sandboxing mobile code execution environments
DESCRIPTION
Sandboxing Mobile Code Execution Environments. www.rstcorp.com. Anup K. Ghosh, Ph.D. [email protected]. DARPA Joint Intrusion Detection and Information Assurance Principal Investigator Meeting August 2-6, 1999 Phoenix, AZ. The Problem We are Addressing: Untrusted Code. - PowerPoint PPT PresentationTRANSCRIPT
Sandboxing Mobile Code Execution Environments
Anup K. Ghosh, [email protected]
DARPA Joint Intrusion Detection and Information Assurance Principal Investigator MeetingAugust 2-6, 1999Phoenix, AZ
www.rstcorp.com
The Problem We are Addressing: Untrusted CodeProtecting computing host platforms
from untrusted mobile code Java applets ActiveX controls JavaScripts VBscripts/macros multimedia files
Properties of Mobile CodeComes in a variety of formsOften runs unannounced and
unbeknownst to the userRuns with the privilege of the userDistributed in executable form Run in multiple threadsCan launch other programs
Mobile Code Trojans: Do you know what you are running?Demo of hostile Java appletEd Felten of Princeton University:
“Given the choice of safer systems or dancing pigs, the average user will always opt for dancing pigs.”
Technical ObjectivesPrevent untrusted mobile code from:
writing to file system reading from file system executing programs network access except those on permitted
ports reading/writing to/from system devices
Detect/prevent previously unseen mobile code attacks
Mobile Code Security
Originating site
Host site
compilersourcecode code
execProtection Means
- type safety- annotation- PCC- static checks
kernel
boundary controller
code xform
interpreter
Protection Means- firewall/scanning- wrapping/SFI- VM/RTS extens- dynamic checks- DTE/sandboxing
Observations on Protection Mechanisms
Language-based Limited to a particular
language One policy does not fit all Still need dynamic checks
Code Wrapping address containment only bypassable difficult to wrap all code
Firewalls/Scanners binary policies novel code defeats
scannersInterpreter
Particular to code Different models for
different codeKernel protection
requires OS extensions policy specification
Sandboxing Approaches and PitfallsWrap API calls for mobile code threads
code can make direct calls to kernel code can alter memory of other threads
Wrap kernel calls for large applications policies for browsers are necessarily lax
and problematic for preventing malicious behavior from mobile code.
Technical ApproachSpecify security-policy in code/platform-
independent languageSeparate policy specification from policy
enforcementCompile policies to specific platformAddress policy problems for mobile code
host platformsImplement kernel extensions for
WinNT/Solaris
Applying Approach to the Windows NT PlatformWrap access to system resources in
kernel (ring 0) --- API wrapping is bypassable file system, registry, network, devices
Use kernel extensions to WinNT known as filter drivers (VxD programming) to hook all access to system resources
WinNT Architecture
Sandboxing Win32 Processes
Sandboxing on Solaris
Developing Policies for Mobile Code HostsMost mobile code hosts are large multi-
use applications: Web browsers, mailers, desktop automation
(word processors, spreadsheets, etc.) These applications necessarily need to read
and write to file system, add new modules, read and write to network resources.
Problem: how to develop a useful policy in light of these multi-use requirements
Potential SolutionsWrap mobile code threads
Problem: mobile code can corrupt mobile code host memory
Wrap entire application with restrictive policy Problem: makes desktop applications useless
Note when application executes mobile code and implement strict policy then
Technical HurdlesDeveloping expressive, robust,
code/platform-independent, and simple policy specification language
Performance penalties with kernel wrapping approach
Determining when mobile code is executing
Addressing DoS/resource consumption attacks
Quantitative MetricsBenchmark process performance with
and without kernel wrappingEvaluate sandbox approach against
malicious mobile code: hostile Java applets hostile ActiveX controls JavaScripts that use controls
Compare against other sandboxing approaches
Expected AchievementsDevelop and release kernel wrapping
libraries for Windows NT Develop and release sandbox for
mobile code platformsEvaluate approach against malicious
mobile codeOvercome hurdles in state-of-the-art
sandboxing
Task ScheduleYear 1
Develop policy specification language Build kernel level filter drivers for NT Develop sandbox monitor & implement
policies Benchmark Windows NT prototype against
attacks Benchmark performance penalty of kernel-
level wrapping
Task Schedule (cont’d)Year 2
Develop functions for processing Solaris callbacks using the /proc interface
Develop sandbox shell Create an audit monitor for logging
system calls Adapt sandbox monitor for Solaris Benchmark prototype
Technology TransferRelease kernel-level wrapping
libraries to the public domainSupport full observability and
controllability of Win32 processesSupport intrusion detection
initiatives on Win32 platformRelease sandboxing technology
Questions?Contact info:
[email protected] www.rstcorp.com www.rstcorp.com/papers/ www.rstcorp.com/~anup/ www.rstcorp.com/books/ecs/