Sandboxing Mobile Code Execution Environments
Transcript of a PowerPoint presentation.

Page 1: Sandboxing Mobile Code Execution Environments
Anup K. Ghosh, Ph.D., [email protected]
DARPA Joint Intrusion Detection and Information Assurance Principal Investigator Meeting, August 2-6, 1999, Phoenix, AZ
www.rstcorp.com
Page 2: The Problem We are Addressing: Untrusted Code
Protecting computing host platforms from untrusted mobile code:
- Java applets
- ActiveX controls
- JavaScripts
- VBscripts/macros
- multimedia files
Page 3: Properties of Mobile Code
- Comes in a variety of forms
- Often runs unannounced and unbeknownst to the user
- Runs with the privilege of the user
- Distributed in executable form
- Runs in multiple threads
- Can launch other programs
Page 4: Mobile Code Trojans: Do you know what you are running?
- Demo of hostile Java applet
- Ed Felten of Princeton University: “Given the choice of safer systems or dancing pigs, the average user will always opt for dancing pigs.”
Page 5: Technical Objectives
Prevent untrusted mobile code from:
- writing to the file system
- reading from the file system
- executing programs
- network access, except on permitted ports
- reading from / writing to system devices
Detect/prevent previously unseen mobile code attacks
Page 6: Mobile Code Security (diagram)
- Originating site: source code -> compiler -> code. Protection means: type safety, annotation, PCC, static checks
- Host site: code -> exec, mediated by a boundary controller, code transformation, an interpreter and the kernel. Protection means: firewall/scanning, wrapping/SFI, VM/RTS extensions, dynamic checks, DTE/sandboxing
Page 7: Observations on Protection Mechanisms
- Language-based: limited to a particular language; one policy does not fit all; still need dynamic checks
- Code wrapping: address containment only; bypassable; difficult to wrap all code
- Firewalls/scanners: binary policies; novel code defeats scanners
- Interpreter: particular to code; different models for different code
- Kernel protection: requires OS extensions; policy specification
Page 8: Sandboxing Approaches and Pitfalls
- Wrap API calls for mobile code threads: code can make direct calls to the kernel; code can alter the memory of other threads
- Wrap kernel calls for large applications: policies for browsers are necessarily lax and problematic for preventing malicious behavior from mobile code
Page 9: Technical Approach
- Specify security policy in a code/platform-independent language
- Separate policy specification from policy enforcement
- Compile policies to a specific platform
- Address policy problems for mobile code host platforms
- Implement kernel extensions for WinNT/Solaris
Page 10: Applying Approach to the Windows NT Platform
- Wrap access to system resources in the kernel (ring 0): file system, registry, network, devices. API wrapping is bypassable.
- Use kernel extensions to WinNT known as filter drivers (VxD programming) to hook all access to system resources
Page 11: WinNT Architecture
Page 12: Sandboxing Win32 Processes
Page 13: Sandboxing on Solaris
Page 14: Developing Policies for Mobile Code Hosts
- Most mobile code hosts are large multi-use applications: Web browsers, mailers, desktop automation (word processors, spreadsheets, etc.)
- These applications necessarily need to read and write to the file system, add new modules, and read and write to network resources.
- Problem: how to develop a useful policy in light of these multi-use requirements
Page 15: Potential Solutions
- Wrap mobile code threads. Problem: mobile code can corrupt mobile code host memory
- Wrap the entire application with a restrictive policy. Problem: makes desktop applications useless
- Note when the application executes mobile code and implement a strict policy then
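An added example, not code from the presentation or from RST: a user-space simulation of the approach on pages 9 and 15, a platform-independent policy kept separate from the monitor that enforces it, with the strict objectives from page 5 applied only while the host application is running mobile code. The event format, field names, the 80/443 port list and the trace are all assumptions; in the real design the checks sit in kernel filter drivers, not in Python.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    """Platform-independent policy spec; enforcement lives in SandboxMonitor."""
    file_read: bool = False
    file_write: bool = False
    exec: bool = False
    device: bool = False
    ports: frozenset = frozenset()  # permitted network ports

RESOURCE_OPS = {"file_read", "file_write", "exec", "device"}
# STRICT is the Technical Objectives policy (80/443 are constructed "permitted ports");
# LAX models what the host application itself needs in order to stay usable.
STRICT = Policy(ports=frozenset({80, 443}))
LAX = Policy(True, True, True, True, frozenset(range(1, 65536)))

class SandboxMonitor:
    """Enforcement point: kernel-level in the real design, user-space here."""
    def __init__(self, strict=STRICT, lax=LAX):
        self.strict, self.lax = strict, lax
        self.mobile_code_active = False  # "note when application executes mobile code"
        self.audit = []                  # (event, decision) log, like the audit monitor

    def check(self, ev):
        policy = self.strict if self.mobile_code_active else self.lax
        op = ev["op"]
        if op == "net_connect":
            ok = ev["port"] in policy.ports
        else:
            ok = op in RESOURCE_OPS and getattr(policy, op)  # unknown op: deny
        decision = "allow" if ok else "deny"
        self.audit.append((ev, decision))
        return decision

def replay(events):
    """Run a trace through one monitor; returns the decision per resource event."""
    mon, decisions = SandboxMonitor(), []
    for ev in events:
        if ev["op"] == "mobile_code_start":
            mon.mobile_code_active = True
        elif ev["op"] == "mobile_code_end":
            mon.mobile_code_active = False
        else:
            decisions.append(mon.check(ev))
    return decisions

# Constructed trace: the browser does its own I/O, runs an applet, then resumes.
TRACE = [{"op": "file_write", "path": "cache/index.html"}, {"op": "mobile_code_start"},
         {"op": "file_read", "path": "home/user/private.txt"}, {"op": "net_connect", "port": 443},
         {"op": "net_connect", "port": 6667}, {"op": "exec", "path": "calc.exe"},
         {"op": "mobile_code_end"}, {"op": "file_read", "path": "prefs.js"}]
```

`replay(TRACE)` allows the browser's own writes and reads before and after the applet, and while the applet runs permits only the port-443 connection, denying the file read, the port-6667 connection and the exec.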
Page 16: Technical Hurdles
- Developing an expressive, robust, code/platform-independent, and simple policy specification language
- Performance penalties with the kernel wrapping approach
- Determining when mobile code is executing
- Addressing DoS/resource consumption attacks
Page 17: Quantitative Metrics
- Benchmark process performance with and without kernel wrapping
- Evaluate the sandbox approach against malicious mobile code: hostile Java applets, hostile ActiveX controls, JavaScripts that use controls
- Compare against other sandboxing approaches
Page 18: Expected Achievements
- Develop and release kernel wrapping libraries for Windows NT
- Develop and release a sandbox for mobile code platforms
- Evaluate the approach against malicious mobile code
- Overcome hurdles in state-of-the-art sandboxing
Page 19: Task Schedule, Year 1
- Develop policy specification language
- Build kernel-level filter drivers for NT
- Develop sandbox monitor & implement policies
- Benchmark Windows NT prototype against attacks
- Benchmark performance penalty of kernel-level wrapping
Page 20: Task Schedule (cont’d), Year 2
- Develop functions for processing Solaris callbacks using the /proc interface
- Develop sandbox shell
- Create an audit monitor for logging system calls
- Adapt sandbox monitor for Solaris
- Benchmark prototype
Page 21: Technology Transfer
- Release kernel-level wrapping libraries to the public domain
- Support full observability and controllability of Win32 processes
- Support intrusion detection initiatives on the Win32 platform
- Release sandboxing technology
Page 22: Questions?
Contact info:
- [email protected]
- www.rstcorp.com
- www.rstcorp.com/papers/
- www.rstcorp.com/~anup/
- www.rstcorp.com/books/ecs/