Page 1: Sandboxing Technology

Sandbox technology, a suitable approach for secure distributed systems

Page 2: Sandboxing Technology

MAIN CONTENTS

• What: Sandbox security
• Where: General-purpose Grid computing
• Why: security with lightweight overhead, …
• How: see the next parts!!!

2/36

Page 3: Sandboxing Technology

TABLE OF CONTENT

• Introduction
• Sandbox idea
• Other concepts
• Usages
• Features
• Interception
• Interception Levels
• Access Control List
• Chroot mechanism
• Applications
• Evaluating
• Time line
• Conclusion

Page 4: Sandboxing Technology

MOTIVATION

• Large scale systems need to be high performance
• Distributed systems are normally untrusted environments
• Establishing secure processing environments is very time consuming (common)
• We have found a suitable technology for lightweight secure environments in large scale systems

[Figure: timeline 1990 to 2010: standalone antivirus, security suites, sandboxes]

Page 5: Sandboxing Technology

INTRODUCTION TO SANDBOX

• By Wikipedia: "In computer security, a sandbox is a security mechanism for separating running programs. It is often used to execute untested code, or untrusted programs from unverified third-parties, suppliers and untrusted users."
• By common usage: Process virtual machine
• By my survey: A jail that can override and modify the behaviour of system calls without changing the real system

Page 6: Sandboxing Technology

PURPOSES & SPECIFICS

• Lightweight
• High performance
• Virtualization
• Role based
• Special ACL
• Control and management of resources
• Restriction of resources
• Better than complex authentications
• Self defensive

Page 7: Sandboxing Technology

THE SANDBOX IDEA

OTHER CONCEPTS

Page 8: Sandboxing Technology

OTHER MEANINGS

• Sandbox games
• Google sandbox rating
• Sandboxes have many applications in computer science!!!
• The sandbox tool aims to fulfill the need for application security in a distributed environment

Page 9: Sandboxing Technology

USAGES

SANDBOX IN X COMPUTING

SANDBOX AS VIRTUAL MACHINE

SANDBOX AS MONITORING TOOL

(EVEN) SANDBOX AS IDS ; )

Page 10: Sandboxing Technology

USAGE OF SANDBOXES

[Figure: usage of sandboxes. Areas: virtualization, IDS, mobile computing, anti-viruses, cloud/grid computing, rule-based management systems, full virtualization, resource management systems, honeypots, network monitoring tools, network traffic control. Systems named: sandbox approach, FVM, Norman, Avast, mobile codes, EVM, Gridbox, DGMonitor, Janus, Chromium, Java sandbox, BlueBox]

Page 11: Sandboxing Technology

FEATURES

INTERCEPTION

ACCESS CONTROL LIST

APPLICATION SANDBOXES

Page 12: Sandboxing Technology

INTERCEPTION

• Base of sandboxes
• Process interception
• System call interception
• OS:
  • Unix: ptrace OR …
  • Windows: DLL injection
• Monitoring resources and controlling them

Page 13: Sandboxing Technology

USER LEVEL SANDBOX

• Trace system calls
  • Using ptrace in Unix
  • Using injection into the address space of processes in Windows
• For example:
  • Gridbox
  • Chromium sandbox project
  • Chroot
  • Janus

Page 14: Sandboxing Technology

KERNEL LEVEL SANDBOX

• Create a driver or kernel module for a specific platform
• Low level programming
• Dirty programming!!!
• Less easily subverted than user mode
• For example:
  • BlueBox
  • EVM
  • Condor

Page 15: Sandboxing Technology

ACCESS CONTROL LIST

• Assign a task, role, system call
• Replace each system call with a checked version of the real system call
• Example:
  • Gridbox: defines acl.c + syscalls.c for resource management

Page 16: Sandboxing Technology

APPLICATION SANDBOXES

• Move desktop app to web app
• Protecting with a lightweight, secure, flexible approach (WHERE???)
• Extension or separate program
  • Sandboxie
  • A part of Applets
  • Silverlight
• Loses real performance

Page 17: Sandboxing Technology

PRESENT TWO PROF SANDBOX

GRIDBOX

CHROMIUM SANDBOX PROJECT

Page 18: Sandboxing Technology

GRIDBOX

• Started in 2005
• Lightweight code files & executable file
• Heterogeneous across Unix-based systems
• User mode interception
• Used in ProGrid, SETI@
• Uses ACL
• Multi level security

Page 19: Sandboxing Technology

MULTI LEVEL SECURITY

# Network access: Allow connections to trusted machines
rule connect allow 200.18.98.120:80
rule connect allow 200.18.98.132:80
# Disallow any other connection
rule connect deny *:*
# Serving connections: Allow to bind to port 8000 of interface 200.18.98.120
rule bind allow 200.18.98.120:8000
# Disallow any other port binding
rule bind deny *

# Program execution
# Allow execution of /bin/cat
rule system allow /bin/cat
# Disallow any other program execution
rule system deny *

#/usr/local/grid/sandbox.sh /usr/local/grid/applications/test_suite
...
GRIDBOX: fopen (input): DENIED
GRIDBOX: connect (200.18.98.120:80): DENIED
GRIDBOX: nice(10): DENIED
GRIDBOX: connect (200.18.98.120:22): DENIED
GRIDBOX: system (/bin/rm): DENIED
GRIDBOX: fopen (/etc/passwd): DENIED

# Node profile
# Limit the CPU use to 5 minutes
limit CPU_TIME 600
# Limit maximum file size
limit FILE_SIZE 1000000
# Limit maximum process stack
limit STACK 20000
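The slide only quotes the Gridbox rule file and a session log; it does not show how the ACL (slide 15) is evaluated. The following Python is an added example, not Gridbox's own code, that parses this rule grammar (`rule <call> allow|deny <pattern>`, `limit <NAME> <value>`) and decides each intercepted call against it, emitting log lines in the GRIDBOX style of the session above. First-match-wins ordering, default deny for any call no rule covers, the "ALLOWED" verdict string, the mapping of limit names to setrlimit resources, and seconds as the CPU_TIME unit are all assumptions of this example.

```python
"""Minimal evaluator for a Gridbox-style sandbox policy (constructed example)."""
import fnmatch
import resource
from dataclasses import dataclass

# Constructed policy: the rule and limit lines quoted on the slide, in order.
POLICY_TEXT = """
# Network access: Allow connections to trusted machines
rule connect allow 200.18.98.120:80
rule connect allow 200.18.98.132:80
# Disallow any other connection
rule connect deny *:*
# Serving connections: Allow to bind to port 8000 of interface 200.18.98.120
rule bind allow 200.18.98.120:8000
# Disallow any other port binding
rule bind deny *
# Program execution
# Allow execution of /bin/cat
rule system allow /bin/cat
# Disallow any other program execution
rule system deny *
# Node profile
limit CPU_TIME 600
limit FILE_SIZE 1000000
limit STACK 20000
"""


@dataclass(frozen=True)
class Rule:
    operation: str   # intercepted call the rule applies to: connect, bind, system, ...
    allow: bool      # True for "allow", False for "deny"
    pattern: str     # shell-style pattern matched against the call's argument


def parse_policy(text):
    """Return (rules, limits); rules keep file order, limits map name -> int."""
    rules, limits = [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] == "rule" and len(parts) == 4 and parts[2] in ("allow", "deny"):
            rules.append(Rule(parts[1], parts[2] == "allow", parts[3]))
        elif parts[0] == "limit" and len(parts) == 3:
            limits[parts[1]] = int(parts[2])
        else:
            # Fail closed: a policy we cannot parse must not be silently accepted.
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
    return rules, limits


def decide(rules, operation, argument):
    """First matching rule wins (assumption); an uncovered call is denied (assumption)."""
    for rule in rules:
        if rule.operation == operation and fnmatch.fnmatchcase(argument, rule.pattern):
            return rule.allow
    return False


def audit_line(rules, operation, argument):
    """Log line in the GRIDBOX style of the session shown on the slide."""
    verdict = "ALLOWED" if decide(rules, operation, argument) else "DENIED"
    return f"GRIDBOX: {operation} ({argument}): {verdict}"


# Assumed mapping from node-profile limit names to setrlimit() resources.
# The slide does not state the CPU_TIME unit; seconds are assumed here.
RLIMIT_FOR = {
    "CPU_TIME": resource.RLIMIT_CPU,
    "FILE_SIZE": resource.RLIMIT_FSIZE,
    "STACK": resource.RLIMIT_STACK,
}


def rlimits(limits):
    """Translate parsed limits into (resource, (soft, hard)) pairs for setrlimit()."""
    return [(RLIMIT_FOR[name], (value, value)) for name, value in limits.items()]


if __name__ == "__main__":
    rules, limits = parse_policy(POLICY_TEXT)
    for op, arg in [("connect", "200.18.98.120:80"), ("connect", "200.18.98.120:22"),
                    ("bind", "200.18.98.120:8000"), ("system", "/bin/rm"),
                    ("fopen", "/etc/passwd")]:
        print(audit_line(rules, op, arg))
    print(rlimits(limits))
```

The `rlimits` pairs are meant to be applied with `resource.setrlimit` in the child process before it execs the confined program. Note that the quoted comment says "5 minutes" while the value is 600, so the unit Gridbox uses for CPU_TIME is not obvious from the slide; the example takes seconds and labels that as an assumption.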

Page 20: Sandboxing Technology

GRIDBOX FUNCTIONALITIES

Page 21: Sandboxing Technology

CHROMIUM SANDBOX PROJECT

• Subset of the Chromium open source project
• Independent of Google code
• Cross-platform
• Restriction in:
  • Process
  • I/O
  • Network

Page 22: Sandboxing Technology

EVALUATE

TABLE OF ALL SURVEYED SANDBOXES

TIME-LINE

Page 23: Sandboxing Technology

COMPARISON

• Sandbox is a wide concept
• It is based on interception

Page 24: Sandboxing Technology

SOME SURVEYED SANDBOXES

Sandbox name | Goal | Implementation level | Heterogeneous | Compatible OS | Application domain | Program
------------ | ---- | -------------------- | ------------- | ------------- | ------------------ | -------
Chroot | OS virtualization | User mode | No | Most Unix-like OS | Secure policy | Chroot
Gridbox | Improve security in grid | User mode | Y/N | All Unix-like OS | Grid computing, ProGrid, SETI@ | ACL, customized config file
BlueBox | N IDS | Kernel mode | No | Linux | Network IDS, host-based real-time IDS, web servers | Host-based driven
DGMonitor | Virtualized resources | User mode | Yes | Linux, Windows, Unix | Entropia, DCGrid, Xterm web | Portable
Entropia VM | Virtualization | Kernel mode | No | Windows NT or higher | Grid systems, image processing | Combines VM approach with sandbox approach, file virtualization, thread management, job manager
Janus | Monitoring | User mode | No | Solaris 2.4 | - | Ptrace/proc mechanism
Chromium | Sandboxing | User mode | Yes | Unix-like, Windows | Web application | -
FreeBSD jail | Security in server farms | Kernel/user mode | No | Only BSD | Internet security | File system isolation, disk quotas, network isolation

Page 25: Sandboxing Technology

TIME-LINE

• Progress of sandboxes

[Figure: timeline 1980 to 2010 placing Chroot, Janus, Systrace, Condor, FreeBSD Jail, Gridbox, Avast and Chromium]

Page 26: Sandboxing Technology

RESULT

CHALLENGES

DISCUSSION

Page 27: Sandboxing Technology

A GOOD SANDBOX'S PROPERTIES:

• Interception without restriction on resources
• A secure box for virtual processes
• Multi part restriction:
  • Memory restriction: restricted space for processes and threads
  • Process management
  • Monitoring network protocols

Page 28: Sandboxing Technology

CHALLENGES

• Implementation level
• Goal
• Cross-platform
• Fine-grained level

Page 29: Sandboxing Technology

CONCLUSION

Page 30: Sandboxing Technology

TODAY WE NEED:

1. A cross platform sandbox
2. High performance
3. Support for kernel and user mode sandboxing
4. Dynamic ACLs (Google ACL)
5. Full virtualization
6. Limited local resources and network resources
7. Open source

Page 31: Sandboxing Technology

REFERENCES

Page 32: Sandboxing Technology

ALL REFERENCES

• S. Loureiro, R. Molva, Y. Roudier, "Mobile Code Security", Proceedings of ISYPAR, 2000
• A. R. Butt, S. Adabala, N. H. Kapadia, R. J. Figueiredo and J. A. B. Fortes, "Grid-computing portals and security issues", Journal of Parallel and Distributed Computing, October 2003
• H. Chen, P. Liu, R. Chen, B. Zang, "VMM-based Process Shepherding", Parallel Processing Institute Technical Report Number FDUPPITR-2007-08002, August 2007
• I. Goldberg, D. Wagner, R. Thomas, E. A. Brewer, "A Secure Environment for Untrusted Helper Applications: Confining the Wily Hacker", Sixth USENIX UNIX Security Symposium, July 1996
• Wikipedia, http://en.wikipedia.org/wiki/Sandbox_%28computer_security%29, accessed 2010-07-14
• J. Lange, P. Dinda, "Transparent Network Services via a Virtual Traffic Layer for Virtual Machines", Proceedings of the 16th IEEE International Symposium on High Performance Distributed Computing (HPDC 2007), June 2007
• S. N. Chari and P.-C. Cheng, "BlueBoX: A Policy-driven, Host-Based Intrusion Detection System", Proceedings of the 9th Symposium on Network and Distributed Systems Security (NDSS 2002), 2002
• T. Khatiwala, R. Swaminathan, V. N. Venkatakrishnan, "Data Sandboxing: A Technique for Enforcing Confidentiality Policies", Proceedings of the 22nd Annual Computer Security Applications Conference, p. 223-234, December 11-15, 2006
• J. Frey, T. Tannenbaum, M. Livny, I. Foster, S. Tuecke, "Condor-G: A Computation Management Agent for Multi-Institutional Grids", Cluster Computing, 2002, Vol. 5, No. 3, pages 237-246
• P. Cicotti, M. Taufer and A. Chien, "DGMonitor: A Performance Monitoring Tool for Sandbox-Based Desktop Grid Platforms", Journal of Supercomputing, 2005, Vol. 34, No. 2, pages 113-133
• D. Wagner, "A Secure Environment for Untrusted Helper Applications", http://searchsystemschannel.techtarget.com/generic/0,295582,sid99_gci1379901,00.html

Page 33: Sandboxing Technology

• http://www.webpronews.com/insiderreports/2004/05/06/google-sandbox-effect-revealed
• Evgueni Dodonov, Joelle Quaini Sousa, Hélio Crestana Guardia, "GridBox: securing hosts from malicious and greedy applications", Proceedings of the 2nd Workshop on Middleware for Grid Computing, p. 17-22, October 18-22, 2004, Toronto, Ontario, Canada
• S. Santhanam, P. Elango, A. Arpaci-Dusseau, M. Livny, "Deploying virtual machines as sandboxes for the grid", Proceedings of the 2nd Conference on Real, Large Distributed Systems, 2005
• X. Jiang, X. Wang, "'Out-of-the-Box' Monitoring of VM-Based High-Interaction Honeypots", Lecture Notes in Computer Science, 2007
• D. Malkhi, M. K. Reiter, "Secure Execution of Java Applets Using a Remote Playground", IEEE Transactions on Software Engineering, 2000
• M. Khambatti, P. Dasgupta, K. D. Ryu, "A Role-Based Trust Model for Peer-to-Peer Communities and Dynamic Coalitions", IWIA '04: Proceedings of the Second IEEE International Information Assurance Workshop, page 141, Washington, DC, USA, 2004
• The Technion DSL Lab, Israel, "Condor Local File System Sandbox", high level design document
• B. Calder, A. A. Chien, J. Wang, D. Yang, "The Entropia Virtual Machine for Desktop Grids", Proceedings of the 1st ACM/USENIX International Conference on Virtual Execution Environments, 2005
• David A. Wagner, "Janus: an Approach for Confinement of Untrusted Applications", Technical Report CSD-99-1056, December 1999
• N. Provos, "Improving host security with system call policies", Proceedings of the 12th Conference on USENIX Security Symposium, 2003
• Sandboxie, http://www.sandboxie.com/
• Chromium project, http://www.google.com/url?sa=t&source=web&cd=1&ved=0CBYQFjAA&url=http%3A%2F%2Fcode.google.com%2Fchromium%2F&ei=Qs49TI_NJ5i8jAerqZT5Aw&usg=AFQjCNFFIW41N_oxaGVfvEf4kTPmYqUfWg&sig2=Af2KdebPFzPOcyA-wSUAVQ