privilege separation and isolation
play

Privilege separation and isolation Deian Stefan Slides adopted from - PowerPoint PPT Presentation

Aug 27, 2023 •310 likes •603 views

CSE 127: Computer Security Privilege separation and isolation Deian Stefan Slides adopted from John Mitchell, Dan Boneh, and Stefan Savage Chromium security architecture Browser ("kernel") Full privileges (file system,

  1. CSE 127: Computer Security Privilege separation and isolation Deian Stefan Slides adopted from John Mitchell, Dan Boneh, and Stefan Savage

  2. Chromium security architecture • Browser ("kernel") ➤ Full privileges (file system, networking) • Rendering engine ➤ Can have multiple processes ➤ Sandboxed • One process per plugin ➤ Full privileges of browser

  3. Privilege separation

  5. Sandboxing/isolation techniques • Layer 1: semantics layer ➤ setuid sandbox, prevent access to most resources • Layer 2: attack surface reduction ➤ seccomp-bpf, prevent access to kernel

  6. setuid sandbox (old) • Creates new network + PID namespace ➤ Why? • Chroot process to empty directory ➤ Why? ➤ E.g., chroot /tmp/guest 
 su guest ➤ open(“/etc/passwd”, “r”) translates to... 
 open(“/tmp/guest/etc/passwd”, “r”);

  7. setuid sandbox (old) • Creates new network + PID namespace ➤ Why? • Chroot process to empty directory ➤ Why? ➤ E.g., chroot /tmp/guest 
 su guest ➤ open(“/etc/passwd”, “r”) translates to... 
 open(“/tmp/guest/etc/passwd”, “r”);

  8. replacement for setuid sandbox • Namespaces (Linux v4) ➤ mnt ➤ pid ➤ net ➤ ipc ➤ user

  9. replacement for setuid sandbox • Namespaces (Linux v4) ➤ mnt ➤ pid + control groups = containers ➤ net ➤ ipc ➤ user

  10. Layer 2 sandbox: seccomp-bpf • seccomp - “secure computing mode” ➤ no sys calls except exit, sigreturn, read, and write to already open FDs • seccomp-bpf - syscall filtering ➤ allow/deny arbitrary set of system calls ➤ filter on syscall arguments • Why do we want this?

  11. How does seccomp-bpf work? • Compile BSD packet filters and load them into the kernel ➤ Why can’t you filter on pointers? ➤ Why do it in the kernel?

  12. More general: syscall interposition • Interpose on system calls ➤ Implement agent that does what you want • Challenges with this approach? ➤ Keeping state synchronized between kernel and agent • How do Firefox and Chrome deal with this? ➤ Not syscall interposition in pure form, but have trusted parent process broker fs, net, etc. access

  13. More general: syscall interposition • Interpose on system calls ➤ Implement agent that does what you want • Challenges with this approach? ➤ Keeping state synchronized between kernel and agent • How do Firefox and Chrome deal with this? ➤ Not syscall interposition in pure form, but have trusted parent process broker fs, net, etc. access

  14. More general: syscall interposition • Interpose on system calls ➤ Implement agent that does what you want • Challenges with this approach? ➤ Keeping state synchronized between kernel and agent • How do Firefox and Chrome deal with this? ➤ Not syscall interposition in pure form, but have trusted parent process broker fs, net, etc. access

  15. • What if we don’t have OS support? • What if we don’t trust the OS to get this right?

  16. Software-based fault isolation • You can use SFI to do whole program isolation ➤ Google’s Native Client did this • But, what was the original motivation behind SFI? ➤ Sandbox modules/make it easy to extend a program with untrusted code

  17. Software-based fault isolation • You can use SFI to do whole program isolation ➤ Google’s Native Client did this • But, what was the original motivation behind SFI? ➤ Sandbox modules/make it easy to extend a program with untrusted code

  18. Software-based fault isolation • Can we just do this with OS process isolation? ➤ A: yes, B: no • What’s the tradeoff? ➤ You often pay context-switch cost ➤ Hot-off-the press: with multiple cores you can get SFI and process-based isolation perf to be on par

  19. Software-based fault isolation • Can we just do this with OS process isolation? ➤ A: yes, B: no • What’s the tradeoff? ➤ You often pay context-switch cost ➤ Hot-off-the press: with multiple cores you can get SFI and process-based isolation perf to be on par

  20. Goals of SFI segment • Confidentiality • Integrity segment • Does it provide availability? ➤ A: yes, B: no

  21. How does it provide C & I? • Rewrite indirect jump, load, and store • Segment matching approach seg 1 ➤ Upside: can pinpoint offending instruction ➤ Downside? seg 2 • Address sandboxing approach ➤ Mask upper bits of target address ➤ Cost?

  22. How does it provide C & I? • Rewrite indirect jump, load, and store • Segment matching approach seg 1 ➤ Upside: can pinpoint offending instruction ➤ Downside? Performance! seg 2 • Address sandboxing approach ➤ Mask upper bits of target address ➤ Cost?

  23. How does it provide C & I? • Rewrite indirect jump, load, and store • Segment matching approach seg 1 ➤ Upside: can pinpoint offending instruction ➤ Downside? Performance! seg 2 • Address sandboxing approach ➤ Mask upper bits of target address ➤ Cost? 2 instructions per store + dedicated registers

  24. How does it provide C & I? seg 1 • Optimized address sandboxing approach ➤ Use register-plus-offset instruction mode seg 2 • What do we need for this to work?

  25. How does it provide C & I? seg 1 • Optimized address sandboxing approach ➤ Use register-plus-offset instruction mode seg 2 • What do we need for this to work?

  26. Are we done? ➤ A: yes, B: no

  27. Need to mediate syscalls This is super hard to get right in practice!

  28. Google’s Native Client

  29. Summary • Secure design principles ➤ Least privilege + privilege separation + isolation • Different ways to do this with diff tradeoffs: ➤ Use UIDs + namespaces + seccomp-bpf ➤ Use syscall interposition ➤ Use software-fault isolatoin

Recommend

Least privilege and privilege separation Deian Stefan Slides adopted from John Mitchell, Dan

Least privilege and privilege separation Deian Stefan Slides adopted from John Mitchell, Dan

CSE 127: Computer Security Least privilege and privilege separation Deian Stefan Slides adopted from John Mitchell, Dan Boneh, and Stefan Savage This week How to build secure systems Least privilege and privilege separation

578 views • 46 slides
Secure Architecture Principles Isolation and Least Privilege Access Control Concepts

Secure Architecture Principles Isolation and Least Privilege Access Control Concepts

Secure Architecture Principles Isolation and Least Privilege Access Control Concepts Operating Systems Browser Isolation and Least Privilege Original slides were created by Prof. John Mitchel and Suman Janna Some slides are from

1.03k views • 58 slides
Nailgun: Breaking the Privilege Isolation on ARM Zhenyu Ning COMPASS Lab Wayne State University

Nailgun: Breaking the Privilege Isolation on ARM Zhenyu Ning COMPASS Lab Wayne State University

Nailgun: Breaking the Privilege Isolation on ARM Zhenyu Ning COMPASS Lab Wayne State University Sep 23, 2019 Nailgun: Breaking the Privilege Isolation on ARM 1 Outline I Background I Introduction I Obstacles for Misusing the Traditional

1.44k views • 116 slides
Outline Secure use of the OS Bernsteins perspective CSci 5271 Techniques for privilege

Outline Secure use of the OS Bernsteins perspective CSci 5271 Techniques for privilege

Outline Secure use of the OS Bernsteins perspective CSci 5271 Techniques for privilege separation Introduction to Computer Security Announcements intermission Day 9: OS security basics OS security: protection and isolation Stephen

649 views • 13 slides
FLEXDROID: Enforcing In- App Privilege Separation in Android Jaebaek Seo, Daehyeok Kim, Donghyun

FLEXDROID: Enforcing In- App Privilege Separation in Android Jaebaek Seo, Daehyeok Kim, Donghyun

FLEXDROID: Enforcing In- App Privilege Separation in Android Jaebaek Seo, Daehyeok Kim, Donghyun Cho, T aesoo Kim, Insik Shin (NDSS 16) Presented by Shivansh Chandnani CS 563 (Fall 2018) 3 rd party libraries are very popular in Android

1.12k views • 28 slides
Side-channels Deian Stefan Slides adopted from Stefan Savage, Nadia Heninger, Sunjay Cauligi

Side-channels Deian Stefan Slides adopted from Stefan Savage, Nadia Heninger, Sunjay Cauligi

CSE 127: Computer Security Side-channels Deian Stefan Slides adopted from Stefan Savage, Nadia Heninger, Sunjay Cauligi Context Isolation is key to building secure systems Used to implement privilege separation, least privilege and

1.21k views • 103 slides
GSS-Proxy: Better privilege separation Simo Sorce Principal Software Engineer, Red Hat February

GSS-Proxy: Better privilege separation Simo Sorce Principal Software Engineer, Red Hat February

GSS-Proxy: Better privilege separation Simo Sorce Principal Software Engineer, Red Hat February 2013 1 Outline Introduction to GSS-API Using GSS-API Introduction to GSS-Proxy GSS-Proxy components Kernel upcalls and

186 views • 18 slides
Chapter 13: Design Principles Overview Principles Least Privilege Fail-Safe

Chapter 13: Design Principles Overview Principles Least Privilege Fail-Safe

Chapter 13: Design Principles Overview Principles Least Privilege Fail-Safe Defaults Economy of Mechanism Complete Mediation Open Design Separation of Privilege Least Common Mechanism Psychological

787 views • 43 slides
Chapter 13: Design Principles Overview Principles Least Privilege Fail-Safe

Chapter 13: Design Principles Overview Principles Least Privilege Fail-Safe

Chapter 13: Design Principles Overview Principles Least Privilege Fail-Safe Defaults Economy of Mechanism Complete Mediation Open Design Separation of Privilege Least Common Mechanism Psychological

488 views • 22 slides
Design, Privilege Separation CS 161: Computer Security Prof. David Wagner January 27, 2016

Design, Privilege Separation CS 161: Computer Security Prof. David Wagner January 27, 2016

Software Security: Design, Privilege Separation CS 161: Computer Security Prof. David Wagner January 27, 2016 Robustness Security bugs are a fact of life How can we use access control to improve the security of software, so security bugs

695 views • 32 slides
Privilege: An Update Litigation Privilege: a brief definition Confidential Made for

Privilege: An Update Litigation Privilege: a brief definition Confidential Made for

Privilege: An Update Litigation Privilege: a brief definition Confidential Made for dominant purpose of civil or criminal litigation Relate to litigation which is pending, reasonably contemplated, or existing Legal Advice Privilege:

532 views • 20 slides
Serializable Snapshot Isolation Making ISOLATION LEVEL SERIALIZABLE Provide Serializable

Serializable Snapshot Isolation Making ISOLATION LEVEL SERIALIZABLE Provide Serializable

Serializable Snapshot Isolation Making ISOLATION LEVEL SERIALIZABLE Provide Serializable Isolation Dan Ports Kevin Grittner MIT Wisconsin Court System Saturday, May 21, 2011 1 Overview Serializable isolation makes it easier to reason

922 views • 60 slides
Legal Privilege, Client Communication and Discovery Cayman Islands Legal Practitioners

Legal Privilege, Client Communication and Discovery Cayman Islands Legal Practitioners

Legal Privilege, Client Communication and Discovery Cayman Islands Legal Practitioners Association Adam Huckle 27 March 2019 Overview What is Privilege? Types: Legal Advice Privilege Litigation Privilege Recent cases

226 views • 18 slides
Privilege Escala-on Manual privilege escala/on techniques on Unix

Privilege Escala-on Manual privilege escala/on techniques on Unix

Privilege Escala-on Manual privilege escala/on techniques on Unix and Windows Michal Knapkiewicz, May 2016 whoami Senior Consultant at Advanced Security

884 views • 51 slides
+ The Primacy of Client Privilege: Designing a Statutory Advice Privilege for Accredited

+ The Primacy of Client Privilege: Designing a Statutory Advice Privilege for Accredited

+ The Primacy of Client Privilege: Designing a Statutory Advice Privilege for Accredited Non-Lawyer Tax Advisors Nicole Wilson-Rogers, Annette Morgan and Dale Pinto + Structure Snapshot: Argument advanced in the paper Current Privileges

422 views • 17 slides
Attorney-Client Privilege Between Affiliated Entities: Who Owns the Privilege When Interests

Attorney-Client Privilege Between Affiliated Entities: Who Owns the Privilege When Interests

Presenting a live 90-minute webinar with interactive Q&A Attorney-Client Privilege Between Affiliated Entities: Who Owns the Privilege When Interests Diverge? Navigating the Complexities of Joint Representations During Litigation, Spinoffs,

889 views • 42 slides
Zones - Containers Server Consolidation Run multiple workloads on system Improve utilization of

Zones - Containers Server Consolidation Run multiple workloads on system Improve utilization of

Zones - Containers Server Consolidation Run multiple workloads on system Improve utilization of resources Reduce costs Run workloads in isolation Cannot observe others Security Isolation Running apps as different user not enough - privilege

274 views • 15 slides
I Control Your Code Attack Vectors through the Eyes of Software-based Fault Isolation Mathias

I Control Your Code Attack Vectors through the Eyes of Software-based Fault Isolation Mathias

I Control Your Code Attack Vectors through the Eyes of Software-based Fault Isolation Mathias Payer <mathias.payer@nebelwelt.net> Motivation Current exploits are powerful because Applications run on coarse-grained user-privilege

800 views • 39 slides
Paper-Reading-Group Nested Kernel: An Operating System Architecture for Intra-Kernel Privilege

Paper-Reading-Group Nested Kernel: An Operating System Architecture for Intra-Kernel Privilege

Paper-Reading-Group Nested Kernel: An Operating System Architecture for Intra-Kernel Privilege Separation Nathan Dautenhahn, Theodoros Kasampalis, Will Dietz, John Criswell, and Vikram Adve Nested Kernel - Motivation Monoliths have single

398 views • 17 slides
ADAPTED SPAULDING PYRAMID Making Isolation: How does it work? Patient Isolation- Creating

ADAPTED SPAULDING PYRAMID Making Isolation: How does it work? Patient Isolation- Creating

ADAPTED SPAULDING PYRAMID Making Isolation: How does it work? Patient Isolation- Creating auxiliary isolation rooms (CDC) SCRUBBERS - 1 ea to serve patient room, and 1 for Airlock Typically deployed on supplied wheel platform

144 views • 3 slides
Protecting Privilege in Post-Accident Investigations Successfully Asserting Attorney-Client

Protecting Privilege in Post-Accident Investigations Successfully Asserting Attorney-Client

Presenting a live 90-minute webinar with interactive Q&A Protecting Privilege in Post-Accident Investigations Successfully Asserting Attorney-Client Privilege, Self-Critical Analysis Privilege, Work Product Doctrine and More TUESDAY, MARCH

471 views • 36 slides
Principle of Least Privilege Dawn Song Principle of least privilege Privilege Ability to

Principle of Least Privilege Dawn Song Principle of least privilege Privilege Ability to

Computer Security Course. Dawn Computer Security Course. Dawn Song Song Principle of Least Privilege Dawn Song Principle of least privilege Privilege Ability to access or modify a resource Principle of least privilege A

429 views • 39 slides
Virtual Machine Introspection Isolation Interpretation Interposition Isolation

Virtual Machine Introspection Isolation Interpretation Interposition Isolation

Virtual Machine Introspection Isolation Interpretation Interposition Isolation From in-guest kernel/userspace Provided by Xen Buggy emulation blurres the line From trusted computing base (TCB) Possible via Xen

286 views • 26 slides
In-Guest Mechanisms to Strengthen Guest Separation XenSummit 2013 Philip Tricca

In-Guest Mechanisms to Strengthen Guest Separation XenSummit 2013 Philip Tricca

In-Guest Mechanisms to Strengthen Guest Separation XenSummit 2013 Philip Tricca <philip.tricca@citrix.com> Background Xen does security well Value is added when VMs communicate / cooperate Strong isolation using hardware

451 views • 14 slides

More recommend