Application Sandboxing

Réussis tes devoirs et examens dès maintenant avec Quizwiz!

naive methods

- bypass the java sandbox - libraries that you can write in compiled languages such as c that interact with the OS directly

regular expression pattern matching

- enforces the defined policies (eg. filename pattern)

challenge with Janus (file)

- if a file fails to open it should not be opened - tricky when file descriptors are duplicated because not sure whether it is valid or not - sending file descriptors over sockets - TOCTTOU (time of check to time of use) attack

inner sandbox

- isolate memory regions among apps so that even if multiple apps run in the same process space their memory is still isolated -Uses static analysis to detect security defects in code -disallow self-modifying code

Seccomp-BPF

- sandboxing framework available on linux - allows the user to attach a system call filter to a process and all of the descendants of that process

downside of seccomp

- the use of BPF -policies are compiled into bpf instructions before they are loaded into the kernel - these rules are reference by numbers so you have to check them to make sure they align - once past that you have to apply principle of least privilege properly

Janus (user level validation) steps

- this module initializes itself by setting up hooks to redirect system call requests to itself - whenever a sandboxed app makes a system call the call is redirected by the hook in the kernel to the janus kernel module - the module blocks the thread and signals the user level janus process that a system call has been requested - uses policy decision and policy engine

how seccomp bpf works

-seccomp sends packets that represent system calls to bpf interpreter. -the filter allows user to define rules that are applied to these system calls - these rules enable the inspection of each system call and its arguments and take subsequent action ( like is the call allowed to run or not )

4 types of application sandboxes

1. user level validation 2. os support 3. browser based application sandboxing 4. the java sandbox

BPD (Berkley packet filter)

a framework that was initially created for network socket filtering. - with socket filtering a user can create a filter to allow or disallow certain types of data to come through a socket

hook

a mechanism that redirects and API request somewhere else and allows it to return back for normal processing

rule based policies

define precisely what system calls and application can invoke - down to the parameters of the system calls of interest - solves the issue of users ability to run apps but restricts what those apps do on a per app basis

policies

define which system calls are permissible to the application in what way they can be used

policy file

defines the allowable files and network operations for each sandbox application

protection domain

defines what actions are safe and which are not

NaCl (chromiumum native client) browser plug in

designed to allow safe execution of untrusted native code within a browser - is a user level sandbox and works by restricting the type of code it can sandbox - code is also linked with special nacl libraries that provide access to system services

class loader

determines if an object is allowed to add classes • Ensures key parts of the runtime environment are not overwritten • Runtime data areas (stacks, bytecodes, heap) are randomly laid out

security manager

enforces protection domain • Defines the boundaries of the sandbox (file, net, native, etc. access) • Consulted before any access to a resource is allowed - called at the time an application makes a call to a specific method so it can provide run time verification - can result in a security exception being thrown

challenge with plug in architecture

how to keep the software in a plug in from doing bad things

how hooking works in terms of a sandbox

it will intercept a system call, inspect its parameters, and decide whether to allow the system call to take place or return an error

hooking (system call interposition)

process of intercepting an app's system calls and performing addition operations - if we don't have the ability to recompile and app or force it to use other libraries we rely on this to construct a sandbox

sandbox

provide a controlled and restricted environment for code execution - program can run with minimal risk of causing widespread damage to the system - can be used to observe how software behaves / identify presence of malware

policy engine

receives system call notifications and decides whether to allow or disallow the system call - if so it is directed back to the operating system

biggest challenge with Janus (system calls)

the user level monitor must mirror the state of the operating system - it needs to keep track of the network operations but also the right order (fork, fork) - janus does not have the knowledge if a system call should pass or not so if its in the wrong order it wont know - if this happens then may enable attack vectors like sending data on an unconnected block

outer sandbox

uses system call interposition to restrict the capabilities of apps at the system call level - done at user level via libraries and not hooking

bytecode verifier

verifies java bytecode before it is executed • Disallow pointer arithmetic • Automatic garbage collection • Array bounds checking • Null reference checking

how applications interact

via system calls to the operating system

plug-in architecture

where modules could be loaded into the browser to extend its capabilities (ex: adobe flash, java)


Ensembles d'études connexes

Anatomy and Physiology Chapter 5

View Set

HUN 2201 BASIC PRINCIPLES OF HUMAN NUTRITION

View Set

Florida Statutes, Rules, and Regulations

View Set