secmodel sandbox
play

secmodel_sandbox An application sandbox for NetBSD Stephen Herwig - PowerPoint PPT Presentation

Dec 09, 2023 •508 likes •1.09k views

secmodel_sandbox An application sandbox for NetBSD Stephen Herwig sandboxing Sandboxing: limiting the privileges of a process Two motivations - Running untrusted code in a restricted environment - Dropping privileges in trusted code so as to

  1. secmodel_sandbox An application sandbox for NetBSD Stephen Herwig

  2. sandboxing Sandboxing: limiting the privileges of a process Two motivations - Running untrusted code in a restricted environment - Dropping privileges in trusted code so as to reduce the attack surface in the event of an unforeseen vulnerability

  3. many os-level implementations - systrace - SELinux - AppArmor - seccomp(-bpf) - Apple’s Sandbox (formerly Seatbelt) - Capsicum - OpenBSD’s pledge syscall Rich design space: - which use cases are supported? - footprint (system-wide or process-wide) - are policies embedded in program or external? - when are policies loaded? - expressiveness of policies? - portability

  4. secmodel_sandbox high-level design - Implemented as a kernel module - Sandbox policies are Lua scripts - A process sets the policy script via an ioctl - The kernel evaluates the script using NetBSD’s experimental in-kernel Lua interpreter - The output of the evaluation are rules that are attached to the process’s credential and checked during privileged authorization requests

  5. secmodel_sandbox properties - Sandboxes are inherited during fork and preserved over exec - Processes may apply multiple policies: the sandbox is the union of all policies - Policies can only further restrict privileges - Rules may be boolean or Lua functions (functional rules) - Functional rules may be stateful and may dynamically create new rules or modify existing rules

  6. secmodel_sandbox properties - Sandboxes are inherited during fork and preserved over exec - Processes may apply multiple policies: the sandbox is the union of all policies - Policies can only further restrict privileges - Rules may be boolean or Lua functions (functional rules) - Functional rules may be stateful and may dynamically create new rules or modify existing rules

  7. sandbox policies: blacklist Policy Program sandbox.default(‘allow’); main() { -- no forking /* initialize */ sandbox.deny(‘system.fork’) . . . -- no networking sandbox(POLICY); sandbox.deny(‘network’) /* process loop */ -- no writing to files . . . sandbox.deny(‘vnode.write_data’) sandbox.deny(‘vnode.append_data’) return (0); } -- no changing file metadata sandbox.deny(‘vnode.write_times’) sandbox.deny(‘vnode.change_ownership’) sandbox.deny(‘vnode.write_security’)

  8. sandbox policies: functional rules sandbox.default(‘deny’) -- allow reading files sandbox.allow(‘vnode.read_data’) -- only allow writes in /tmp sandbox.on(‘vnode.write_data’, function(req, cred, f) if string.find(f.name, ‘/tmp/’) == 1 then return true else return false end end) -- only allow unix domain sockets sandbox.on(‘network.socket.open’, function(req, cred, domain, typ, proto) if domain == sandbox.AF_UNIX then return true else return false end end)

  9. sandbox-exec int main(int argc, char *argv[]) { sandbox_from_file(argv[0]); execv(argv[1], &argv[1]); return (0); } $ sandbox-exec no-network.lua /usr/pkg/bin/bash $ wget http://www.cs.umd.edu/ wget: unable to resolve host address ‘www.cs.umd.edu'

  10. kauth - kernel subsystem that handles all authorization requests within the kernel - clean room implementation of subsystem in macOS - separates security policy from mechanism

  11. kauth requests request := (scope, action [, subaction]) process machdep system vnode device network Scope tty_open rlimit cacheflush socket fork mount read_data Action bind Subaction set get open rawsock port privport update unmount

  12. kauth requests request := (scope, action [, subaction]) Example: creating a socket => (network, socket, open) process machdep system vnode network device Scope socket tty_open rlimit cacheflush fork mount read_data Action bind Subaction set get open rawsock port privport update unmount

  13. kauth request to syscall mapping Some kauth requests map directly to a syscall: system.mknod => mknod Some kauth requests map to multiple syscalls: process.setsid => {setgroups setlogin setuid setuid setreuid setgid setegid setregid} Some syscalls trigger one of several kauth requests, depending on the syscall arguments: mount(MNT_GETARGS) => system.mount.get mount(MNT_UPDATE) => system.mount.update Many syscalls do not trigger a kauth request at all: accept close dup execve flock getdents getlogin getpeername getpid getrlimit getsockname . . .

  14. kauth request flow kauth uses an observer pattern. syscall(arg1, …, argn) user space kernel space kauth listener #1 syscall handler kauth_listen_scope(KAUTH_SCOPE_NETWORK, cb); kauth_authorize_action(cred, req, ctx); kauth int cb(cred, op, ctx) { . . . foreach (listener in scope) { return (KAUTH_RESULT_ALLOW); error = listener->cb(cred, op, ctx); } if (error == KAUTH_RESULT_ALLOW) allow = 1; else if (error == KAUTH_RESULT_DENY) fail = 1; kauth listener #2 } if (fail) return (EPERM); if (allow) return (0); kauth_listen_scope(KAUTH_SCOPE_NETWORK, cb); return (EPERM); int cb(cred, op, ctx) { . . . list of network scope listeners return (KAUTH_RESULT_ALLOW); [ lists for other scope listeners ] }

  15. kauth request flow Subsystems interested in kauth requests register with kauth via kauth_listen_scope() . syscall(arg1, …, argn) user space kernel space kauth listener #1 syscall handler kauth_listen_scope(KAUTH_SCOPE_NETWORK, cb); kauth_authorize_action(cred, req, ctx); kauth int cb(cred, op, ctx) { . . . foreach (listener in scope) { return (KAUTH_RESULT_ALLOW); error = listener->cb(cred, op, ctx); } if (error == KAUTH_RESULT_ALLOW) allow = 1; else if (error == KAUTH_RESULT_DENY) fail = 1; kauth listener #2 } if (fail) return (EPERM); if (allow) return (0); kauth_listen_scope(KAUTH_SCOPE_NETWORK, cb); return (EPERM); int cb(cred, op, ctx) { . . . list of network scope listeners return (KAUTH_RESULT_ALLOW); [ lists for other scope listeners ] }

  16. kauth request flow Most syscalls issue an authorization request in their corresponding handler via kauth_authorize_action() . syscall(arg1, …, argn) user space kernel space kauth listener #1 syscall handler kauth_listen_scope(KAUTH_SCOPE_NETWORK, cb); kauth_authorize_action(cred, req, ctx); kauth int cb(cred, op, ctx) { . . . foreach (listener in scope) { return (KAUTH_RESULT_ALLOW); error = listener->cb(cred, op, ctx); } if (error == KAUTH_RESULT_ALLOW) allow = 1; else if (error == KAUTH_RESULT_DENY) fail = 1; kauth listener #2 } if (fail) return (EPERM); if (allow) return (0); kauth_listen_scope(KAUTH_SCOPE_NETWORK, cb); return (EPERM); int cb(cred, op, ctx) { . . . list of network scope listeners return (KAUTH_RESULT_ALLOW); [ lists for other scope listeners ] }

  17. kauth request flow kauth_authorize_action() iterates through each listener for the given scope, calling that listener’s callback. syscall(arg1, …, argn) user space kernel space kauth listener #1 syscall handler kauth_listen_scope(KAUTH_SCOPE_NETWORK, cb); kauth_authorize_action(cred, req, ctx); kauth int cb(cred, op, ctx) { . . . foreach (listener in scope) { return (KAUTH_RESULT_ALLOW); error = listener->cb(cred, op, ctx); } if (error == KAUTH_RESULT_ALLOW) allow = 1; else if (error == KAUTH_RESULT_DENY) fail = 1; kauth listener #2 } if (fail) return (EPERM); if (allow) return (0); kauth_listen_scope(KAUTH_SCOPE_NETWORK, cb); return (EPERM); int cb(cred, op, ctx) { . . . list of network scope listeners return (KAUTH_RESULT_ALLOW); [ lists for other scope listeners ] }

  18. kauth request flow Generally, if any listener returns DENY, the request is denied; if any returns ALLOW and none returns DENY, the request is allowed; otherwise, the request is denied. syscall(arg1, …, argn) user space kernel space kauth listener #1 syscall handler kauth_listen_scope(KAUTH_SCOPE_NETWORK, cb); kauth_authorize_action(cred, req, ctx); kauth int cb(cred, op, ctx) { . . . foreach (listener in scope) { return (KAUTH_RESULT_ALLOW); error = listener->cb(cred, op, ctx); } if (error == KAUTH_RESULT_ALLOW) allow = 1; else if (error == KAUTH_RESULT_DENY) fail = 1; kauth listener #2 } if (fail) return (EPERM); if (allow) return (0); kauth_listen_scope(KAUTH_SCOPE_NETWORK, cb); return (EPERM); int cb(cred, op, ctx) { . . . list of network scope listeners return (KAUTH_RESULT_ALLOW); [ lists for other scope listeners ] }

  19. secmodel A security model (secmodel) is a small framework for managing a set of related kauth listeners. Fundamentally, it presents a template pattern: static kauth_listener_t l_system, l_network, . . .; void secmodel_foo_start(void) { l_system = kauth_listen_scope(KAUTH_SCOPE_SYSTEM, secmodel_foo_system_cb, NULL); l_network = kauth_listen_scope(KAUTH_SCOPE_NETWORK, secmodel_foo_network_cb, NULL); . . . } void secmodel_foo_stop(void) { kauth_unlisten_scope(l_system); kauth_unlisten_scope(l_network); . . . }

  20. secmodel_sandbox design The sandbox module registers listeners for all kauth scopes. application libsandbox sandbox(script) /dev/sandbox user space kernel space proc secmodel_sandbox module cred kauth_listen_scope(KAUTH_SCOPE_NETWORK) uid kauth_listen_scope(KAUTH_SCOPE_SYSTEM) groups . . . specificdata

  21. secmodel_sandbox design Applications link to libsandbox. Calls to sandbox() issue an ioctl to /dev/sandbox , specifying the policy script. application ioctl(script) libsandbox sandbox(script) /dev/sandbox user space kernel space proc secmodel_sandbox module cred uid groups specificdata

Recommend

Welcome! What Is an AR Sandbox? (and how to build one) An Augmented Reality Sandbox Is: a

Welcome! What Is an AR Sandbox? (and how to build one) An Augmented Reality Sandbox Is: a

Welcome! What Is an AR Sandbox? (and how to build one) An Augmented Reality Sandbox Is: a box filled with white sand a projector mounted over the sand a Kinect depth-sensing camera mounted over the sand a computer that runs

491 views • 11 slides
SELinux Sandbox Daniel Walsh Red Hat What is Sandbox Run applications in a confined

SELinux Sandbox Daniel Walsh Red Hat What is Sandbox Run applications in a confined

SELinux Sandbox Daniel Walsh Red Hat What is Sandbox Run applications in a confined environment. Allow filtering tools to read untrusted content. Vulnerability in a filtering tools can allow content to cause the application to do bad

501 views • 13 slides
Haow do I sandbox?!?! Cuckoo Sandbox Internals Jurriaan Bremer @skier t Student (University of

Haow do I sandbox?!?! Cuckoo Sandbox Internals Jurriaan Bremer @skier t Student (University of

Haow do I sandbox?!?! Cuckoo Sandbox Internals Jurriaan Bremer @skier t Student (University of Amsterdam), Freelance Security Researcher June 22, 2013 June 22, 2013 Jurriaan Bremer @skier t Haow do I sandbox?!?! Cuckoo Sandbox Internals 1 /

1.15k views • 79 slides
Inn nnovative R Reg egulations i in n Insuran ance Regulatory S y Sandbox 19 th

Inn nnovative R Reg egulations i in n Insuran ance Regulatory S y Sandbox 19 th

Inn nnovative R Reg egulations i in n Insuran ance Regulatory S y Sandbox 19 th December, 2019 Institute of Actuaries Agenda Regulatory Sandbox Regulations Salient Features Operational Guidelines Salient Features

578 views • 15 slides
iOS App Extensions Photo Extensions: Shared Settings Separate Sandboxes Extension App Sandbox

iOS App Extensions Photo Extensions: Shared Settings Separate Sandboxes Extension App Sandbox

iOS App Extensions Photo Extensions: Shared Settings Separate Sandboxes Extension App Sandbox Sandbox Shared Container App Group Extension App Sandbox Sandbox Shared Container Shared NSUserDefaults

509 views • 7 slides
iForensics Digital Inc. App Sandbox CEO Po Huang po@iforensics.com.tw h t t p : / / w w w . i f

iForensics Digital Inc. App Sandbox CEO Po Huang po@iforensics.com.tw h t t p : / / w w w . i f

iForensics Digital Inc. App Sandbox CEO Po Huang po@iforensics.com.tw h t t p : / / w w w . i f o r e n s i c s . c o m . t w / i n d e x E N . h t m l Agenda Company Profile APP Sandbox DG-Secure COMPANY PORTFOLIO Company

247 views • 20 slides
Full-System Architectural Exploration Sandbox Eriko Nurvitadhi and James C. Hoe Computer

Full-System Architectural Exploration Sandbox Eriko Nurvitadhi and James C. Hoe Computer

Full-System Architectural Exploration Sandbox Eriko Nurvitadhi and James C. Hoe Computer Architecture Lab (CALCM) Carnegie Mellon University Nurvitadhi & Hoe, CMU/ECE WARFP 2005, February 2005, Slide 1 Sandbox Desiderata A PC where I

157 views • 4 slides
SANDBOXING How does a sandbox look like? Software or hardware appliances that receive suspicious

SANDBOXING How does a sandbox look like? Software or hardware appliances that receive suspicious

H ERE Claudio nex Guarnieri @botherder Security Researcher at Rapid7 Labs Core member of The Shadowserver Foundation Core member of The Honeynet Project Creator of Cuckoo Sandbox Founder of Malwr.com H ERE Mark

1.02k views • 89 slides
FTA MOD Sandbox Grant Multimodal Trip Planner TriMet Board of Directors Briefing, 2/27/2019

FTA MOD Sandbox Grant Multimodal Trip Planner TriMet Board of Directors Briefing, 2/27/2019

FTA MOD Sandbox Grant Multimodal Trip Planner TriMet Board of Directors Briefing, 2/27/2019 Bibiana McHugh, Manager, Mobility & Location-Based Services 1 FTA Mobility on Demand (MOD) Sandbox Grant Jan 2017 - Jan 2019 TriMet was one of

391 views • 12 slides
The Sandbox Roulette: are you ready to gamble? Rafal Wojtczuk rafal@bromium.com Rahul Kashyap

The Sandbox Roulette: are you ready to gamble? Rafal Wojtczuk rafal@bromium.com Rahul Kashyap

The Sandbox Roulette: are you ready to gamble? Rafal Wojtczuk rafal@bromium.com Rahul Kashyap rahul@bromium.com What is a sandbox? Environment designed to run untrusted (or exploitable) code, in a manner that prevents the encapsulated code

417 views • 40 slides
Malicious Bytecode Peter Cawley <lua@corsix.org> Lua Workshop 2011 A Common Pattern 1.

Malicious Bytecode Peter Cawley <lua@corsix.org> Lua Workshop 2011 A Common Pattern 1.

Mitigating the Danger of Malicious Bytecode Peter Cawley <lua@corsix.org> Lua Workshop 2011 A Common Pattern 1. Create sandbox 2. Load user-supplied Lua (byte|source) code 3. Run code in sandbox A Common Pattern 1. Create sandbox 2.

369 views • 35 slides
Together in the Sandbox: Board and Staff Relationships Welcome! The webinar will begin at 10:00

Together in the Sandbox: Board and Staff Relationships Welcome! The webinar will begin at 10:00

Together in the Sandbox: Board and Staff Relationships Welcome! The webinar will begin at 10:00 a.m. CT. While you wait: 1. Download PDFs of the slides and handout under the Handouts tab of your control bar. 2. Confirm that your

540 views • 36 slides
Evading&Android&Run?me&Analysis& via&& Sandbox&Detec?on&

Evading&Android&Run?me&Analysis& via&& Sandbox&Detec?on&

Evading&Android&Run?me&Analysis& via&& Sandbox&Detec?on& &&&&&&&&&&&&&&&&Timothy&Vidas,&Nicolas&Chris?n&

526 views • 28 slides
BREEDING SANDWORMS: HOW TO FUZZ YOUR WAY OUT OF ADOBE READER X'S SANDBOX Who we are Research

BREEDING SANDWORMS: HOW TO FUZZ YOUR WAY OUT OF ADOBE READER X'S SANDBOX Who we are Research

BREEDING SANDWORMS: HOW TO FUZZ YOUR WAY OUT OF ADOBE READER X'S SANDBOX Who we are Research and Analysis: Zhenhua(Eric) Liu Vulnerability Researcher zhliu@fortinet.com Contributor and Editor: Guillaume Lovet Sr Manager of Fortinet's

646 views • 52 slides
Sandboxes VM Most sandboxes provide an isolation-based approach where the effect of

Sandboxes VM Most sandboxes provide an isolation-based approach where the effect of

Sandboxes VM Most sandboxes provide an isolation-based approach where the effect of programs run inside a sandbox is entirely isolated from resources outside the sandbox's authority. However, due to practical requirements, sandboxing

1.9k views • 164 slides
Practical and Effective Sandboxing for Non-root users Taesoo Kim and Nickolai Zeldovich MIT

Practical and Effective Sandboxing for Non-root users Taesoo Kim and Nickolai Zeldovich MIT

Practical and Effective Sandboxing for Non-root users Taesoo Kim and Nickolai Zeldovich MIT CSAIL Why yet another sandbox for desktop applications? There are many existing sandbox mechanisms Chroot / Lxc (Unix/Linux) Jail (Freebsd)

515 views • 48 slides
PLAYING WELL IN THE SANDBOX TO REVITALIZE COMMUNITIES CWLA 2015 NATIONAL CONFERENCE APRIL 27-29,

PLAYING WELL IN THE SANDBOX TO REVITALIZE COMMUNITIES CWLA 2015 NATIONAL CONFERENCE APRIL 27-29,

PLAYING WELL IN THE SANDBOX TO REVITALIZE COMMUNITIES CWLA 2015 NATIONAL CONFERENCE APRIL 27-29, 2015 ADVANCING EXCELLENCE THROUGH INNOVATION AND COLLABORATION Pinellas County Florida Census Estimates 2013 930,109 total population 159,979

329 views • 13 slides
SA SANDBOX Megan Fillion, Gabriel Guzman, and Dimitri Leggas mlf2179, grg2117, and ddl2133

SA SANDBOX Megan Fillion, Gabriel Guzman, and Dimitri Leggas mlf2179, grg2117, and ddl2133

SA SANDBOX Megan Fillion, Gabriel Guzman, and Dimitri Leggas mlf2179, grg2117, and ddl2133 Overview o Motivation o Improve our understanding of digital systems o Simple HDL to facilitate our/others learning o A challenging PLT project o Goals

345 views • 11 slides
The Apple Sandbox dion@securityevaluators.com Blackhat DC 2011 Wednesday, January 19, 2011

The Apple Sandbox dion@securityevaluators.com Blackhat DC 2011 Wednesday, January 19, 2011

Dionysus Blazakis The Apple Sandbox dion@securityevaluators.com Blackhat DC 2011 Wednesday, January 19, 2011 Where to find stuff https://github.com/dionthegod/XNUSandbox http://www.semantiscope.com/research/ BHDC2011/BHDC2011-Paper.pdf

1.21k views • 69 slides
AccTEE: A WebAssembly-based Two-way Sandbox for Trusted R esource Accounting MIDDLEWARE 2019 , UC

AccTEE: A WebAssembly-based Two-way Sandbox for Trusted R esource Accounting MIDDLEWARE 2019 , UC

AccTEE: A WebAssembly-based Two-way Sandbox for Trusted R esource Accounting MIDDLEWARE 2019 , UC Davis David Goltzsche, 1 Manuel Nieke, 1 Thomas Knauth, 2 and Rdiger Kapitza 1 goltzsche@ibr.cs.tu-bs.de @d_goltzsche 1 TU Braunschweig, Germany 2

502 views • 37 slides
Native Client: A Sandbox for Portable, Untrusted x86 Native Code Bennet Yee, David Sehr, Gregory

Native Client: A Sandbox for Portable, Untrusted x86 Native Code Bennet Yee, David Sehr, Gregory

Native Client: A Sandbox for Portable, Untrusted x86 Native Code Bennet Yee, David Sehr, Gregory Dardyk, J. Bradley Chen, Robert Muth, Tavis Ormandy, Shiki Okasaka, Neha Narula, and Nicholas Fullagar Google Inc. Presented by: Gilmore R.

497 views • 39 slides
Native Client: A sandbox for portable, untrusted x86 native code Bennet Yee, David Sehr, Gregory

Native Client: A sandbox for portable, untrusted x86 native code Bennet Yee, David Sehr, Gregory

Faculty of Computer Science Institute for System Architecture, Operating Systems Group Native Client: A sandbox for portable, untrusted x86 native code Bennet Yee, David Sehr, Gregory Dardyk, J. Bradley Chen, Robert Muth, Tavis Ormandy, Shiki

170 views • 13 slides
Financial conduct authority sandbox Lara Kaplan Lara Kaplan Background Financial Services

Financial conduct authority sandbox Lara Kaplan Lara Kaplan Background Financial Services

Financial conduct authority sandbox Lara Kaplan Lara Kaplan Background Financial Services Regulatory Lawyer qualified in England & Wales FinTech and Payments Group, Paul Hastings in Washington DC* Finance & Innovation

159 views • 12 slides
Game Genres INTRODUCTION TO GAME GENRES: SIMULATION, SPORT, FIGHTING, CASUAL, SANDBOX,

Game Genres INTRODUCTION TO GAME GENRES: SIMULATION, SPORT, FIGHTING, CASUAL, SANDBOX,

Game Genres INTRODUCTION TO GAME GENRES: SIMULATION, SPORT, FIGHTING, CASUAL, SANDBOX, EDUCATIONAL, PUZZLE, ONLINE, 1 Simulations Simulations require a substantial amount of depth. Often, a great deal of research is required in

2.01k views • 45 slides

More recommend