Sandbox technology, a suitable approach for secure distributed systems
By: Arash Karami
Supervisor: Hadi Salimi
Distributed Systems Course Seminar, Mazandaran University of Science and Technology, IT department, July 2010

Main contents
What: sandbox security
Where: general-purpose grid computing
Why: security with lightweight overhead
How: covered in the following parts
2/36 Sandbox technology, presented by Arash Karami

Table of contents
- Introduction
- Sandbox idea
- Other concepts
- Usages
- Features
- Interception
- Interception levels
- Access control list
- Chroot mechanism
- Applications
- Evaluation
- Time line
- Conclusion

Introduction: motivation and purpose of this survey

Motivation
- Large-scale systems need high performance.
- Distributed systems are normally untrusted environments.
- Establishing secure processing environments is usually very time consuming.
- We have found a suitable technology for lightweight secure environments in large-scale systems.
Approaches considered: standalone antivirus, security suites, sandboxes.

Introduction to sandboxes
By Wikipedia: "In computer security, a sandbox is a security mechanism for separating running programs. It is often used to execute untested code, or untrusted programs from unverified third-parties, suppliers and untrusted users."
In common usage: a process virtual machine.
From my survey: a jail that can override and modify the behaviour of system calls without changing the real system.

Purposes and specifics
- Lightweight
- High performance
- Virtualization
- Role based
- Special ACL
- Control and management of resources
- Restriction of resources
- Simpler than complex authentication schemes
- Self-defensive

The sandbox idea and other concepts

Other meanings of "sandbox"
- Sandbox games
- The Google sandbox (search ranking)
Sandboxes have many applications in computer science. The sandbox tool discussed here aims to fulfill the need for application security in a distributed environment.

Sandbox in X computing
- Sandbox as virtual machine
- Sandbox as monitoring tool
- Even sandbox as IDS
Usages:

Usage of sandboxes (domains and the representative tools named on the slide)
- Virtualization, full virtualization: FVM, Entropia VM (EVM)
- IDS: BlueBox
- Mobile computing, mobile code: Java sandbox
- Antivirus: Norman, Avast
- Cloud/Grid computing: Gridbox
- Resource management systems: DGMonitor
- Process monitoring: Janus
- Web browsers: Chromium
- Rule-based management systems, honeypots, network monitoring tools and network traffic control: sandbox approach

Features: interception, access control list, application sandboxes

Interception
The basis of sandboxes is process interception, i.e. system call interception.
OS support: on Unix, ptrace (or similar facilities); on Windows, DLL injection (hooking the API calls of the target process).
The sandbox monitors the resources a process asks for and controls them.

User level sandbox
Trace system calls: using ptrace on Unix; using injection into the address space of processes on Windows.
Examples: Gridbox, Chromium sandbox project, chroot, Janus.
Caveat for ptrace-based sandboxes: the tracer inspects arguments (such as a path) that live in the tracee's memory, so a second thread of the tracee can change them between the check and the actual call (a time-of-check/time-of-use race); a sound tracer copies the arguments out before deciding, or relies on the kernel to enforce the decision.
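The following is an added example, not code from the slides or from Janus, Gridbox or Chromium. It shows the ptrace interception loop described above: a tracer forks a child, stops it at every system call entry, compares the syscall number against a deny list and kills the child on the first violation (the policy the original Janus applied). The workload function, the deny list and the exit codes are constructed for the example; the code is Linux-specific and reads registers for x86_64 and aarch64 only.

```c
/* Added example, not code from the slides or from Janus/GridBox: a minimal
 * user-level sandbox in the ptrace style.  The tracer forks a child that asks
 * to be traced (PTRACE_TRACEME), stops it at every system call entry and kills
 * it on the first call the policy denies, as the original Janus did.  Linux
 * only; register access is architecture specific (x86_64 and aarch64 here). */
#define _GNU_SOURCE
#include <elf.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/uio.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

/* Number of the system call the stopped tracee is about to execute. */
static long current_syscall(pid_t pid)
{
    struct user_regs_struct regs;
#if defined(__x86_64__)
    if (ptrace(PTRACE_GETREGS, pid, 0, &regs) == -1)
        return -1;
    return (long)regs.orig_rax;
#elif defined(__aarch64__)
    struct iovec iov = { &regs, sizeof regs };
    if (ptrace(PTRACE_GETREGSET, pid, NT_PRSTATUS, &iov) == -1)
        return -1;
    return (long)regs.regs[8];
#else
#error "add register access for this architecture"
#endif
}

static int is_denied(long nr, const long *deny, size_t ndeny)
{
    for (size_t i = 0; i < ndeny; i++)
        if (deny[i] == nr) return 1;
    return 0;
}

/* Run child_fn as a traced child.  Returns its exit status when it finishes,
 * -1 when it was killed for a policy violation, -2 on tracer errors (for
 * example when ptrace is not permitted in this environment). */
int trace_child(int (*child_fn)(void), const long *deny, size_t ndeny)
{
    pid_t pid = fork();
    if (pid == -1) return -2;
    if (pid == 0) {
        if (ptrace(PTRACE_TRACEME, 0, 0, 0) == -1)
            _exit(99);
        raise(SIGSTOP);                     /* let the tracer set options */
        _exit(child_fn());
    }
    int status, in_syscall = 0;
    if (waitpid(pid, &status, 0) == -1 || !WIFSTOPPED(status))
        return -2;
    /* TRACESYSGOOD marks syscall stops with SIGTRAP|0x80. */
    if (ptrace(PTRACE_SETOPTIONS, pid, 0, PTRACE_O_TRACESYSGOOD) == -1)
        return -2;
    for (;;) {
        if (ptrace(PTRACE_SYSCALL, pid, 0, 0) == -1 || waitpid(pid, &status, 0) == -1)
            return -2;
        if (WIFEXITED(status))
            return WEXITSTATUS(status);
        if (WIFSIGNALED(status))
            return -1;
        if (!WIFSTOPPED(status) || WSTOPSIG(status) != (SIGTRAP | 0x80))
            continue;                       /* other signal stop: resume, signal suppressed */
        if (!in_syscall) {                  /* entry stop: enforce the policy */
            long nr = current_syscall(pid);
            if (is_denied(nr, deny, ndeny)) {
                fprintf(stderr, "SANDBOX: syscall %ld: DENIED, killing %d\n", nr, (int)pid);
                kill(pid, SIGKILL);
                waitpid(pid, &status, 0);
                return -1;
            }
        }
        in_syscall = !in_syscall;           /* stops alternate entry/exit */
    }
}

/* Constructed workload standing in for the "fopen (/etc/passwd)" attempt
 * in the GridBox log on the slides. */
int try_open_root(void)
{
    int fd = open("/", O_RDONLY);
    if (fd >= 0)
        close(fd);
    return fd < 0 ? 3 : 0;
}

/* Deny list for the open family (SYS_open does not exist on aarch64). */
const long deny_open[] = {
    SYS_openat,
#ifdef SYS_open
    SYS_open,
#endif
};
const size_t ndeny_open = sizeof deny_open / sizeof deny_open[0];
```

`trace_child(try_open_root, deny_open, ndeny_open)` returns -1 because the child is killed at the entry of its open call; with an empty deny list the same workload runs to completion and returns 0. The policy here looks only at the syscall number; a real sandbox also decodes the arguments, which is exactly where the copy-out race mentioned above has to be handled.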

Kernel level sandbox
- Create a driver or kernel module for a specific platform
- Low-level programming ("dirty" programming)
- Harder to bypass than a user-mode sandbox, because the enforcement cannot be hacked around from user mode
Examples: BlueBox, EVM (Entropia Virtual Machine), Condor.

Access control list
- Assign to each task or role the system calls it may use
- Replace each system call with a wrapper that checks the policy and then invokes the real system call
Example: Gridbox defines acl.c and syscalls.c for resource management.

Application sandboxes
- Move desktop applications to web applications
- Protect with a lightweight, secure, flexible approach (where exactly is the question)
- As an extension or a separate program: Sandboxie
- As part of a runtime: Java applets, Silverlight
- Cost: some real performance is lost

Two production sandboxes presented in detail: GridBox and the Chromium sandbox project

Gridbox
- Started in 2005 according to the slide (the GridBox paper cited in the references appeared in October 2004)
- Lightweight: a few code files and one executable
- Heterogeneous across Unix-based systems
- User-mode interception
- Used in ProGrid
- Uses an ACL
- Multi-level security

Multi-level security: a Gridbox rule file (the host names were lost from the slide)

    # Network access: allow connections to trusted machines
    rule connect allow :80
    rule connect allow :80
    # Disallow any other connection
    rule connect deny *:*
    # Serving connections: allow binding to port 8000 of the interface
    rule bind allow :8000
    # Disallow any other port binding
    rule bind deny *
    # Program execution
    # Allow execution of /bin/cat
    rule system allow /bin/cat
    # Disallow any other program execution
    rule system deny *

Running an application under the sandbox script:

    # /usr/local/grid/sandbox.sh /usr/local/grid/applications/test_suite
    ...
    GRIDBOX: fopen (input): DENIED
    GRIDBOX: connect ( :80): DENIED
    GRIDBOX: nice(10): DENIED
    GRIDBOX: connect ( :22): DENIED
    GRIDBOX: system (/bin/rm): DENIED
    GRIDBOX: fopen (/etc/passwd): DENIED

Node profile (resource limits; the values for FILE_SIZE and STACK were lost from the slide):

    # Limit the CPU use to 5 minutes
    limit CPU_TIME 600
    # Limit maximum file size
    limit FILE_SIZE
    # Limit maximum process stack
    limit STACK

Note that the comment says 5 minutes while the value is 600; if the unit is seconds, as for a CPU-time rlimit, 600 is 10 minutes, so one of the two is a slip in the slide.
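To make the rule file above concrete, here is an added example, not GridBox's own code, of a small evaluator for that rule syntax: it parses `rule <op> <allow|deny> <target>` and `limit <NAME> <value>` lines, matches `host:port` and path targets with `*` wildcards, and logs denials in the `GRIDBOX: op (target): DENIED` form seen on the slide. First-match semantics and default deny are assumptions of this example, not documented GridBox behaviour; the host names in the sample file are constructed, and the sample deliberately includes the incomplete `limit FILE_SIZE` line to show how an unparsable line is reported.

```c
/* Added example, not GridBox's own code: an evaluator for rule files in the
 * style of the slide.  Syntax handled:
 *   rule <op> <allow|deny> <target>   target is "host:port" or a path; "*"
 *                                      matches a whole component
 *   limit <NAME> <value>
 * First matching rule wins and a request with no matching rule is denied;
 * both are assumptions of this example.  Sample host names are constructed. */
#include <stdio.h>
#include <string.h>

#define MAX_RULES 32
#define MAX_TOK 64

struct rule { char op[MAX_TOK]; int allow; char target[MAX_TOK]; };
struct limit { char name[MAX_TOK]; long value; };
struct policy { struct rule rules[MAX_RULES]; int nrules; struct limit limits[MAX_RULES]; int nlimits; };

/* Parse rule-file text; blank lines and '#' comments are skipped.
 * Returns the number of lines that could not be parsed. */
int parse_policy(const char *text, struct policy *p)
{
    char line[256], a[MAX_TOK], b[MAX_TOK], c[MAX_TOK], d[MAX_TOK];
    int bad = 0;
    p->nrules = p->nlimits = 0;
    while (*text) {
        size_t n = strcspn(text, "\n");
        if (n >= sizeof line) n = sizeof line - 1;
        memcpy(line, text, n);
        line[n] = '\0';
        text += n + (text[n] == '\n');
        int got = sscanf(line, "%63s %63s %63s %63s", a, b, c, d);
        if (got <= 0 || a[0] == '#')
            continue;
        if (got == 4 && strcmp(a, "rule") == 0 && p->nrules < MAX_RULES &&
            (strcmp(c, "allow") == 0 || strcmp(c, "deny") == 0)) {
            struct rule *r = &p->rules[p->nrules++];
            strcpy(r->op, b);
            r->allow = strcmp(c, "allow") == 0;
            strcpy(r->target, d);
        } else if (got == 3 && strcmp(a, "limit") == 0 && p->nlimits < MAX_RULES &&
                   sscanf(c, "%ld", &p->limits[p->nlimits].value) == 1) {
            strcpy(p->limits[p->nlimits++].name, b);
        } else {
            bad++;              /* e.g. "limit FILE_SIZE" with no value */
        }
    }
    return bad;
}

/* "*" matches any whole component; host:port patterns are compared per part. */
static int target_matches(const char *pat, const char *target)
{
    const char *pc = strrchr(pat, ':'), *tc = strrchr(target, ':');
    if (pc && tc) {
        size_t ph = (size_t)(pc - pat), th = (size_t)(tc - target);
        int host_ok = (ph == 1 && pat[0] == '*') ||
                      (ph == th && strncmp(pat, target, ph) == 0);
        int port_ok = strcmp(pc + 1, "*") == 0 || strcmp(pc + 1, tc + 1) == 0;
        return host_ok && port_ok;
    }
    return strcmp(pat, "*") == 0 || strcmp(pat, target) == 0;
}

/* 1 = allowed, 0 = denied; denials are logged the way GridBox does. */
int check(const struct policy *p, const char *op, const char *target)
{
    int allow = 0;                          /* default deny */
    for (int i = 0; i < p->nrules; i++) {
        const struct rule *r = &p->rules[i];
        if (strcmp(r->op, op) == 0 && target_matches(r->target, target)) {
            allow = r->allow;
            break;
        }
    }
    if (!allow)
        fprintf(stderr, "GRIDBOX: %s (%s): DENIED\n", op, target);
    return allow;
}

/* Resource limit from the node profile, or -1 when none is set. */
long get_limit(const struct policy *p, const char *name)
{
    for (int i = 0; i < p->nlimits; i++)
        if (strcmp(p->limits[i].name, name) == 0)
            return p->limits[i].value;
    return -1;
}

/* Constructed sample in the slide's format (host names invented). */
const char *sample_policy =
    "# Network access: allow connections to trusted machines\n"
    "rule connect allow node1.example:80\n"
    "rule connect allow node2.example:80\n"
    "rule connect deny *:*\n"
    "rule bind allow *:8000\n"
    "rule bind deny *\n"
    "rule system allow /bin/cat\n"
    "rule system deny *\n"
    "limit CPU_TIME 600\n"
    "limit FILE_SIZE\n";                    /* value missing, as on the slide */
```

With `sample_policy`, `check(&p, "connect", "node1.example:80")` returns 1, `check(&p, "connect", "node1.example:22")` and `check(&p, "system", "/bin/rm")` return 0 and log `GRIDBOX: ... DENIED`, and `parse_policy` reports the one incomplete limit line. A deployment would hook `get_limit` values into `setrlimit` before handing control to the application, which is what the node profile is for.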

GridBox functionalities (figure)

Chromium sandbox project
- A subset of the Chromium open source project
- Independent of the rest of Google's code
- Cross-platform (with a separate implementation per operating system)
- Restricts the sandboxed process in: process creation, I/O, network

Evaluation: table of all surveyed sandboxes, time-line

Comparison
- "Sandbox" is a wide concept
- All of the surveyed sandboxes are based on interception

Some surveyed sandboxes (columns: goal; implementation level; heterogeneous; compatible OS; application domain; program features)

Chroot: OS virtualization; user mode; no; most Unix-like OS; secure policy; chroot
Gridbox: improve security in grids; user mode; yes/no; all Unix-like OS; grid computing, ProGrid; ACL, customizable config file
BlueBox: network IDS; kernel mode; no; Linux; network IDS, host-based real-time IDS, web servers; host-based, driver-based
DGMonitor: virtualized resources; user mode; yes; Linux, Windows, Unix; Entropia, DCGrid, Xterm web; portable
Entropia VM: virtualization; kernel mode; no; Windows NT or higher; grid systems, image processing; combines the VM approach with the sandbox approach, file virtualization, thread management, job manager
Janus: monitoring; user mode; no; Solaris 2.4; ptrace / /proc mechanism
Chromium: sandboxing; user mode; yes; Unix-like, Windows; web applications
FreeBSD jail: security in server farms; kernel/user mode; no; only BSD; Internet security; file system isolation, disk quotas, network isolation

Time-line of sandboxes from 1980 onward (figure, roughly chronological): chroot, Condor, Janus, FreeBSD jail, Systrace, Gridbox, Chromium, Avast

Results: challenges and discussion

Properties of a good sandbox
- Interception that does not itself restrict the resources available to the application
- A secure box for virtual processes
- Multi-part restriction: memory restriction; restricted space for processes and threads; process management; monitoring of network protocols

Challenges
- Implementation level (user mode vs. kernel mode)
- Goal
- Cross-platform support
- Fine-grained control

Conclusion

Today we need:
1. A cross-platform sandbox
2. High performance
3. Support for both kernel-mode and user-mode sandboxing
4. Dynamic ACLs (as in the Google/Chromium sandbox)
5. Full virtualization
6. Limits on local resources and network resources
7. Open source

Discussion

References

All references
- S. Loureiro, R. Molva, Y. Roudier. Mobile Code Security. Proceedings of ISYPAR, 2000.
- A. R. Butt, S. Adabala, N. H. Kapadia, R. J. Figueiredo, J. A. B. Fortes. Grid-computing portals and security issues. Journal of Parallel and Distributed Computing, October 2003.
- H. Chen, P. Liu, R. Chen, B. Zang. VMM-based Process Shepherding. Parallel Processing Institute Technical Report FDUPPITR, August 2007.
- I. Goldberg, D. Wagner, R. Thomas, E. A. Brewer. A Secure Environment for Untrusted Helper Applications: Confining the Wily Hacker. Sixth USENIX UNIX Security Symposium, July 1996.
- Wikipedia, Sandbox (computer security): http://en.wikipedia.org/wiki/Sandbox_%28computer_security%29
- J. Lange, P. Dinda. Transparent Network Services via a Virtual Traffic Layer for Virtual Machines. Proceedings of the 16th IEEE International Symposium on High Performance Distributed Computing (HPDC 2007), June 2007.
- S. N. Chari, P.-C. Cheng. BlueBoX: A Policy-driven, Host-Based Intrusion Detection System. Proceedings of the 9th Symposium on Network and Distributed Systems Security (NDSS 2002), 2002.
- T. Khatiwala, R. Swaminathan, V. N. Venkatakrishnan. Data Sandboxing: A Technique for Enforcing Confidentiality Policies. Proceedings of the 22nd Annual Computer Security Applications Conference, December 11-15, 2006.
- J. Frey, T. Tannenbaum, M. Livny, I. Foster, S. Tuecke. Condor-G: A Computation Management Agent for Multi-Institutional Grids. Cluster Computing, vol. 5, no. 3, 2002.
- P. Cicotti, M. Taufer, A. Chien. DGMonitor: A Performance Monitoring Tool for Sandbox-Based Desktop Grid Platforms. Journal of Supercomputing, vol. 34, no. 2, 2005.
- D. Wagner. A Secure Environment for Untrusted Helper Applications.

- E. Dodonov, J. Q. Sousa, H. C. Guardia. GridBox: securing hosts from malicious and greedy applications. Proceedings of the 2nd Workshop on Middleware for Grid Computing, pp. 17-22, October 18-22, 2004, Toronto, Ontario, Canada.
- S. Santhanam, P. Elango, A. Arpaci-Dusseau, M. Livny. Deploying virtual machines as sandboxes for the grid. Proceedings of the 2nd Conference on Real, Large Distributed Systems, 2005.
- X. Jiang, X. Wang. "Out-of-the-Box" Monitoring of VM-Based High-Interaction Honeypots. Lecture Notes in Computer Science, 2007.
- D. Malkhi, M. K. Reiter. Secure Execution of Java Applets Using a Remote Playground. IEEE Transactions on Software Engineering, 2000.
- M. Khambatti, P. Dasgupta, K. D. Ryu. A Role-Based Trust Model for Peer-to-Peer Communities and Dynamic Coalitions. IWIA '04: Proceedings of the Second IEEE International Information Assurance Workshop, page 141, Washington, DC, USA, 2004.
- The Technion DSL Lab, Israel. Condor Local File System Sandbox: high level design document.
- B. Calder, A. A. Chien, J. Wang, D. Yang. The Entropia Virtual Machine for Desktop Grids. Proceedings of the 1st ACM/USENIX International Conference on Virtual Execution Environments (VEE), 2005.
- D. A. Wagner. Janus: an Approach for Confinement of Untrusted Applications. UC Berkeley Technical Report CSD (report number lost from the slide).
- N. Provos. Improving host security with system call policies. Proceedings of the 12th USENIX Security Symposium, 2003.
- Sandboxie (project website).
- Chromium project (project website).
