lecture 5 on safes sandboxes and spies
play

Lecture #5: On Safes, Sandboxes, and Spies 1 Now that we have - PowerPoint PPT Presentation

Dec 31, 2023 •285 likes •626 views

Computer Science 161 Fall 2016 Popa and Weaver Lecture #5: On Safes, Sandboxes, and Spies 1 Now that we have some concepts... Its time for a more deep dive Computer Science 161 Fall 2016 Popa and Weaver Use this as a review of what

  1. Computer Science 161 Fall 2016 Popa and Weaver Lecture #5: 
 On Safes, 
 Sandboxes, and Spies 1

  2. Now that we have some concepts... Its time for a more deep dive Computer Science 161 Fall 2016 Popa and Weaver • Use this as a review of what we've learned so far and putting it into action • Deep Dive #1: Safes • Requirements • Cost/benefit tradeo ff s • Detection & response countermeasures • Deep Dive #2: Sandboxes • Detailed concept and objectives • How to Sandbox on Linux, Old School • How to Sandbox on Linux, New School • Deep Dive #3: Spies 2

  3. So You Want to Buy a Safe... Computer Science 161 Fall 2016 Popa and Weaver • What are the actual requirements? • Protect against: • Fire damage? • Low Grade Threats? • Legal Liability? • Determined Theft? 3

  4. Fire Damage Computer Science 161 Fall 2016 Popa and Weaver • Most "safes" you buy at O ffi ce Depot are not actual safes... • They are not rated nor even well designed to keep out a burglar • Rather, they are "fire safes": designed to prevent damage in case of a file • Often rated by Underwriters Laboratories (UL): means tested to a given standard • Two big categories • Documents/guns/etc: Keeps temperatures below 350F • Will keep that passport from burning • Data safes: Keeps temperatures below 125F and humidity below 80% • Computer media much more delicate • Testing also indicates duration • Security lesson: Know what you are protecting and what your threat is • Don't expect a document-rated fire safe to keep a hard drive safe from damage in a fire • Don't expect either to meaningfully stop a teenager with a crowbar • And do your threat modeling before you commit to a security procedure! 4

  5. Low-Threat Entry & 
 Legal Liability Computer Science 161 Fall 2016 Popa and Weaver • Some safes are concerned with rather low-threat attackers • Toddlers and the like • Classic example are CA state mandated "gun" locks • A long list of "approved" devices • That often can't even keep a toddler out! • Security Lesson: Checkbox security and real security are often two di ff erent things 5

  6. High Threat: 
 Ratings Computer Science 161 Fall 2016 Popa and Weaver • UL Listed ratings for various level of attackers • Residential Security Container: • 5 minutes by a professional with hammer etc • Ratings up from there • TL-15 • 15 minutes with power tools • TRTL-30 • 30 minutes with power tools or cutting torch • TXTL-60X6 • 60 minutes, working on all 6 sides, and the attacker even gets 
 to use 8 ounces of nitroglycerine! • These are conservative ratings: • They assume an attacker with the proper set of tools 
 and knowledge of the safe's construction oe • Shannon's Maxim: "The enemy knows the system" • Kerckho ff s's Principle: "A cryptosystem should be secure even if everything about the system, except the key, is public knowledge." 6

  7. Detection and Response Computer Science 161 Fall 2016 Popa and Weaver • A safe doesn't have to be a passive device!! • In addition to the burglar alarms • Relockers: Fail closed when under attack • EG, a piece of glass which holds spring-loaded bolts open • If the glass ever breaks, the additional bolts close and stay closed • Very expensive false positives! 7

  8. The Sandbox... Computer Science 161 Fall 2016 Popa and Weaver • You have a lot of crappy code that take input from hostile users • Often written in C/C++ • In an ideal world, you'd extinguish the dumpster fire... • But if it is only burning within the dumpster, is it really harmful? • The sandbox generally covers an entire process • That way one can take advantage of operating-specific features that allow a process to restrict what it is allowed to do 8

  9. Why Sandbox At All? Computer Science 161 Fall 2016 Popa and Weaver • The sandbox is mostly good at making C/C++ memory exploits no longer exploitable • Now the attacker needs to both exploit the C code AND exploit a weakness in the sandbox • Defense in depth... • But why bother with defense in depth? • Because its cheaper! • Cheaper to keep using the same crappy C and C++ code and put it in a letterbox than it is actually rewriting the code in a secure language! 9

  10. Sandbox Objectives Computer Science 161 Fall 2016 Popa and Weaver • From the Chromium Project: 
 https://www.chromium.org/developers/design-documents/ sandbox • Don't Reinvent the Wheel • Principle of Least Privilege • Assume Sandboxed Code is Malicious Code • Be Nimble • Emulation is Not Security 10

  11. Don't Reinvent The Wheel Computer Science 161 Fall 2016 Popa and Weaver • Modern operating systems o ff er di ff erent mechanisms for containment • Modifying the OS to ad a new containment feature is going to be a loser: 
 you will get it wrong • When security systems require modifying the OS its often a big danger sign 11

  12. The Principle of Least Privilege Computer Science 161 Fall 2016 Popa and Weaver • In an ideal world, running the code in a sandbox should not require any more privileges than a normal user • This is not the case on old-school Linux • This is the case on new-school Linux and Windows • This is critical: You don't want your sandboxing to make things worse! • If your sandbox does require root you must design it to give up those privileges • Also, whatever mechanism must be inheritable: • Any process launched by a sandbox process must operate under the same strict restrictions • OR the sandboxed process MUST NOT be able to launch another process! 12

  13. Assume Sandboxed Code is 
 Malicious Code Computer Science 161 Fall 2016 Popa and Weaver • The sandbox must work if the code within it is compromised by an attacker • So simply assume for the purposes of the sandbox that the code you are running is already compromised • Must ensure complete mediation : • After the sandbox itself hands control over to the running code, that code must not be able to access any resource beyond that necessary to perform its operation • And that which it can access must be checked and treated as potentially hostile input 13

  14. Be Nimble Computer Science 161 Fall 2016 Popa and Weaver • Sandboxing adds overhead... • But its often important to not add too much overhead, otherwise it gets unused • So make an assumption: • For correctness, you must assume malicious code • For performance, you can assume only correct code • Allows you to optimize your performance for the "good" case 14

  15. Emulation is Not Security Computer Science 161 Fall 2016 Popa and Weaver • Emulation primitives (Virutal Machines etc) are often not designed as security sandboxes! • Relying on something misdesigned for sandboxing can be a problem! 15

  16. The Broker and the 
 Target Computer Science 161 Fall 2016 Popa and Weaver • Most sandboxes separate out the problem into separate components • That run as separate processes • The Broker is the reference monitor/trusted computing base • Its job is to start up the targets • ALL requests for anything sensitive in the target must be passed to the broker • The target is the sandboxed code • Establish communication with the broker • Provide an API for talking to the broker • And then yield all other privileges 16

  17. Robustness... Computer Science 161 Fall 2016 Popa and Weaver • The sandboxed process also can now fail gracefully • And not take the rest of the program down with it • So you design around the notions of sandboxed programs failing 17

  18. And Don't Reinvent the Wheel #2: 
 Just Download Someone Else's! Computer Science 161 Fall 2016 Popa and Weaver • Mozilla is finally adding sandboxing to Firefox... • Thanks to Mitar for the note • For Windows: • Wrapper around Chrome's sandbox • For Linux: • Uses seccomp as the building block 18

  19. Old School Unix Sandboxing: 
 the chroot jail Computer Science 161 Fall 2016 Popa and Weaver • People have wanted sandboxes for a long time... • Far longer than the OSs have provided fine grained mediation necessary to create sandboxes • The gen-1 Unix Sandbox: • The chroot system call changes the definition / for the invoking process • Thus it enforces a property: • The process (and all processes it invokes, directly or indirectly) can not read or write to any new file outside the new directory But can still access existing files • 19

  20. Limitations of chroot Computer Science 161 Fall 2016 Popa and Weaver • It is a privileged operation! • Because you can do things that would compromise the system otherwise: • Create a directory with a file name etc/sudoers with the appropriate context • Now chroot to that directory • Now invoke sudo • Voila, you have root! So any program using chroot must then drop it privileges to run as "nobody" or an otherwise unknown • user • It does not a ff ect system call operation • So a "jailed" process can still access the network, call the kernel (and therefore perhaps kernel bugs), etc etc etc... • The "nobody" account actually still has privileges! Like the ability to interfere with other processes also owned by the "nobody" user 20

Recommend

Sandboxes VM Most sandboxes provide an isolation-based approach where the effect of

Sandboxes VM Most sandboxes provide an isolation-based approach where the effect of

Sandboxes VM Most sandboxes provide an isolation-based approach where the effect of programs run inside a sandbox is entirely isolated from resources outside the sandbox's authority. However, due to practical requirements, sandboxing

1.9k views • 164 slides
EBA industry roundtable: regulatory sandboxes and innovation hubs EBAs premises, London, 3

EBA industry roundtable: regulatory sandboxes and innovation hubs EBAs premises, London, 3

EBA industry roundtable: regulatory sandboxes and innovation hubs EBAs premises, London, 3 September 2018 Overview Background and objectives Session 1: Regulatory sandboxes Session 2: Innovation hubs Next steps Industry

392 views • 15 slides
Inside East-West Espionage Edward Lucas Author, Deception: Spies, Lies and how Russia Dupes the

Inside East-West Espionage Edward Lucas Author, Deception: Spies, Lies and how Russia Dupes the

LSE public lecture Inside East-West Espionage Edward Lucas Author, Deception: Spies, Lies and how Russia Dupes the West International editor, The Economist Dr Paul Keenan Chair, LSE Suggested hashtag for Twitter users: #lseRussia @edwardlucas

387 views • 11 slides
Securi rity P y Principles & & Sandboxes CS 161: Computer Security Prof. Raluca Ada

Securi rity P y Principles & & Sandboxes CS 161: Computer Security Prof. Raluca Ada

Securi rity P y Principles & & Sandboxes CS 161: Computer Security Prof. Raluca Ada Popa January 25, 2018 Some slides credit Nick Weaver or David Wagner. Announcements Homework 1 is out, due on Monday Midterm 1 date Feb 15,

557 views • 54 slides
Joshua 2:1 Then Joshua son of Nun sent two men secretly from Shittim as spies, saying, Go,

Joshua 2:1 Then Joshua son of Nun sent two men secretly from Shittim as spies, saying, Go,

Joshua 2:1 Then Joshua son of Nun sent two men secretly from Shittim as spies, saying, Go, view the land, especially Jericho. Joshua 2:1 So they went, and entered the house of a prostitute whose name was Rahab, and spent the night

480 views • 14 slides
NEEDLES IN A HAYSTACK: MINING INFORMATION FROM PUBLIC DYNAMIC SANDBOXES FOR MALWARE INTELLIGENCE

NEEDLES IN A HAYSTACK: MINING INFORMATION FROM PUBLIC DYNAMIC SANDBOXES FOR MALWARE INTELLIGENCE

NEEDLES IN A HAYSTACK: MINING INFORMATION FROM PUBLIC DYNAMIC SANDBOXES FOR MALWARE INTELLIGENCE Mariano Graziano, Davide Canali, Leyla Bilge, Andrea Lanzi and Davide Balzarotti Eurecom Symantec Research Labs Universit degli Studi di

695 views • 34 slides
Joshua 2:1-7 Joshua the son of Nun sent out of Shittim two men as spies secretly, saying, Go, view

Joshua 2:1-7 Joshua the son of Nun sent out of Shittim two men as spies secretly, saying, Go, view

Speaking A Lie In Love ? Is it ever the will of God for Christians to lie? Joshua 2:1-7 Joshua the son of Nun sent out of Shittim two men as spies secretly, saying, Go, view the land, and Jericho. They went and came into the house of a prostitute

1.1k views • 64 slides
Revolutionaries and Spies Daniel W. Cranston Virginia Commonwealth University dcranston@vcu.edu

Revolutionaries and Spies Daniel W. Cranston Virginia Commonwealth University dcranston@vcu.edu

Revolutionaries and Spies Daniel W. Cranston Virginia Commonwealth University dcranston@vcu.edu Slides available on my preprint page Joint with Jane Butterfield, Greg Puleo, Cliff Smyth, Doug West, and Reza Zamani LSU Combinatorics Seminar 6

760 views • 75 slides
Revolutionaries and Spies on Graphs Daniel W. Cranston Virginia Commonwealth University

Revolutionaries and Spies on Graphs Daniel W. Cranston Virginia Commonwealth University

Revolutionaries and Spies on Graphs Daniel W. Cranston Virginia Commonwealth University dcranston@vcu.edu Slides available on my webpage Joint with Jane Butterfield, Greg Puleo, Doug West, and Reza Zamani NIST ACMD Seminar 12 March 2013 A

826 views • 65 slides
Removing the MAC Retransmission Times from the RTT in TCP E. Dedu , S. Linck, F. Spies

Removing the MAC Retransmission Times from the RTT in TCP E. Dedu , S. Linck, F. Spies

Removing the MAC Retransmission Times from the RTT in TCP E. Dedu , S. Linck, F. Spies Laboratoire d'Informatique de l'Universit de Franche-Comt (LIFC) Montbliard, France Euromedia'2005 Toulouse, France 11 April 2005 Problem: RTT

331 views • 14 slides
Detecting Threats, Not Sandboxes (C (Characterizin ing Ne Network Environments to o Im

Detecting Threats, Not Sandboxes (C (Characterizin ing Ne Network Environments to o Im

Detecting Threats, Not Sandboxes (C (Characterizin ing Ne Network Environments to o Im Improve Mal alware Clas lassification) Blake Anderson (blake.anderson@cisco.com), David McGrew (mcgrew@cisco.com) FloCon 2017 January, 2017 Data

645 views • 21 slides
Revolutionaries and Spies II: Hypercubes & Complete Multipartite Graphs Douglas B. West

Revolutionaries and Spies II: Hypercubes & Complete Multipartite Graphs Douglas B. West

Revolutionaries and Spies II: Hypercubes & Complete Multipartite Graphs Douglas B. West Department of Mathematics University of Illinois at Urbana-Champaign west@math.uiuc.edu slides available on DBW preprint page Joint work with Jane V.

1.01k views • 83 slides
GOT SPIES IN YOUR WIRES? Agenda 2 2 Introduction Meat and Potatoes Questions

GOT SPIES IN YOUR WIRES? Agenda 2 2 Introduction Meat and Potatoes Questions

Marshall Heilman GOT SPIES IN YOUR WIRES? Agenda 2 2 Introduction Meat and Potatoes Questions Introduction 3 3 Evolution of Cyber Attacks 4 - Technical Problem - Unix Systems -- 1998 - Servers - Attacks Were a Nuisance -

948 views • 47 slides
Lecture 19: Flow and Confinement Examples of information flow applications The confinement

Lecture 19: Flow and Confinement Examples of information flow applications The confinement

Lecture 19: Flow and Confinement Examples of information flow applications The confinement problem Covert channels Isolation: virtual machines, sandboxes March 2, 2009 ECS 235B, Winter Quarter 2009 Slide #19-1 Matt Bishop, UC

322 views • 30 slides
Historic Events on 9 th of Av 12 Spies return from Canaan, 10 with a Bad Report 1491 BC 1st

Historic Events on 9 th of Av 12 Spies return from Canaan, 10 with a Bad Report 1491 BC 1st

Historic Events on 9 th of Av 12 Spies return from Canaan, 10 with a Bad Report 1491 BC 1st Temple Destroyed by Nebuchadnezar 586 BC 2nd Temple Destroyed by Titus Legions 70 AD Bar Kochvah Revolt was Crushed 132 Rome Plowed & Salted

302 views • 13 slides
Enter The Sandbox: Developing Innovation Sandboxes for the Energy Sector PRESENTATION TITLE:

Enter The Sandbox: Developing Innovation Sandboxes for the Energy Sector PRESENTATION TITLE:

Enter The Sandbox: Developing Innovation Sandboxes for the Energy Sector PRESENTATION TITLE: RALEWAY BOLD ALL CAPS WHITE 18 Date: Raleway regular white 14 September 16, 2020 POLLUTION PROBE + Pollution Probe is Canadas oldest homegrown

778 views • 38 slides
Undecidability of Higher-Order Unification Formalised in Coq Simon Spies, Yannick Forster 20

Undecidability of Higher-Order Unification Formalised in Coq Simon Spies, Yannick Forster 20

Undecidability of Higher-Order Unification Formalised in Coq Simon Spies, Yannick Forster 20 January 2020 CPP20 saarland university computer science Definition Undecidability Fragments Discussion Extending the Coq Library of

985 views • 54 slides
Espionage in WWII: Operation Jedburgh Pre-WWII Spies - Pre WWII, espionage apparatus =

Espionage in WWII: Operation Jedburgh Pre-WWII Spies - Pre WWII, espionage apparatus =

Espionage in WWII: Operation Jedburgh Pre-WWII Spies - Pre WWII, espionage apparatus = primitive and weak - G-2 / ONI - FDR creates COI http://showblogs.syfy.com/caprican/opinion/corporate-espionage-is-it-going- too-far.php - FDR chooses

129 views • 11 slides
The Cost of Care Ben Spies-Butcher, Macquarie University Presented to Council of the Ageing NSW

The Cost of Care Ben Spies-Butcher, Macquarie University Presented to Council of the Ageing NSW

The Cost of Care Ben Spies-Butcher, Macquarie University Presented to Council of the Ageing NSW Forum, Paying the Price: Women, work and care Overview The dilemma of care Breadwinner families: the post-War solution The end of an old

485 views • 22 slides
Spies on Inclusion Policies, Programs, and Pamphlets The United States Intelligence Community

Spies on Inclusion Policies, Programs, and Pamphlets The United States Intelligence Community

ODNI O FFI CE O F T H E D I R ECTOR OF N AT IONA L I NT E LL IGE NCE Spies on Inclusion Policies, Programs, and Pamphlets The United States Intelligence Community Taking Diversity Policies to Action through Guidelines, Training, and

436 views • 15 slides
Conservation of Old Forests in a Dynamic Landscape Thomas Spies PNW Research Station Objectives

Conservation of Old Forests in a Dynamic Landscape Thomas Spies PNW Research Station Objectives

Conservation of Old Forests in a Dynamic Landscape Thomas Spies PNW Research Station Objectives Reserve-Matrix Concept Short and Long-term Concerns Discuss Alternatives A Variety of Land Land Use Allocations Allocations With

362 views • 19 slides
Climate Change: Potential Impacts on Forest Ecosystems Thomas A. Spies USDA Forest Service

Climate Change: Potential Impacts on Forest Ecosystems Thomas A. Spies USDA Forest Service

Climate Change: Potential Impacts on Forest Ecosystems Thomas A. Spies USDA Forest Service Pacific Northwest Research Station Corvallis, OR, USA August 5, 2008 Change in Mean Monthly Temperature (Degrees C) 2070-2099 vs 1961-1990 A1B B1

632 views • 23 slides
OPSEC Failure of Spies Cellular metadata cuts both ways Abu Omar

OPSEC Failure of Spies Cellular metadata cuts both ways Abu Omar

OPSEC Failure of Spies Cellular metadata cuts both ways Abu Omar http://www.youtube.com/watch?feature=player _detailpage&v=Pck96WXcLa0#t=57s http://www.youtube.com/watch?feature=play er_detailpage&v=Gq6gcVKVZ_g#t=132s Matthew Cole

349 views • 21 slides
E4 Spies and tools 29 October 2014 I - OPCoach I OPCoach About me Olivier Prouvost

E4 Spies and tools 29 October 2014 I - OPCoach I OPCoach About me Olivier Prouvost

E4 Spies and tools 29 October 2014 I - OPCoach I OPCoach About me Olivier Prouvost Eclipse expert trainer and committer (E4 Tools) olivier.prouvost@opcoach.com @OPCoach_Eclipse About OPCoach Company

376 views • 24 slides

More recommend