220 likes | 379 Views
Sandboxing Mobile Code Execution Environments. www.rstcorp.com. Anup K. Ghosh, Ph.D. anup.ghosh@computer.org. DARPA Joint Intrusion Detection and Information Assurance Principal Investigator Meeting August 2-6, 1999 Phoenix, AZ. The Problem We are Addressing: Untrusted Code.
E N D
Sandboxing Mobile Code Execution Environments www.rstcorp.com Anup K. Ghosh, Ph.D. anup.ghosh@computer.org DARPA Joint Intrusion Detection and Information Assurance Principal Investigator Meeting August 2-6, 1999 Phoenix, AZ
The Problem We are Addressing: Untrusted Code • Protecting computing host platforms from untrusted mobile code • Java applets • ActiveX controls • JavaScripts • VBscripts/macros • multimedia files
Properties of Mobile Code • Comes in a variety of forms • Often runs unannounced and unbeknownst to the user • Runs with the privilege of the user • Distributed in executable form • Run in multiple threads • Can launch other programs
Mobile Code Trojans: Do you know what you are running? • Demo of hostile Java applet • Ed Felten of Princeton University: “Given the choice of safer systems or dancing pigs, the average user will always opt for dancing pigs.”
Technical Objectives • Prevent untrusted mobile code from: • writing to file system • reading from file system • executing programs • network access except those on permitted ports • reading/writing to/from system devices • Detect/prevent previously unseen mobile code attacks
source code exec compiler code boundary controller Mobile Code Security Protection Means - type safety - annotation - PCC - static checks Originating site Host site Protection Means - firewall/scanning - wrapping/SFI - VM/RTS extens - dynamic checks - DTE/sandboxing code xform interpreter kernel
Language-based Limited to a particular language One policy does not fit all Still need dynamic checks Code Wrapping address containment only bypassable difficult to wrap all code Firewalls/Scanners binary policies novel code defeats scanners Interpreter Particular to code Different models for different code Kernel protection requires OS extensions policy specification Observations on Protection Mechanisms
Sandboxing Approaches and Pitfalls • Wrap API calls for mobile code threads • code can make direct calls to kernel • code can alter memory of other threads • Wrap kernel calls for large applications • policies for browsers are necessarily lax and problematic for preventing malicious behavior from mobile code.
Technical Approach • Specify security-policy in code/platform- independent language • Separate policy specification from policy enforcement • Compile policies to specific platform • Address policy problems for mobile code host platforms • Implement kernel extensions for WinNT/Solaris
Applying Approach to the Windows NT Platform • Wrap access to system resources in kernel (ring 0) --- API wrapping is bypassable • file system, registry, network, devices • Use kernel extensions to WinNT known as filter drivers (VxD programming) to hook all access to system resources
Developing Policies for Mobile Code Hosts • Most mobile code hosts are large multi-use applications: • Web browsers, mailers, desktop automation (word processors, spreadsheets, etc.) • These applications necessarily need to read and write to file system, add new modules, read and write to network resources. • Problem: how to develop a useful policy in light of these multi-use requirements
Potential Solutions • Wrap mobile code threads • Problem: mobile code can corrupt mobile code host memory • Wrap entire application with restrictive policy • Problem: makes desktop applications useless • Note when application executes mobile code and implement strict policy then
Technical Hurdles • Developing expressive, robust, code/platform-independent, and simple policy specification language • Performance penalties with kernel wrapping approach • Determining when mobile code is executing • Addressing DoS/resource consumption attacks
Quantitative Metrics • Benchmark process performance with and without kernel wrapping • Evaluate sandbox approach against malicious mobile code: • hostile Java applets • hostile ActiveX controls • JavaScripts that use controls • Compare against other sandboxing approaches
Expected Achievements • Develop and release kernel wrapping libraries for Windows NT • Develop and release sandbox for mobile code platforms • Evaluate approach against malicious mobile code • Overcome hurdles in state-of-the-art sandboxing
Task Schedule • Year 1 • Develop policy specification language • Build kernel level filter drivers for NT • Develop sandbox monitor & implement policies • Benchmark Windows NT prototype against attacks • Benchmark performance penalty of kernel-level wrapping
Task Schedule (cont’d) • Year 2 • Develop functions for processing Solaris callbacks using the /proc interface • Develop sandbox shell • Create an audit monitor for logging system calls • Adapt sandbox monitor for Solaris • Benchmark prototype
Technology Transfer • Release kernel-level wrapping libraries to the public domain • Support full observability and controllability of Win32 processes • Support intrusion detection initiatives on Win32 platform • Release sandboxing technology
Questions? • Contact info: • anup.ghosh@computer.org • www.rstcorp.com • www.rstcorp.com/papers/ • www.rstcorp.com/~anup/ • www.rstcorp.com/books/ecs/