Practical and Effective Sandboxing for Non-root users Taesoo Kim - PowerPoint PPT Presentation


  1. Practical and Effective Sandboxing for Non-root users
     Taesoo Kim and Nickolai Zeldovich
     MIT CSAIL

  2. Why yet another sandbox for desktop applications?
     ● There are many existing sandbox mechanisms
       – chroot / LXC (Unix/Linux)
       – Jail (FreeBSD)
       – Seatbelt (Mac OS X)
       – VM? ...
     ● They are difficult to use, require root privilege, or are slow!

  3-7. TL;DR (one demo, annotated over five slides)
     $ mbox -- ./downloaded-bin
     ...
     Network Summary:
     > [11279] -> 173.194.43.51:80
     > [11279] Create socket(PF_INET,...)
     > [11279] -> a00::2607:f8b0:4006:803:0
     ...
     Sandbox Root:
     > /tmp/sandbox-11275
     > N:/tmp/index.html
     [c]ommit, [d]iff, [i]gnore, [l]ist, [s]hell, [q]uit ?>
     ● Our tool, run on an unknown binary downloaded from the Internet
     ● Network Summary: where does it connect?
     ● Sandbox Root: the host filesystem is protected from modification
     ● [c]ommit / [d]iff / ...: a revision-control-system-like interface
     ● All without root privilege!

  8. Design overview
     ● Layered sandbox filesystem
       – Overlays the host filesystem
       – Confines modifications made by sandboxed processes
       – Persistent storage: in fact, just a regular directory
     ● System call interposition
       – Commodity OSes provide one for non-root users
       – Enables a variety of applications: installing packages, restricting the network, build/dev. environments, ...

  10. Installing packages as a normal user
     $ mbox -R -- apt-get install git
     (-R: emulate a fakeroot environment)
     ● Mbox provides a writable sandbox layer on top of the host filesystem
       – The user owns the sandbox directory
       – It contains the newly installed files and the package databases
     ● Mbox emulates a fakeroot environment
       – Use standard package managers without modification
       – Supported: apt-get (Ubuntu), dpkg (Debian), pip (Python)

  11. Running an unknown binary safely
     $ mbox -n -- ./downloaded-bin
     (-n: disable remote network accesses)
     ● Mbox protects the host filesystem from modifications
     ● Mbox restricts or monitors network accesses
       – Interprets socket-like system calls
       – Summarizes network activity when the process terminates

  12-15. Checkpointing filesystem (one diagram, built up over four slides)
     $ mbox -i -- emacs ~/.emacs
     (-i: enable interactive commit-mode)
     [Diagram]
       Sandbox: emacs edits .emacs
         Read / Write -> Sandbox FS: ~/.emacs (the sandbox's private copy)
         Read        -> Host Filesystem: ~/.emacs (until the file has been copied)
       Commit: Sandbox FS ~/.emacs -> Host Filesystem ~/.emacs

  16. Build/development environment
     $ tree linux-git
     ...
     [Diagram: Host Filesystem holds the linux-git tree (e.g. mm/mmap.c, mm/mlock.c); the Sandbox FS holds only the generated *.o files]
     $ mbox -r outdir -- make
     (-r dir: specify a sandbox directory)
     ● Mbox can separate out the generated object files
       – make clean == rm -rf outdir
     ● Mbox can also be used as a virtual dev. environment
       – Install packages with standard package managers

  17. Outline
     ● Motivation / use cases
     ● Layered sandbox filesystem
     ● System call interposition (using seccomp/BPF)
     ● Implementation / evaluation
     ● Related work
     ● Summary

  18-22. Sandbox filesystem supports copy-on-write (one diagram, built up over five slides)
     [Diagram: Sandboxed process -> Sandbox filesystem -> Host filesystem, with .emacs living on the host]
     ● open(".emacs", R): the read goes straight through to the host filesystem
     ● open(".emacs", RW): .emacs is first copied from the host into the sandbox filesystem; the process then reads and writes the copy

  23-24. Copy-on-write by rewriting path arguments
     ● open(".emacs", RW): the host file is copied under the sandbox root (/tmp/sbox/), and the path argument is rewritten to the copy: /tmp/sbox/home/taesoo/.emacs
     ● All reads and writes through that descriptor hit the sandbox copy

  25-26. All subsequent reads/writes should happen on the sandbox filesystem
     ● open(".emacs", RW) ... open(".emacs", R): a later read-only open is redirected to /tmp/sbox/home/taesoo/.emacs as well, so the process never sees the stale host copy

  27-28. Sandbox filesystem keeps track of deleted files
     ● unlink(".emacs"): Mbox records .emacs in a hashmap of deleted files; the host copy is left untouched
     ● open(".emacs", R) afterwards: Mbox consults the hashmap and reports the file as deleted, even though .emacs still exists on the host filesystem

  29. Mbox doesn't have to interpose on every system call
       fd = open(".emacs", R)      fd = open(".emacs", RW)
       read(fd, buf, size)         write(fd, buf, size)
     ● After redirecting the path in open(), we don't have to interpose on the read()/write() system calls
     ● Mbox needs to interpose on 48 system calls that take a path argument to provide the layered sandbox filesystem

  30. Mechanism: system call interposition
     ● ptrace is the common technique, but slow
       – Interposes on entry and exit of every system call
       – Serializes the system calls of child processes through the tracer
     ● Using seccomp/BPF (>= Linux 3.5)
       – Seccomp is a security mechanism that isolates a process by allowing only a specified set of system calls
       – Seccomp/BPF uses BPF (Berkeley Packet Filter) programs to express the rules for filtering system calls

  31-37. BPF program for interposition (one diagram, built up over seven slides)
     ① Mbox installs a seccomp/BPF program with prctl():
          BPF_STMT(LD, OFF_SYSCALL)      load the system call number
          BPF_JUMP(#open, 0, 1)          is it open()? fall through : skip the next instruction
          BPF_STMT(RET, TRACE)           yes: stop and notify the tracer
          …                              one such pair per interposed system call
          BPF_STMT(RET, ALLOWED)         anything else runs without interposition
     ② Mbox exec()s the sandboxed process (the filter is kept across the exec)
     ③ The sandboxed process calls open("/a", RW)
     ④ The kernel's seccomp/BPF filter returns TRACE; Mbox, blocked in wait(), receives EVENT_SECCOMP
     ⑤ Mbox uses ptrace (PEEK/POKE) to rewrite the path argument in the process's memory: "/a" → "/tmp/sbox/a"
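The filter from step ① written out in C, as an added example that is not Mbox's code. It builds the same LD / JEQ / RET shape the slide shows (plus the architecture check any seccomp filter should start with), and adds a tiny cBPF interpreter covering just the opcodes the filter uses, so the filter's decision for any syscall number can be checked without installing it. The names build_filter, seccomp_classify, seccomp_classify_arch and install_filter, and the particular list of path-taking syscalls (a subset of Mbox's 48), are this example's own.

```c
/* Added example, not Mbox's code: the slide's seccomp/BPF filter built in C
 * plus a minimal user-space interpreter to check what it decides. */
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>

#if defined(__x86_64__)
#define SBOX_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SBOX_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* Path-taking syscalls the tracer must see (a subset of Mbox's 48; list is this example's). */
static const int path_syscalls[] = {
    SYS_openat, SYS_unlinkat, SYS_mkdirat, SYS_linkat, SYS_symlinkat, SYS_readlinkat,
    SYS_fchmodat, SYS_fchownat, SYS_faccessat, SYS_execve, SYS_chdir, SYS_truncate,
#ifdef SYS_open   /* legacy non-*at entry points, present on x86_64 but not arm64 */
    SYS_open, SYS_creat, SYS_stat, SYS_lstat, SYS_access, SYS_unlink, SYS_mkdir, SYS_rmdir, SYS_rename,
#endif
};
#define NPATH (sizeof path_syscalls / sizeof path_syscalls[0])

static struct sock_filter prog[8 + 2 * NPATH];
static size_t prog_len;

static void emit(uint16_t code, uint8_t jt, uint8_t jf, uint32_t k) {
    prog[prog_len++] = (struct sock_filter){ code, jt, jf, k };
}

/* Same shape as the slide: LD nr; (JEQ #sys, 0, 1; RET TRACE)*; RET ALLOW,
 * preceded by an architecture check so the syscall numbers mean what we think. */
size_t build_filter(void) {
    prog_len = 0;
    emit(BPF_LD | BPF_W | BPF_ABS, 0, 0, offsetof(struct seccomp_data, arch));
    emit(BPF_JMP | BPF_JEQ | BPF_K, 1, 0, SBOX_ARCH);
    emit(BPF_RET | BPF_K, 0, 0, SECCOMP_RET_KILL);        /* foreign ABI: refuse outright */
    emit(BPF_LD | BPF_W | BPF_ABS, 0, 0, offsetof(struct seccomp_data, nr));
    for (size_t i = 0; i < NPATH; i++) {
        emit(BPF_JMP | BPF_JEQ | BPF_K, 0, 1, (uint32_t)path_syscalls[i]);
        emit(BPF_RET | BPF_K, 0, 0, SECCOMP_RET_TRACE);   /* wake the ptrace tracer */
    }
    emit(BPF_RET | BPF_K, 0, 0, SECCOMP_RET_ALLOW);       /* everything else runs untouched */
    return prog_len;
}

/* Minimal cBPF interpreter covering only the opcodes build_filter() emits. */
static uint32_t bpf_run(const struct seccomp_data *d) {
    const unsigned char *mem = (const unsigned char *)d;
    uint32_t acc = 0;
    for (size_t pc = 0; pc < prog_len; ) {
        const struct sock_filter *in = &prog[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:  memcpy(&acc, mem + in->k, sizeof acc); pc++; break;
        case BPF_JMP | BPF_JEQ | BPF_K: pc += 1 + (acc == in->k ? in->jt : in->jf); break;
        case BPF_RET | BPF_K:           return in->k;
        default:                        return SECCOMP_RET_KILL;  /* opcode outside this model */
        }
    }
    return SECCOMP_RET_KILL;  /* fell off the end; the kernel rejects such programs at load time */
}

/* What the kernel would decide for syscall `nr` issued under ABI `arch`. */
uint32_t seccomp_classify_arch(int nr, uint32_t arch) {
    struct seccomp_data d = { .nr = nr, .arch = arch };
    if (prog_len == 0) build_filter();
    return bpf_run(&d) & SECCOMP_RET_ACTION;
}
uint32_t seccomp_classify(int nr) { return seccomp_classify_arch(nr, SBOX_ARCH); }

/* Step ① of the slides. Only call this with a ptrace tracer attached that set
 * PTRACE_O_TRACESECCOMP: without a tracer, SECCOMP_RET_TRACE makes the traced
 * syscall fail with ENOSYS. The filter survives the exec() of step ②. */
int install_filter(void) {
    if (prog_len == 0) build_filter();
    struct sock_fprog fp = { .len = (unsigned short)prog_len, .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) return -1;  /* required for unprivileged filters */
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fp);
}

int main(void) {
    printf("%zu instructions; openat -> %s, read -> %s\n", build_filter(),
           seccomp_classify(SYS_openat) == SECCOMP_RET_TRACE ? "TRACE" : "ALLOW",
           seccomp_classify(SYS_read) == SECCOMP_RET_TRACE ? "TRACE" : "ALLOW");
    return 0;
}
```

The interpreter is only a model of the kernel's verdict; the real filter runs in the kernel on every syscall, and the jf=1 in each JEQ is what makes the unmatched case skip the RET TRACE and fall through to the next comparison, exactly as BPF_JUMP(#open, 0, 1) on the slide.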

  38. More story to come ...
     ● How to avoid time-of-check-to-time-of-use?
     ● How to avoid replicating OS state?
     ● ...
     Please check the paper!
