54
TxBox: Building Secure, Efficient Sandboxes with System Transactions Suman Jana Vitaly Shmatikov The University of Texas at Austin Donald E. Porter Stony Brook University

TxBox: Building Secure, Efficient Sandboxes with System ...suman/docs/txbox.pdf · Sandboxes with perfect policies may not need recoverability can not always enforce least privilege

  • Upload
    others

  • View
    2

  • Download
    0

Embed Size (px)

Citation preview

Page 1: TxBox: Building Secure, Efficient Sandboxes with System ...suman/docs/txbox.pdf · Sandboxes with perfect policies may not need recoverability can not always enforce least privilege

TxBox: Building Secure, Efficient Sandboxes with

System Transactions

Suman Jana Vitaly Shmatikov

The University of Texas at Austin

Donald E. Porter

Stony Brook University

Page 2: TxBox: Building Secure, Efficient Sandboxes with System ...suman/docs/txbox.pdf · Sandboxes with perfect policies may not need recoverability can not always enforce least privilege

Untrusted code is everywhere !

Page 3: TxBox: Building Secure, Efficient Sandboxes with System ...suman/docs/txbox.pdf · Sandboxes with perfect policies may not need recoverability can not always enforce least privilege

Untrusted code is everywhere !

Page 4: TxBox: Building Secure, Efficient Sandboxes with System ...suman/docs/txbox.pdf · Sandboxes with perfect policies may not need recoverability can not always enforce least privilege

Untrusted code is everywhere !

Page 5: TxBox: Building Secure, Efficient Sandboxes with System ...suman/docs/txbox.pdf · Sandboxes with perfect policies may not need recoverability can not always enforce least privilege

Sandbox restricts untrusted code

Files it can read/write

System calls and arguments it can use

sandbox

Sandbox: restrict untrusted code

Page 6: TxBox: Building Secure, Efficient Sandboxes with System ...suman/docs/txbox.pdf · Sandboxes with perfect policies may not need recoverability can not always enforce least privilege

Properties a sandbox should have

Uncircumventability

Fidelity

Separation policy enforcement and policy specification

Performance

completely understand effects of untrusted

code on host

Page 7: TxBox: Building Secure, Efficient Sandboxes with System ...suman/docs/txbox.pdf · Sandboxes with perfect policies may not need recoverability can not always enforce least privilege

A quick survey of some sandboxing techniques

Page 8: TxBox: Building Secure, Efficient Sandboxes with System ...suman/docs/txbox.pdf · Sandboxes with perfect policies may not need recoverability can not always enforce least privilege

Static Analysis

detect malicious code using static-analysis

untrusted code

static-analysis is imperfect:

false negatives

execute code

if benign

Page 9: TxBox: Building Secure, Efficient Sandboxes with System ...suman/docs/txbox.pdf · Sandboxes with perfect policies may not need recoverability can not always enforce least privilege

Incorrect mirroring of system state

Time of check to time of use (TOCTOU) attacks

untrusted code

system call interposition

layer

System call interposition

syscallargs

ret code

syscallargs

ret code

OS system call

implementation

Page 10: TxBox: Building Secure, Efficient Sandboxes with System ...suman/docs/txbox.pdf · Sandboxes with perfect policies may not need recoverability can not always enforce least privilege

Building sandboxes with VMs/emulators

sandbox

VM/emulator

execute copy ofuntrusted code

executeuntrusted

code

if benign

Page 11: TxBox: Building Secure, Efficient Sandboxes with System ...suman/docs/txbox.pdf · Sandboxes with perfect policies may not need recoverability can not always enforce least privilege

Building sandboxes with VMs/emulators

sandbox

VM/emulator

execute copy ofuntrusted code

executeuntrusted

code

if benignif (inside VM/Emulator)benign actions

elsemalicious actions

split personality attack

Page 12: TxBox: Building Secure, Efficient Sandboxes with System ...suman/docs/txbox.pdf · Sandboxes with perfect policies may not need recoverability can not always enforce least privilege

Fidelity: necessary for uncircumventability

Understand behavior of untrusted code

Semantic gaps can lead to circumvention

Coherent view of all actions performed by untrusted code

System calls and arguments

All affected files (read/write)

Page 13: TxBox: Building Secure, Efficient Sandboxes with System ...suman/docs/txbox.pdf · Sandboxes with perfect policies may not need recoverability can not always enforce least privilege

Sandbox policies

How should a sandbox decide which actions to allow/deny ?

Page 14: TxBox: Building Secure, Efficient Sandboxes with System ...suman/docs/txbox.pdf · Sandboxes with perfect policies may not need recoverability can not always enforce least privilege

least privilege model

Whitelist minimal set of operations needed for correct functionality of untrusted code

Users only have partial information

Difficult to implement in practice

Overestimate: untrusted code can cause more damage

Underestimate: crippled functionality

Page 15: TxBox: Building Secure, Efficient Sandboxes with System ...suman/docs/txbox.pdf · Sandboxes with perfect policies may not need recoverability can not always enforce least privilege

Least privilege model: difficulties

untrusted video codec

read ./input.avi

input.aviallow read input.avi

sandbox

write ./out.mpgallow write out.mpg

Page 16: TxBox: Building Secure, Efficient Sandboxes with System ...suman/docs/txbox.pdf · Sandboxes with perfect policies may not need recoverability can not always enforce least privilege

Least privilege model: difficulties

untrusted video codec

read ./input.avi

input.aviallow read input.avi

sandbox

write ./out.mpgallow write out.mpg

write ./tmp123

Page 17: TxBox: Building Secure, Efficient Sandboxes with System ...suman/docs/txbox.pdf · Sandboxes with perfect policies may not need recoverability can not always enforce least privilege

Least privilege model: difficulties

untrusted video codec

read ./input.avi

input.aviallow read input.avi

sandbox

write ./out.mpgallow write out.mpg

write ./tmp123

do not know the name a priori

Page 18: TxBox: Building Secure, Efficient Sandboxes with System ...suman/docs/txbox.pdf · Sandboxes with perfect policies may not need recoverability can not always enforce least privilege

Least privilege model: difficulties

untrusted video codec

read ./input.avi

input.avi

sandbox

write ./out.mpg

write ./tmp123 allow access to files in current

directory

not least privilege anymore

Page 19: TxBox: Building Secure, Efficient Sandboxes with System ...suman/docs/txbox.pdf · Sandboxes with perfect policies may not need recoverability can not always enforce least privilege

Least privilege model: difficulties

untrusted video codec

read ./input.avi

input.avi

sandbox

write ~/bash.rc

write ./unrelated allow access to files in current

directory

violation detected and blocked

damagealready done

Page 20: TxBox: Building Secure, Efficient Sandboxes with System ...suman/docs/txbox.pdf · Sandboxes with perfect policies may not need recoverability can not always enforce least privilege

Recoverability

Once a sandboxed process is detected doing anything bad, rollback all changes to be safe

Real sandboxes have imperfect policies

Sandboxes with perfect policies may not need recoverability

can not always enforce least privilege

only include a subset of possible malicious actions

Page 21: TxBox: Building Secure, Efficient Sandboxes with System ...suman/docs/txbox.pdf · Sandboxes with perfect policies may not need recoverability can not always enforce least privilege

Recoverability can increase parallelism

security checks(e.g. virus scanning)

parallel

sandboxed code

Page 22: TxBox: Building Secure, Efficient Sandboxes with System ...suman/docs/txbox.pdf · Sandboxes with perfect policies may not need recoverability can not always enforce least privilege

Recoverability can increase parallelism

security checks(e.g. virus scanning)

parallel

sandboxed code

is sandboxed codemalicious ?

Page 23: TxBox: Building Secure, Efficient Sandboxes with System ...suman/docs/txbox.pdf · Sandboxes with perfect policies may not need recoverability can not always enforce least privilege

Recoverability can increase parallelism

security checks(e.g. virus scanning)

parallel

sandboxed code

is sandboxed codemalicious ? yes

Page 24: TxBox: Building Secure, Efficient Sandboxes with System ...suman/docs/txbox.pdf · Sandboxes with perfect policies may not need recoverability can not always enforce least privilege

Recoverability can increase parallelism

security checks(e.g. virus scanning)

parallel

sandboxed code

is sandboxed codemalicious ? yes recover

Page 25: TxBox: Building Secure, Efficient Sandboxes with System ...suman/docs/txbox.pdf · Sandboxes with perfect policies may not need recoverability can not always enforce least privilege

Properties a sandbox should have

Uncircumventability

Separation policy enforcement and policy specification

Performance

Recoverability

Page 26: TxBox: Building Secure, Efficient Sandboxes with System ...suman/docs/txbox.pdf · Sandboxes with perfect policies may not need recoverability can not always enforce least privilege

OS transactionsspeculative execution

OS

file A file B

Page 27: TxBox: Building Secure, Efficient Sandboxes with System ...suman/docs/txbox.pdf · Sandboxes with perfect policies may not need recoverability can not always enforce least privilege

OS transactionsspeculative execution

system call

OS

file A file B

Page 28: TxBox: Building Secure, Efficient Sandboxes with System ...suman/docs/txbox.pdf · Sandboxes with perfect policies may not need recoverability can not always enforce least privilege

OS transactionsspeculative execution

system call

transactional work-set

OS

file A file B

modified file A

Page 29: TxBox: Building Secure, Efficient Sandboxes with System ...suman/docs/txbox.pdf · Sandboxes with perfect policies may not need recoverability can not always enforce least privilege

OS transactionsspeculative execution

system call

transactional work-set

OS

file A file B

modified file B

modified file A

Page 30: TxBox: Building Secure, Efficient Sandboxes with System ...suman/docs/txbox.pdf · Sandboxes with perfect policies may not need recoverability can not always enforce least privilege

OS transactionsspeculative execution

system call

abort/commit

transactional work-set

OS

file A file B

modified file B

modified file A

Page 31: TxBox: Building Secure, Efficient Sandboxes with System ...suman/docs/txbox.pdf · Sandboxes with perfect policies may not need recoverability can not always enforce least privilege

OS transactionsspeculative execution

commit

OS

file A file B

modified file A

modified file B

make changes visible to other processes

Page 32: TxBox: Building Secure, Efficient Sandboxes with System ...suman/docs/txbox.pdf · Sandboxes with perfect policies may not need recoverability can not always enforce least privilege

OS transactionsspeculative execution

commit

OS

file A file B

modified file A

modified file B

make changes visible to other processes

Page 33: TxBox: Building Secure, Efficient Sandboxes with System ...suman/docs/txbox.pdf · Sandboxes with perfect policies may not need recoverability can not always enforce least privilege

Security needs transactions

speculatively execute untrusted code

transactional work-set abort

commitno

yes

policy violation

?

Page 34: TxBox: Building Secure, Efficient Sandboxes with System ...suman/docs/txbox.pdf · Sandboxes with perfect policies may not need recoverability can not always enforce least privilege

Security needs transactions

speculatively execute untrusted code

transactional work-set abort

commitno

yes

policy violation

?

performance (no blocking)

uncircumventability

recoverability

Page 35: TxBox: Building Secure, Efficient Sandboxes with System ...suman/docs/txbox.pdf · Sandboxes with perfect policies may not need recoverability can not always enforce least privilege

OS support for transactions

TxOS : Porter et al. SOSP 2009

Speculative execution support for 150+ system calls

Provides ACID semantics

Originally done for handling concurrency

Page 36: TxBox: Building Secure, Efficient Sandboxes with System ...suman/docs/txbox.pdf · Sandboxes with perfect policies may not need recoverability can not always enforce least privilege

Insight: transactions are great match for security

Execute untrusted code inside a transaction

Make security decisions by checking work-set

Parallelize security checks with program execution

Abort transaction if anything malicious is detected

TxBox

Page 37: TxBox: Building Secure, Efficient Sandboxes with System ...suman/docs/txbox.pdf · Sandboxes with perfect policies may not need recoverability can not always enforce least privilege

Insight: transactions are great match for security

Execute untrusted code inside a transaction

Make security decisions by checking work-set

Parallelize security checks with program execution

Abort transaction if anything malicious is detected

TxBox

Page 38: TxBox: Building Secure, Efficient Sandboxes with System ...suman/docs/txbox.pdf · Sandboxes with perfect policies may not need recoverability can not always enforce least privilege

Evaluation

Can TxBox isolate large real-world programs?

FFmpeg : audio/video codec

SpiderMonkey : JavaScript engine

Vim : editor

How much performance/memory overhead does TxBox incur ?

Page 39: TxBox: Building Secure, Efficient Sandboxes with System ...suman/docs/txbox.pdf · Sandboxes with perfect policies may not need recoverability can not always enforce least privilege

TxBox: performance overhead

< 20 %

On average TxBox causes less than < 20% runtime overhead compared to Linux

Page 40: TxBox: Building Secure, Efficient Sandboxes with System ...suman/docs/txbox.pdf · Sandboxes with perfect policies may not need recoverability can not always enforce least privilege

TxBox: memory overhead

2X

On average TxBox execution of a process takes 2x more memory compared to regular Linux execution

Page 41: TxBox: Building Secure, Efficient Sandboxes with System ...suman/docs/txbox.pdf · Sandboxes with perfect policies may not need recoverability can not always enforce least privilege

TxBox: parallel antivirus scanning

ClamAV “on-open” scan

...

postmark

Page 42: TxBox: Building Secure, Efficient Sandboxes with System ...suman/docs/txbox.pdf · Sandboxes with perfect policies may not need recoverability can not always enforce least privilege

TxBox parallelization gain (ClamAV scanning)

230 %

host had 4 cores

Page 43: TxBox: Building Secure, Efficient Sandboxes with System ...suman/docs/txbox.pdf · Sandboxes with perfect policies may not need recoverability can not always enforce least privilege

Conclusion: security needs transactions

Speculatively execute untrusted code

Rollback if any malice is detected

Inspect all effects of the untrusted process at the right level of abstraction

Prevent circumvention and evasion

Page 44: TxBox: Building Secure, Efficient Sandboxes with System ...suman/docs/txbox.pdf · Sandboxes with perfect policies may not need recoverability can not always enforce least privilege

Conclusion: security needs transactions

Speculatively execute untrusted code

Rollback if any malice is detected

Inspect all effects of the untrusted process at the right level of abstraction

Prevent circumvention and evasion

[email protected]

Page 45: TxBox: Building Secure, Efficient Sandboxes with System ...suman/docs/txbox.pdf · Sandboxes with perfect policies may not need recoverability can not always enforce least privilege
Page 46: TxBox: Building Secure, Efficient Sandboxes with System ...suman/docs/txbox.pdf · Sandboxes with perfect policies may not need recoverability can not always enforce least privilege

Recoverability: output commit problem

How to maintain recoverability if an untrusted process performs network i/o ?

Unsolvable in general, we do the next best thing

Always preserve local recoverability

Deny network i/o and continue

Execute network i/o outside of transaction and continue

Page 47: TxBox: Building Secure, Efficient Sandboxes with System ...suman/docs/txbox.pdf · Sandboxes with perfect policies may not need recoverability can not always enforce least privilege

TxBox: implementation issues

TxOS transactions need cooperative processes calling

xbegin

xend

Untrusted processes are not co-operative

Support “forced” transactions

Implement policy manager and policy enforcer

See paper for details

Page 48: TxBox: Building Secure, Efficient Sandboxes with System ...suman/docs/txbox.pdf · Sandboxes with perfect policies may not need recoverability can not always enforce least privilege

sandboxed code

Building sandboxes with system call interposition

kernel

user-space

system call wrapper

system call

syscall args sandbox

allow/deny

should allow ?

Page 49: TxBox: Building Secure, Efficient Sandboxes with System ...suman/docs/txbox.pdf · Sandboxes with perfect policies may not need recoverability can not always enforce least privilege

sandboxed code

Building sandboxes with system call interposition

kernel

user-space

system call wrapper

system call

system call specific handler

syscall args sandbox

allow/deny

should allow ?

if allowed

Page 50: TxBox: Building Secure, Efficient Sandboxes with System ...suman/docs/txbox.pdf · Sandboxes with perfect policies may not need recoverability can not always enforce least privilege

sandboxed code

Building sandboxes with system call interposition

kernel

user-space

system call wrapper

system call

system call specific handler

syscall args sandbox

allow/deny

should allow ?

possible race condition

if allowed

Page 51: TxBox: Building Secure, Efficient Sandboxes with System ...suman/docs/txbox.pdf · Sandboxes with perfect policies may not need recoverability can not always enforce least privilege

sandboxed code

syscall args

Time of check to time of use (TOCTOU) attacks

kernel

user-land

system call wrapper

system call

untrusted code

(child)

fork

Page 52: TxBox: Building Secure, Efficient Sandboxes with System ...suman/docs/txbox.pdf · Sandboxes with perfect policies may not need recoverability can not always enforce least privilege

sandboxed code

syscall args

Time of check to time of use (TOCTOU) attacks

sandbox

kernel

user-land

system call wrapper

system call

untrusted code

(child)

fork

should allow ?

allow

Page 53: TxBox: Building Secure, Efficient Sandboxes with System ...suman/docs/txbox.pdf · Sandboxes with perfect policies may not need recoverability can not always enforce least privilege

sandboxed code

syscall args

Time of check to time of use (TOCTOU) attacks

sandbox

kernel

user-land

system call wrapper

system call

system call specific handler

untrusted code

(child)

fork

overwrite

should allow ?

allow

Page 54: TxBox: Building Secure, Efficient Sandboxes with System ...suman/docs/txbox.pdf · Sandboxes with perfect policies may not need recoverability can not always enforce least privilege

sandboxed code

syscall args

Time of check to time of use (TOCTOU) attacks

sandbox

kernel

user-land

system call wrapper

system call

system call specific handler

untrusted code

(child)

fork

overwrite

should allow ?

allow