8/11/2019 ITS 2 RST Sandbox DARPA PI Phoenix Jul99 (1)
1/22
Sandboxing Mobile Code
Execution Environments
Anup K. Ghosh, Ph.D.
DARPA Joint Intrusion Detection and
Information Assurance Principal Investigator Meeting
August 2-6, 1999
Phoenix, AZ
www.rstcorp.com
Properties of Mobile Code
Comes in a variety of forms
Often runs unannounced and unbeknownst to the user
Runs with the privilege of the user
Distributed in executable form
Run in multiple threads
Can launch other programs
Mobile Code Trojans: Do you know what you are running?
Demo of hostile Java applet
Ed Felten of Princeton University:
Given the choice of safer systems or dancing pigs, the average user will always opt for dancing pigs.
Technical Objectives
Prevent untrusted mobile code from:
- writing to the file system
- reading from the file system
- executing programs
- network access, except on permitted ports
- reading/writing to/from system devices
Detect/prevent previously unseen mobile code attacks
Mobile Code Security (diagram: code flows from the originating site to the host site)
Originating site: source code -> compiler -> code
Protection Means at the originating site
- type safety
- annotation
- PCC
- static checks
Host site: code -> exec, passing through kernel, boundary controller, code xform, interpreter
Protection Means at the host site
- firewall/scanning
- wrapping/SFI
- VM/RTS extensions
- dynamic checks
- DTE/sandboxing
Observations on Protection Mechanisms
Language-based
- limited to a particular language
- one policy does not fit all
- still need dynamic checks
Code Wrapping
- address containment only
- bypassable
- difficult to wrap all code
Firewalls/Scanners
- binary policies
- novel code defeats scanners
Interpreter
- particular to code
- different models for different code
Kernel protection
- requires OS extensions
Sandboxing Approaches and Pitfalls
Wrap API calls for mobile code threads
- code can make direct calls to the kernel
- code can alter the memory of other threads
Wrap kernel calls for large applications
- policies for browsers are necessarily lax and problematic for preventing malicious behavior from mobile code
Technical Approach
Specify the security policy in a code/platform-independent language
Separate policy specification from policy enforcement
Compile policies to a specific platform
Address policy problems for mobile code host platforms
Implement kernel extensions for WinNT/Solaris
Applying Approach to the
Windows NT Platform
Wrap access to system resources in the kernel (ring 0): API wrapping is bypassable
- file system, registry, network, devices
Use kernel extensions to WinNT known as filter drivers (VxD programming) to hook all access to system resources
WinNT Architecture
Sandboxing Win32 Processes
Sandboxing on Solaris
Developing Policies for
Mobile Code Hosts
Most mobile code hosts are large multi-use applications:
- Web browsers, mailers, desktop automation (word processors, spreadsheets, etc.)
These applications necessarily need to read and write to the file system, add new modules, and read and write to network resources.
Problem: how to develop a useful policy in light of these multi-use requirements
Potential Solutions
Wrap mobile code threads
- Problem: mobile code can corrupt mobile code host memory
Wrap entire application with restrictive policy
- Problem: makes desktop applications useless
Note when the application executes mobile code and implement a strict policy then
Technical Hurdles
Developing an expressive, robust, code/platform-independent, and simple policy specification language
Performance penalties with the kernel wrapping approach
Determining when mobile code is executing
Addressing DoS/resource consumption attacks
Quantitative Metrics
Benchmark process performance with and without kernel wrapping
Evaluate sandbox approach against malicious mobile code:
- hostile Java applets
- hostile ActiveX controls
- JavaScripts that use controls
Compare against other sandboxing approaches
Expected Achievements
Develop and release kernel wrapping libraries for Windows NT
Develop and release sandbox for mobile code platforms
Evaluate approach against malicious mobile code
Overcome hurdles in state-of-the-art sandboxing
Task Schedule
Year 1
Develop policy specification language
Build kernel level filter drivers for NT
Develop sandbox monitor & implement policies
Benchmark Windows NT prototype against attacks
Benchmark performance penalty of kernel-level wrapping
Task Schedule (contd)
Year 2
Develop functions for processing Solaris callbacks using the /proc interface
Develop sandbox shell
Create an audit monitor for logging system calls
Adapt sandbox monitor for Solaris
Benchmark prototype
Technology Transfer
Release kernel-level wrapping libraries to the public domain
Support full observability and controllability of Win32 processes
Support intrusion detection initiatives on the Win32 platform
Release sandboxing technology
Questions?
Contact info:
www.rstcorp.com
www.rstcorp.com/papers/
www.rstcorp.com/~anup/
www.rstcorp.com/books/ecs/