ITS 2 RST Sandbox DARPA PI Phoenix Jul99 (1)


  • 8/11/2019 ITS 2 RST Sandbox DARPA PI Phoenix Jul99 (1)

    1/22

    Sandboxing Mobile Code Execution Environments

    Anup K. Ghosh, Ph.D.

    [email protected]

    DARPA Joint Intrusion Detection and

    Information Assurance Principal Investigator Meeting

    August 2-6, 1999

    Phoenix, AZ

    www.rstcorp.com


    2/22


    3/22

    Properties of Mobile Code

    Comes in a variety of forms
    Often runs unannounced and unbeknownst to the user
    Runs with the privilege of the user
    Distributed in executable form
    Runs in multiple threads
    Can launch other programs


    4/22

    Mobile Code Trojans: Do you know what you are running?

    Demo of hostile Java applet

    Ed Felten of Princeton University:
    "Given the choice of safer systems or dancing pigs, the average user will always opt for dancing pigs."


    5/22

    Technical Objectives

    Prevent untrusted mobile code from:
    - writing to file system
    - reading from file system
    - executing programs
    - network access except those on permitted ports
    - reading/writing to/from system devices
    Detect/prevent previously unseen mobile code attacks


    6/22

    Mobile Code Security

    (Diagram: at the originating site, source code is compiled to code; the code is shipped to the host site, where it is exec'd under the kernel, a boundary controller, code transformation, or an interpreter.)

    Originating site, Protection Means:
    - type safety
    - annotation
    - PCC
    - static checks

    Host site (kernel, boundary controller, code xform, interpreter), Protection Means:
    - firewall/scanning
    - wrapping/SFI
    - VM/RTS extensions
    - dynamic checks
    - DTE/sandboxing


    7/22

    Observations on Protection Mechanisms

    Language-based
    - limited to a particular language
    - one policy does not fit all
    - still need dynamic checks
    Code Wrapping
    - address containment only
    - bypassable
    - difficult to wrap all code
    Firewalls/Scanners
    - binary policies
    - novel code defeats scanners
    Interpreter
    - particular to code
    - different models for different code
    Kernel protection
    - requires OS extensions


    8/22

    Sandboxing Approaches and Pitfalls

    Wrap API calls for mobile code threads
    - code can make direct calls to kernel
    - code can alter memory of other threads
    Wrap kernel calls for large applications
    - policies for browsers are necessarily lax and problematic for preventing malicious behavior from mobile code


    9/22

    Technical Approach

    Specify security policy in a code/platform-independent language
    Separate policy specification from policy enforcement
    Compile policies to specific platform
    Address policy problems for mobile code host platforms
    Implement kernel extensions for WinNT/Solaris


    10/22

    Applying Approach to the Windows NT Platform

    Wrap access to system resources in kernel (ring 0): API wrapping is bypassable
    - file system, registry, network, devices
    Use kernel extensions to WinNT known as filter drivers (VxD programming) to hook all access to system resources


    11/22

    WinNT Architecture


    12/22

    Sandboxing Win32 Processes


    13/22

    Sandboxing on Solaris


    14/22

    Developing Policies for Mobile Code Hosts

    Most mobile code hosts are large multi-use applications:
    - Web browsers, mailers, desktop automation (word processors, spreadsheets, etc.)
    These applications necessarily need to read and write to the file system, add new modules, and read and write to network resources.
    Problem: how to develop a useful policy in light of these multi-use requirements


    15/22

    Potential Solutions

    Wrap mobile code threads
    - Problem: mobile code can corrupt mobile code host memory
    Wrap entire application with restrictive policy
    - Problem: makes desktop applications useless
    Note when application executes mobile code and implement strict policy then
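    The following is an added Python example, not code from the presentation or from RST's sandbox, that makes the preceding slides concrete: a platform-independent policy specification (the Technical Objectives list) is kept separate from the enforcement routine, the strict policy is applied only while the host application is executing mobile code, and every decision is logged as the audit monitor in the Year 2 schedule would. The event shape, operation names and sample trace are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    """Platform-independent policy specification (assumed shape, not RST's language)."""
    deny_ops: frozenset        # resource operations the sandboxed code may not perform
    allowed_ports: frozenset   # network access is denied except on these ports


# Strict policy: the "Technical Objectives" list, applied while mobile code runs.
STRICT = Policy(deny_ops=frozenset({"file_read", "file_write", "exec", "device"}),
                allowed_ports=frozenset({80, 443}))
# Lax policy for the host application (browser, mailer) when no mobile code is active.
LAX = Policy(deny_ops=frozenset({"device"}),
             allowed_ports=frozenset(range(1, 65536)))


def decide(policy, event):
    """Enforcement step, kept separate from the specification. Returns (allowed, reason)."""
    op = event["op"]
    if op == "net_connect":
        port = event.get("port")
        if port in policy.allowed_ports:
            return True, "port permitted"
        return False, f"port {port} not permitted"
    if op in policy.deny_ops:
        return False, f"{op} denied"
    return True, "allowed"


def monitor(events):
    """Audit monitor: pick the policy per event by whether the host application is
    currently executing mobile code, enforce it, and log every decision."""
    log = []
    for ev in events:
        policy = STRICT if ev["mobile_code_active"] else LAX
        allowed, reason = decide(policy, ev)
        log.append((ev["op"], ev.get("target"), "ALLOW" if allowed else "DENY", reason))
    return log


# Constructed sample trace: what a kernel-level hook might report for one host process.
SAMPLE_EVENTS = [
    {"op": "file_write", "target": "cache.dat", "mobile_code_active": False},
    {"op": "file_write", "target": "settings.ini", "mobile_code_active": True},
    {"op": "net_connect", "target": "www.example.com", "port": 443, "mobile_code_active": True},
    {"op": "net_connect", "target": "www.example.com", "port": 8080, "mobile_code_active": True},
    {"op": "exec", "target": "helper.exe", "mobile_code_active": True},
    {"op": "device", "target": "COM1", "mobile_code_active": False},
]

if __name__ == "__main__":
    for entry in monitor(SAMPLE_EVENTS):
        print(entry)
```

The same file write is allowed for the host application and denied once mobile code is active, which is the per-policy switch the slide proposes; how the kernel hook learns that mobile code is executing is the open hurdle the next slide names.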


    16/22

    Technical Hurdles

    Developing an expressive, robust, code/platform-independent, and simple policy specification language
    Performance penalties with kernel wrapping approach
    Determining when mobile code is executing
    Addressing DoS/resource consumption attacks


    17/22

    Quantitative Metrics

    Benchmark process performance with and without kernel wrapping
    Evaluate sandbox approach against malicious mobile code:
    - hostile Java applets
    - hostile ActiveX controls
    - JavaScripts that use controls
    Compare against other sandboxing approaches


    18/22

    Expected Achievements

    Develop and release kernel wrapping libraries for Windows NT
    Develop and release sandbox for mobile code platforms
    Evaluate approach against malicious mobile code
    Overcome hurdles in state-of-the-art sandboxing


    19/22

    Task Schedule

    Year 1
    - Develop policy specification language
    - Build kernel level filter drivers for NT
    - Develop sandbox monitor & implement policies
    - Benchmark Windows NT prototype against attacks
    - Benchmark performance penalty of kernel-level wrapping


    20/22

    Task Schedule (contd)

    Year 2
    - Develop functions for processing Solaris callbacks using the /proc interface
    - Develop sandbox shell
    - Create an audit monitor for logging system calls
    - Adapt sandbox monitor for Solaris
    - Benchmark prototype


    21/22

    Technology Transfer

    Release kernel-level wrapping libraries to the public domain
    - Support full observability and controllability of Win32 processes
    - Support intrusion detection initiatives on Win32 platform
    Release sandboxing technology


    22/22

    Questions?

    Contact info:

    [email protected]

    www.rstcorp.com

    www.rstcorp.com/papers/

    www.rstcorp.com/~anup/

    www.rstcorp.com/books/ecs/