1 / 22

Sandboxing Mobile Code Execution Environments

Sandboxing Mobile Code Execution Environments. www.rstcorp.com. Anup K. Ghosh, Ph.D. anup.ghosh@computer.org. DARPA Joint Intrusion Detection and Information Assurance Principal Investigator Meeting August 2-6, 1999 Phoenix, AZ. The Problem We are Addressing: Untrusted Code.

carrington
Télécharger la présentation

Sandboxing Mobile Code Execution Environments

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Sandboxing Mobile Code Execution Environments www.rstcorp.com Anup K. Ghosh, Ph.D. anup.ghosh@computer.org DARPA Joint Intrusion Detection and Information Assurance Principal Investigator Meeting August 2-6, 1999 Phoenix, AZ

  2. The Problem We are Addressing: Untrusted Code • Protecting computing host platforms from untrusted mobile code • Java applets • ActiveX controls • JavaScripts • VBscripts/macros • multimedia files

  3. Properties of Mobile Code • Comes in a variety of forms • Often runs unannounced and unbeknownst to the user • Runs with the privilege of the user • Distributed in executable form • Run in multiple threads • Can launch other programs

  4. Mobile Code Trojans: Do you know what you are running? • Demo of hostile Java applet • Ed Felten of Princeton University: “Given the choice of safer systems or dancing pigs, the average user will always opt for dancing pigs.”

  5. Technical Objectives • Prevent untrusted mobile code from: • writing to file system • reading from file system • executing programs • network access except those on permitted ports • reading/writing to/from system devices • Detect/prevent previously unseen mobile code attacks

  6. source code exec compiler code boundary controller Mobile Code Security Protection Means - type safety - annotation - PCC - static checks Originating site Host site Protection Means - firewall/scanning - wrapping/SFI - VM/RTS extens - dynamic checks - DTE/sandboxing code xform interpreter kernel

  7. Language-based Limited to a particular language One policy does not fit all Still need dynamic checks Code Wrapping address containment only bypassable difficult to wrap all code Firewalls/Scanners binary policies novel code defeats scanners Interpreter Particular to code Different models for different code Kernel protection requires OS extensions policy specification Observations on Protection Mechanisms

  8. Sandboxing Approaches and Pitfalls • Wrap API calls for mobile code threads • code can make direct calls to kernel • code can alter memory of other threads • Wrap kernel calls for large applications • policies for browsers are necessarily lax and problematic for preventing malicious behavior from mobile code.

  9. Technical Approach • Specify security-policy in code/platform- independent language • Separate policy specification from policy enforcement • Compile policies to specific platform • Address policy problems for mobile code host platforms • Implement kernel extensions for WinNT/Solaris

  10. Applying Approach to the Windows NT Platform • Wrap access to system resources in kernel (ring 0) --- API wrapping is bypassable • file system, registry, network, devices • Use kernel extensions to WinNT known as filter drivers (VxD programming) to hook all access to system resources

  11. WinNT Architecture

  12. Sandboxing Win32 Processes

  13. Sandboxing on Solaris

  14. Developing Policies for Mobile Code Hosts • Most mobile code hosts are large multi-use applications: • Web browsers, mailers, desktop automation (word processors, spreadsheets, etc.) • These applications necessarily need to read and write to file system, add new modules, read and write to network resources. • Problem: how to develop a useful policy in light of these multi-use requirements

  15. Potential Solutions • Wrap mobile code threads • Problem: mobile code can corrupt mobile code host memory • Wrap entire application with restrictive policy • Problem: makes desktop applications useless • Note when application executes mobile code and implement strict policy then

  16. Technical Hurdles • Developing expressive, robust, code/platform-independent, and simple policy specification language • Performance penalties with kernel wrapping approach • Determining when mobile code is executing • Addressing DoS/resource consumption attacks

  17. Quantitative Metrics • Benchmark process performance with and without kernel wrapping • Evaluate sandbox approach against malicious mobile code: • hostile Java applets • hostile ActiveX controls • JavaScripts that use controls • Compare against other sandboxing approaches

  18. Expected Achievements • Develop and release kernel wrapping libraries for Windows NT • Develop and release sandbox for mobile code platforms • Evaluate approach against malicious mobile code • Overcome hurdles in state-of-the-art sandboxing

  19. Task Schedule • Year 1 • Develop policy specification language • Build kernel level filter drivers for NT • Develop sandbox monitor & implement policies • Benchmark Windows NT prototype against attacks • Benchmark performance penalty of kernel-level wrapping

  20. Task Schedule (cont’d) • Year 2 • Develop functions for processing Solaris callbacks using the /proc interface • Develop sandbox shell • Create an audit monitor for logging system calls • Adapt sandbox monitor for Solaris • Benchmark prototype

  21. Technology Transfer • Release kernel-level wrapping libraries to the public domain • Support full observability and controllability of Win32 processes • Support intrusion detection initiatives on Win32 platform • Release sandboxing technology

  22. Questions? • Contact info: • anup.ghosh@computer.org • www.rstcorp.com • www.rstcorp.com/papers/ • www.rstcorp.com/~anup/ • www.rstcorp.com/books/ecs/

More Related