Sandboxing Mobile Code Execution Environments
Anup K. Ghosh, [email protected]
DARPA Joint Intrusion Detection and Information Assurance Principal Investigator Meeting
August 2-6, 1999
Phoenix, AZ
www.rstcorp.com
The Problem We are Addressing: Untrusted Code
Protecting computing host platforms from untrusted mobile code
  - Java applets
  - ActiveX controls
  - JavaScripts
  - VBscripts/macros
  - multimedia files
Properties of Mobile Code
Comes in a variety of forms
Often runs unannounced and unbeknownst to the user
Runs with the privilege of the user
Distributed in executable form
Runs in multiple threads
Can launch other programs
Mobile Code Trojans: Do you know what you are running?
Demo of hostile Java applet
Ed Felten of Princeton University:
“Given the choice of safer systems or dancing pigs, the average user will always opt for dancing pigs.”
Technical Objectives
Prevent untrusted mobile code from:
  - writing to file system
  - reading from file system
  - executing programs
  - network access except those on permitted ports
  - reading/writing to/from system devices
Detect/prevent previously unseen mobile code attacks
Mobile Code Security
[Diagram: originating site and host site, with elements labeled source code, compiler, code, exec, kernel, boundary controller, code xform, interpreter]
Protection Means: type safety, annotation, PCC, static checks
Protection Means: firewall/scanning, wrapping/SFI, VM/RTS extens, dynamic checks, DTE/sandboxing
Observations on Protection Mechanisms
Language-based
  - Limited to a particular language
  - One policy does not fit all
  - Still need dynamic checks
Code Wrapping
  - address containment only
  - bypassable
  - difficult to wrap all code
Firewalls/Scanners
  - binary policies
  - novel code defeats scanners
Interpreter
  - Particular to code
  - Different models for different code
Kernel protection
  - requires OS extensions
  - policy specification
Sandboxing Approaches and Pitfalls
Wrap API calls for mobile code threads
  - code can make direct calls to kernel
  - code can alter memory of other threads
Wrap kernel calls for large applications
  - policies for browsers are necessarily lax and problematic for preventing malicious behavior from mobile code.
Technical Approach
Specify security-policy in code/platform-independent language
Separate policy specification from policy enforcement
Compile policies to specific platform
Address policy problems for mobile code host platforms
Implement kernel extensions for WinNT/Solaris
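The separation of policy specification from policy enforcement listed above, sketched as an added example that is not from the presentation or the RST project. The rule syntax, operation names and port numbers are assumptions chosen to encode the restrictions under Technical Objectives; a real enforcement point would call `decide` from the platform's kernel hook.

```python
# Added illustration: rule syntax, operation names and ports are constructed.
from dataclasses import dataclass

POLICY_TEXT = """
# constructed sample policy for untrusted mobile code
allow net.connect port=80,443
deny  net.connect *
deny  file.read   *
deny  file.write  *
deny  exec        *
deny  device.io   *
"""

@dataclass(frozen=True)
class Rule:
    action: str        # "allow" or "deny"
    operation: str     # e.g. "file.write"
    ports: frozenset   # empty set means the rule matches any argument

def compile_policy(text):
    """Specification step: turn policy text into platform-neutral rules."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3 or parts[0] not in ("allow", "deny"):
            raise ValueError(f"line {lineno}: malformed rule {raw!r}")
        action, operation, arg = parts
        if arg == "*":
            ports = frozenset()
        elif arg.startswith("port="):
            ports = frozenset(int(p) for p in arg[5:].split(","))
        else:
            raise ValueError(f"line {lineno}: unknown argument {arg!r}")
        rules.append(Rule(action, operation, ports))
    return rules

def decide(rules, operation, port=None):
    """Enforcement step: first matching rule wins; no match means deny."""
    for rule in rules:
        if rule.operation == operation and (not rule.ports or port in rule.ports):
            return rule.action
    return "deny"

RULES = compile_policy(POLICY_TEXT)
```

Because unmatched operations fall through to deny, a resource class the policy author forgot (the registry, for example) is blocked rather than silently permitted.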
Applying Approach to the Windows NT Platform
Wrap access to system resources in kernel (ring 0) --- API wrapping is bypassable
  - file system, registry, network, devices
Use kernel extensions to WinNT known as filter drivers (VxD programming) to hook all access to system resources
WinNT Architecture
Sandboxing Win32 Processes
Sandboxing on Solaris
Developing Policies for Mobile Code Hosts
Most mobile code hosts are large multi-use applications:
  - Web browsers, mailers, desktop automation (word processors, spreadsheets, etc.)
These applications necessarily need to read and write to file system, add new modules, read and write to network resources.
Problem: how to develop a useful policy in light of these multi-use requirements
Potential Solutions
Wrap mobile code threads
  - Problem: mobile code can corrupt mobile code host memory
Wrap entire application with restrictive policy
  - Problem: makes desktop applications useless
Note when application executes mobile code and implement strict policy then
Technical Hurdles
Developing expressive, robust, code/platform-independent, and simple policy specification language
Performance penalties with kernel wrapping approach
Determining when mobile code is executing
Addressing DoS/resource consumption attacks
Quantitative Metrics
Benchmark process performance with and without kernel wrapping
Evaluate sandbox approach against malicious mobile code:
  - hostile Java applets
  - hostile ActiveX controls
  - JavaScripts that use controls
Compare against other sandboxing approaches
Expected Achievements
Develop and release kernel wrapping libraries for Windows NT
Develop and release sandbox for mobile code platforms
Evaluate approach against malicious mobile code
Overcome hurdles in state-of-the-art sandboxing
Task Schedule
Year 1
  - Develop policy specification language
  - Build kernel level filter drivers for NT
  - Develop sandbox monitor & implement policies
  - Benchmark Windows NT prototype against attacks
  - Benchmark performance penalty of kernel-level wrapping
Task Schedule (cont’d)
Year 2
  - Develop functions for processing Solaris callbacks using the /proc interface
  - Develop sandbox shell
  - Create an audit monitor for logging system calls
  - Adapt sandbox monitor for Solaris
  - Benchmark prototype
Technology Transfer
Release kernel-level wrapping libraries to the public domain
Support full observability and controllability of Win32 processes
Support intrusion detection initiatives on Win32 platform
Release sandboxing technology
Questions?
Contact info:
[email protected]
www.rstcorp.com
www.rstcorp.com/papers/
www.rstcorp.com/~anup/
www.rstcorp.com/books/ecs/