KAUTH_RESULT_DENY) fail = 1; kauth listener #2 } if (fail) return (EPERM); if (allow) return (0); kauth_listen_scope(KAUTH_SCOPE_NETWORK, cb); return (EPERM); int cb(cred, op, ctx) { . . . list of network scope listeners return (KAUTH_RESULT_ALLOW); [ lists for other scope listeners ] }

  16. kauth request flow Most syscalls issue an authorization request in their corresponding handler via kauth_authorize_action() . syscall(arg1, …, argn) user space kernel space kauth listener #1 syscall handler kauth_listen_scope(KAUTH_SCOPE_NETWORK, cb); kauth_authorize_action(cred, req, ctx); kauth int cb(cred, op, ctx) { . . . foreach (listener in scope) { return (KAUTH_RESULT_ALLOW); error = listener->cb(cred, op, ctx); } if (error == KAUTH_RESULT_ALLOW) allow = 1; else if (error == KAUTH_RESULT_DENY) fail = 1; kauth listener #2 } if (fail) return (EPERM); if (allow) return (0); kauth_listen_scope(KAUTH_SCOPE_NETWORK, cb); return (EPERM); int cb(cred, op, ctx) { . . . list of network scope listeners return (KAUTH_RESULT_ALLOW); [ lists for other scope listeners ] }

  17. kauth request flow kauth_authorize_action() iterates through each listener for the given scope, calling that listener’s callback. syscall(arg1, …, argn) user space kernel space kauth listener #1 syscall handler kauth_listen_scope(KAUTH_SCOPE_NETWORK, cb); kauth_authorize_action(cred, req, ctx); kauth int cb(cred, op, ctx) { . . . foreach (listener in scope) { return (KAUTH_RESULT_ALLOW); error = listener->cb(cred, op, ctx); } if (error == KAUTH_RESULT_ALLOW) allow = 1; else if (error == KAUTH_RESULT_DENY) fail = 1; kauth listener #2 } if (fail) return (EPERM); if (allow) return (0); kauth_listen_scope(KAUTH_SCOPE_NETWORK, cb); return (EPERM); int cb(cred, op, ctx) { . . . list of network scope listeners return (KAUTH_RESULT_ALLOW); [ lists for other scope listeners ] }

  18. kauth request flow Generally, if any listener returns DENY, the request is denied; if any returns ALLOW and none returns DENY, the request is allowed; otherwise, the request is denied. syscall(arg1, …, argn) user space kernel space kauth listener #1 syscall handler kauth_listen_scope(KAUTH_SCOPE_NETWORK, cb); kauth_authorize_action(cred, req, ctx); kauth int cb(cred, op, ctx) { . . . foreach (listener in scope) { return (KAUTH_RESULT_ALLOW); error = listener->cb(cred, op, ctx); } if (error == KAUTH_RESULT_ALLOW) allow = 1; else if (error == KAUTH_RESULT_DENY) fail = 1; kauth listener #2 } if (fail) return (EPERM); if (allow) return (0); kauth_listen_scope(KAUTH_SCOPE_NETWORK, cb); return (EPERM); int cb(cred, op, ctx) { . . . list of network scope listeners return (KAUTH_RESULT_ALLOW); [ lists for other scope listeners ] }

  19. secmodel A security model (secmodel) is a small framework for managing a set of related kauth listeners. Fundamentally, it presents a template pattern: static kauth_listener_t l_system, l_network, . . .; void secmodel_foo_start(void) { l_system = kauth_listen_scope(KAUTH_SCOPE_SYSTEM, secmodel_foo_system_cb, NULL); l_network = kauth_listen_scope(KAUTH_SCOPE_NETWORK, secmodel_foo_network_cb, NULL); . . . } void secmodel_foo_stop(void) { kauth_unlisten_scope(l_system); kauth_unlisten_scope(l_network); . . . }

  20. secmodel_sandbox design The sandbox module registers listeners for all kauth scopes. application libsandbox sandbox(script) /dev/sandbox user space kernel space proc secmodel_sandbox module cred kauth_listen_scope(KAUTH_SCOPE_NETWORK) uid kauth_listen_scope(KAUTH_SCOPE_SYSTEM) groups . . . specificdata

  21. secmodel_sandbox design Applications link to libsandbox. Calls to sandbox() issue an ioctl to /dev/sandbox , specifying the policy script. application ioctl(script) libsandbox sandbox(script) /dev/sandbox user space kernel space proc secmodel_sandbox module cred uid groups specificdata

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Welcome! What Is an AR Sandbox? (and how to build one) An Augmented Reality Sandbox Is: a

Welcome! What Is an AR Sandbox? (and how to build one) An Augmented Reality Sandbox Is: a

Welcome! What Is an AR Sandbox? (and how to build one) An Augmented Reality Sandbox Is: a box filled with white sand a projector mounted over the sand a Kinect depth-sensing camera mounted over the sand a computer that runs

491 views • 11 slides
SELinux Sandbox Daniel Walsh Red Hat What is Sandbox Run applications in a confined

SELinux Sandbox Daniel Walsh Red Hat What is Sandbox Run applications in a confined

SELinux Sandbox Daniel Walsh Red Hat What is Sandbox Run applications in a confined environment. Allow filtering tools to read untrusted content. Vulnerability in a filtering tools can allow content to cause the application to do bad

501 views • 13 slides
Haow do I sandbox?!?! Cuckoo Sandbox Internals Jurriaan Bremer @skier t Student (University of

Haow do I sandbox?!?! Cuckoo Sandbox Internals Jurriaan Bremer @skier t Student (University of

Haow do I sandbox?!?! Cuckoo Sandbox Internals Jurriaan Bremer @skier t Student (University of Amsterdam), Freelance Security Researcher June 22, 2013 June 22, 2013 Jurriaan Bremer @skier t Haow do I sandbox?!?! Cuckoo Sandbox Internals 1 /

1.15k views • 79 slides
Inn nnovative R Reg egulations i in n Insuran ance Regulatory S y Sandbox 19 th

Inn nnovative R Reg egulations i in n Insuran ance Regulatory S y Sandbox 19 th

Inn nnovative R Reg egulations i in n Insuran ance Regulatory S y Sandbox 19 th December, 2019 Institute of Actuaries Agenda Regulatory Sandbox Regulations Salient Features Operational Guidelines Salient Features

578 views • 15 slides
iOS App Extensions Photo Extensions: Shared Settings Separate Sandboxes Extension App Sandbox

iOS App Extensions Photo Extensions: Shared Settings Separate Sandboxes Extension App Sandbox

iOS App Extensions Photo Extensions: Shared Settings Separate Sandboxes Extension App Sandbox Sandbox Shared Container App Group Extension App Sandbox Sandbox Shared Container Shared NSUserDefaults

509 views • 7 slides
iForensics Digital Inc. App Sandbox CEO Po Huang po@iforensics.com.tw h t t p : / / w w w . i f

iForensics Digital Inc. App Sandbox CEO Po Huang po@iforensics.com.tw h t t p : / / w w w . i f

iForensics Digital Inc. App Sandbox CEO Po Huang po@iforensics.com.tw h t t p : / / w w w . i f o r e n s i c s . c o m . t w / i n d e x E N . h t m l Agenda Company Profile APP Sandbox DG-Secure COMPANY PORTFOLIO Company

247 views • 20 slides
Full-System Architectural Exploration Sandbox Eriko Nurvitadhi and James C. Hoe Computer

Full-System Architectural Exploration Sandbox Eriko Nurvitadhi and James C. Hoe Computer

Full-System Architectural Exploration Sandbox Eriko Nurvitadhi and James C. Hoe Computer Architecture Lab (CALCM) Carnegie Mellon University Nurvitadhi & Hoe, CMU/ECE WARFP 2005, February 2005, Slide 1 Sandbox Desiderata A PC where I

157 views • 4 slides
SANDBOXING How does a sandbox look like? Software or hardware appliances that receive suspicious

SANDBOXING How does a sandbox look like? Software or hardware appliances that receive suspicious

H ERE Claudio nex Guarnieri @botherder Security Researcher at Rapid7 Labs Core member of The Shadowserver Foundation Core member of The Honeynet Project Creator of Cuckoo Sandbox Founder of Malwr.com H ERE Mark

1.02k views • 89 slides
FTA MOD Sandbox Grant Multimodal Trip Planner TriMet Board of Directors Briefing, 2/27/2019

FTA MOD Sandbox Grant Multimodal Trip Planner TriMet Board of Directors Briefing, 2/27/2019

FTA MOD Sandbox Grant Multimodal Trip Planner TriMet Board of Directors Briefing, 2/27/2019 Bibiana McHugh, Manager, Mobility & Location-Based Services 1 FTA Mobility on Demand (MOD) Sandbox Grant Jan 2017 - Jan 2019 TriMet was one of

391 views • 12 slides
The Sandbox Roulette: are you ready to gamble? Rafal Wojtczuk rafal@bromium.com Rahul Kashyap

The Sandbox Roulette: are you ready to gamble? Rafal Wojtczuk rafal@bromium.com Rahul Kashyap

The Sandbox Roulette: are you ready to gamble? Rafal Wojtczuk rafal@bromium.com Rahul Kashyap rahul@bromium.com What is a sandbox? Environment designed to run untrusted (or exploitable) code, in a manner that prevents the encapsulated code

417 views • 40 slides
Malicious Bytecode Peter Cawley <lua@corsix.org> Lua Workshop 2011 A Common Pattern 1.

Malicious Bytecode Peter Cawley <lua@corsix.org> Lua Workshop 2011 A Common Pattern 1.

Mitigating the Danger of Malicious Bytecode Peter Cawley <lua@corsix.org> Lua Workshop 2011 A Common Pattern 1. Create sandbox 2. Load user-supplied Lua (byte|source) code 3. Run code in sandbox A Common Pattern 1. Create sandbox 2.

369 views • 35 slides
Together in the Sandbox: Board and Staff Relationships Welcome! The webinar will begin at 10:00

Together in the Sandbox: Board and Staff Relationships Welcome! The webinar will begin at 10:00

Together in the Sandbox: Board and Staff Relationships Welcome! The webinar will begin at 10:00 a.m. CT. While you wait: 1. Download PDFs of the slides and handout under the Handouts tab of your control bar. 2. Confirm that your

540 views • 36 slides
Evading&Android&Run?me&Analysis& via&& Sandbox&Detec?on&

Evading&Android&Run?me&Analysis& via&& Sandbox&Detec?on&

Evading&Android&Run?me&Analysis& via&& Sandbox&Detec?on& &&&&&&&&&&&&&&&&Timothy&Vidas,&Nicolas&Chris?n&

526 views • 28 slides
BREEDING SANDWORMS: HOW TO FUZZ YOUR WAY OUT OF ADOBE READER X'S SANDBOX Who we are Research

BREEDING SANDWORMS: HOW TO FUZZ YOUR WAY OUT OF ADOBE READER X'S SANDBOX Who we are Research

BREEDING SANDWORMS: HOW TO FUZZ YOUR WAY OUT OF ADOBE READER X'S SANDBOX Who we are Research and Analysis: Zhenhua(Eric) Liu Vulnerability Researcher zhliu@fortinet.com Contributor and Editor: Guillaume Lovet Sr Manager of Fortinet's

646 views • 52 slides
Sandboxes VM Most sandboxes provide an isolation-based approach where the effect of

Sandboxes VM Most sandboxes provide an isolation-based approach where the effect of

Sandboxes VM Most sandboxes provide an isolation-based approach where the effect of programs run inside a sandbox is entirely isolated from resources outside the sandbox's authority. However, due to practical requirements, sandboxing

1.9k views • 164 slides
Practical and Effective Sandboxing for Non-root users Taesoo Kim and Nickolai Zeldovich MIT

Practical and Effective Sandboxing for Non-root users Taesoo Kim and Nickolai Zeldovich MIT

Practical and Effective Sandboxing for Non-root users Taesoo Kim and Nickolai Zeldovich MIT CSAIL Why yet another sandbox for desktop applications? There are many existing sandbox mechanisms Chroot / Lxc (Unix/Linux) Jail (Freebsd)

515 views • 48 slides
Faster Safer Compliant Management of your NetSuite Account Home Introduction 1. Management

Faster Safer Compliant Management of your NetSuite Account Home Introduction 1. Management

Faster Safer Compliant Management of your NetSuite Account Home Introduction 1. Management Policies and Procedures 2. Documentation ERD and Customization Record 3. Change Management 4. Impact Analysis 5. Change Tracking 6.

546 views • 41 slides
Scripting A script is a program written in an interpreted language. Used to automate repetetive

Scripting A script is a program written in an interpreted language. Used to automate repetetive

Scripting A script is a program written in an interpreted language. Used to automate repetetive tasks. A file containing a series of commands. How to Start with a plaintext file (vi, emacs, etc) the first line should be: #!/bin/bash this

154 views • 3 slides
Cross-Site Scripting Attack (XSS) Outline The Cross-Site Scripting attack Reflected

Cross-Site Scripting Attack (XSS) Outline The Cross-Site Scripting attack Reflected

Cross-Site Scripting Attack (XSS) Outline The Cross-Site Scripting attack Reflected XSS Persistent XSS Damage done by XSS attacks XSS attacks to befriend with others XSS attacks to change other peoples

3.65k views • 37 slides
Computer Systems and Architecture UNIX Scripting Ruben Van den Bossche Original slides by Bart

Computer Systems and Architecture UNIX Scripting Ruben Van den Bossche Original slides by Bart

Computer Systems and Architecture UNIX Scripting Ruben Van den Bossche Original slides by Bart Sas University of Antwerp 1 / 33 Outline Basics Conditionals Loops Advanced Exercises 2 / 33 Outline Basics Conditionals Loops Advanced

484 views • 33 slides
To show some of the basic components of shell scripting, we are going to take a common task,

To show some of the basic components of shell scripting, we are going to take a common task,

To show some of the basic components of shell scripting, we are going to take a common task, creating a new user, and design a script to help automate this process. Original Script Display commands to manually creating an account #!/bin/bash #

255 views • 13 slides
!"##"$%&'(&)*'+,-&#.*",-/,0 ' @;#/?*. ' A' !"#$%&

!"##"$%&'(&)*'+,-&#.*",-/,0 ' @;#/?*. ' A' !"#$%&

!"##"$%&'(&)*'+,-&#.*",-/,0 ' @;#/?*. ' A' !"#$%& '/.'"'.*&#&4*=?/;"5'.&BC&,;&'4D'&%&,*.'"..4;/"*&-'

583 views • 9 slides
Cross-Site Scripting XSS Many sites allow users to upload information Blogs, photo

Cross-Site Scripting XSS Many sites allow users to upload information Blogs, photo

Cross-Site Scripting XSS Many sites allow users to upload information Blogs, photo sharing, Facebook, etc. Which gets permanently stored And displayed Attack based on uploading a script Other users inadvertently download

428 views • 14 slides
CORS & WEBSOCKETS Dealin g wit h Sam e -Origi n Polic y application lives on llama.com

CORS & WEBSOCKETS Dealin g wit h Sam e -Origi n Polic y application lives on llama.com

CS 498RK SPRING 2020 CORS & WEBSOCKETS Dealin g wit h Sam e -Origi n Polic y application lives on llama.com and you want to pull data from www.alpaca.com var xhr = new XMLHttpRequest(); xhr.open('GET',

773 views • 41 slides

More recommend