Sandboxing Mobile Code Execution Environments Anup K. Ghosh, Ph.D. DARPA Joint Intrusion Detection and Information Assurance Principal.


Slide 1: Sandboxing Mobile Code Execution Environments
Anup K. Ghosh, Ph.D.
DARPA Joint Intrusion Detection and Information Assurance Principal Investigator Meeting, August 2-6, 1999, Phoenix, AZ

Slide 2: The Problem We Are Addressing: Untrusted Code
- Protecting computing host platforms from untrusted mobile code
  - Java applets
  - ActiveX controls
  - JavaScripts
  - VBScripts/macros
  - multimedia files

Slide 3: Properties of Mobile Code
- Comes in a variety of forms
- Often runs unannounced and unbeknownst to the user
- Runs with the privilege of the user
- Distributed in executable form
- Runs in multiple threads
- Can launch other programs

Slide 4: Mobile Code Trojans: Do you know what you are running?
- Demo of hostile Java applet
- Ed Felten of Princeton University: "Given the choice of safer systems or dancing pigs, the average user will always opt for dancing pigs."

Slide 5: Technical Objectives
- Prevent untrusted mobile code from:
  - writing to the file system
  - reading from the file system
  - executing programs
  - network access, except on permitted ports
  - reading from/writing to system devices
- Detect/prevent previously unseen mobile code attacks

Slide 6: Mobile Code Security (diagram)
- Originating site: source code -> compiler -> exec
  - Protection means: type safety, annotation, PCC, static checks
- Host site: exec -> kernel boundary controller / code transform / interpreter
  - Protection means: firewall/scanning, wrapping/SFI, VM/RTS extensions, dynamic checks, DTE/sandboxing

Slide 7: Observations on Protection Mechanisms
- Language-based
  - Limited to a particular language
  - One policy does not fit all
  - Still need dynamic checks
- Code wrapping
  - Address containment only
  - Bypassable
  - Difficult to wrap all code
- Firewalls/scanners
  - Binary policies
  - Novel code defeats scanners
- Interpreter
  - Particular to code
  - Different models for different code
- Kernel protection
  - Requires OS extensions
  - Policy specification

Slide 8: Sandboxing Approaches and Pitfalls
- Wrap API calls for mobile code threads
  - Code can make direct calls to the kernel
  - Code can alter memory of other threads
- Wrap kernel calls for large applications
  - Policies for browsers are necessarily lax and problematic for preventing malicious behavior from mobile code

Slide 9: Technical Approach
- Specify security policy in a code/platform-independent language
- Separate policy specification from policy enforcement
- Compile policies to a specific platform
- Address policy problems for mobile code host platforms
- Implement kernel extensions for WinNT/Solaris

Slide 10: Applying the Approach to the Windows NT Platform
- Wrap access to system resources in the kernel (ring 0), since API wrapping is bypassable
  - File system, registry, network, devices
- Use kernel extensions to WinNT known as filter drivers (VxD programming) to hook all access to system resources

Slide 11: WinNT Architecture

Slide 12: Sandboxing Win32 Processes

Slide 13: Sandboxing on Solaris

Slide 14: Developing Policies for Mobile Code Hosts
- Most mobile code hosts are large multi-use applications:
  - Web browsers, mailers, desktop automation (word processors, spreadsheets, etc.)
  - These applications necessarily need to read and write to the file system, add new modules, and read and write to network resources.
- Problem: how to develop a useful policy in light of these multi-use requirements

Slide 15: Potential Solutions
- Wrap mobile code threads
  - Problem: mobile code can corrupt mobile code host memory
- Wrap the entire application with a restrictive policy
  - Problem: makes desktop applications useless
- Note when the application executes mobile code and implement a strict policy then
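Slides 5, 9 and 15 together describe one mechanism: a platform-independent policy, compiled to platform-specific kernel hooks, that is enforced strictly only while the host application is running mobile code. The following is an added illustration of that design, not code from the talk or the project; the policy syntax, the hook names in HOOKS and the trace are all assumed or constructed here.

```python
from typing import NamedTuple
# Abstract policy in a small assumed syntax: <decision> <resource> [<op>] [key=value ...]
POLICY = """
deny  file write
deny  exec
allow net  connect port=80
deny  net  connect
deny  device
"""
# (resource, op) -> kernel-level hook per platform; the hook names are illustrative placeholders.
HOOKS = {
    "winnt": {("file", "write"): "NtWriteFile", ("exec", "*"): "NtCreateProcess",
              ("net", "connect"): "AfdConnect", ("device", "*"): "NtDeviceIoControlFile"},
    "solaris": {("file", "write"): "write", ("exec", "*"): "execve",
                ("net", "connect"): "connect", ("device", "*"): "ioctl"},
}
class Rule(NamedTuple):
    hook: str      # platform-specific call the rule is attached to
    decision: str  # "allow" or "deny"
    args: dict     # argument constraints that must all match, e.g. {"port": "80"}
def compile_policy(text, platform):
    """Translate the abstract policy into an ordered rule list for one platform."""
    rules = []
    for line in text.strip().splitlines():
        words = line.split()
        ops = [w for w in words[2:] if "=" not in w]              # operation, if stated
        args = dict(w.split("=", 1) for w in words if "=" in w)   # key=value constraints
        rules.append(Rule(HOOKS[platform][(words[1], ops[0] if ops else "*")], words[0], args))
    return rules

def check(rules, hook, args, mobile_code_active):
    """First matching rule wins; the host keeps its own lax policy until mobile code runs,
    and while mobile code runs anything not explicitly allowed is denied."""
    if not mobile_code_active:
        return "allow"
    for rule in rules:
        if rule.hook == hook and all(str(args.get(k)) == v for k, v in rule.args.items()):
            return rule.decision
    return "deny"

# Constructed trace in the shape an audit monitor might log: (hook, args, mobile code running?)
TRACE = [
    ("NtWriteFile", {"path": r"C:\temp\cache.dat"}, False),
    ("NtWriteFile", {"path": r"C:\temp\cache.dat"}, True),
    ("AfdConnect", {"port": 80}, True),
    ("AfdConnect", {"port": 31337}, True),
    ("NtCreateProcess", {"image": "cmd.exe"}, True),
]
def audit(rules, trace):
    return [(hook, check(rules, hook, args, active)) for hook, args, active in trace]
```

The same POLICY compiled for "solaris" attaches the rules to write/execve/connect/ioctl instead, which is the specification/enforcement split the slides argue for.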

Slide 16: Technical Hurdles
- Developing an expressive, robust, code/platform-independent, and simple policy specification language
- Performance penalties with the kernel wrapping approach
- Determining when mobile code is executing
- Addressing DoS/resource consumption attacks

Slide 17: Quantitative Metrics
- Benchmark process performance with and without kernel wrapping
- Evaluate the sandbox approach against malicious mobile code:
  - hostile Java applets
  - hostile ActiveX controls
  - JavaScripts that use controls
- Compare against other sandboxing approaches

Slide 18: Expected Achievements
- Develop and release kernel wrapping libraries for Windows NT
- Develop and release a sandbox for mobile code platforms
- Evaluate the approach against malicious mobile code
- Overcome hurdles in state-of-the-art sandboxing

Slide 19: Task Schedule
- Year 1
  - Develop policy specification language
  - Build kernel-level filter drivers for NT
  - Develop sandbox monitor and implement policies
  - Benchmark Windows NT prototype against attacks
  - Benchmark performance penalty of kernel-level wrapping

Slide 20: Task Schedule (contd)
- Year 2
  - Develop functions for processing Solaris callbacks using the /proc interface
  - Develop sandbox shell
  - Create an audit monitor for logging system calls
  - Adapt sandbox monitor for Solaris
  - Benchmark prototype

Slide 21: Technology Transfer
- Release kernel-level wrapping libraries to the public domain
- Support full observability and controllability of Win32 processes
- Support intrusion detection initiatives on the Win32 platform
- Release sandboxing technology

Slide 22: Questions?
- Contact info:
  - www.rstcorp.com
  - www.rstcorp.com/papers/
  - www.rstcorp.com/~anup/
  - www.rstcorp.com/books/ecs/

