Retaining sandbox containment despite bugs in privileged memory-safe code

Justin Cappos, Armon Dadgar, Jeff Rasley, Justin Samuel, Ivan Beschastnikh, Cosmin Barsan, Arvind Krishnamurthy, Thomas Anderson

    Research output: Chapter in Book/Report/Conference proceedingConference contribution

    Abstract

    Flaws in the standard libraries of secure sandboxes represent a major security threat to billions of devices worldwide. The standard libraries are hard to secure because they frequently need to perform low-level operations that are forbidden in untrusted application code. Existing designs have a single, large trusted computing base that contains security checks at the boundaries between trusted and untrusted code. Unfortunately, aws in the standard library often allow an attacker to escape the security protections of the sandbox.In this work, we construct a Python-based sandbox that has a small, security-isolated kernel. Using a mechanism called a security layer, we migrate privileged functionality into memory-safe code on top of the sandbox kernel while retaining isolation. For example, significant portions of module import, file I/O, serialization, and network communication routines can be provided in security layers. By moving these routines out of the kernel, we prevent attackers from leveraging bugs in these routines to evade sandbox containment. We demonstrate the effectiveness of our approach by studying past bugs in Java's standard libraries and show that most of these bugs would likely be contained in our sandbox.

    Original languageEnglish (US)
    Title of host publicationCCS'10 - Proceedings of the 17th ACM Conference on Computer and Communications Security
    Pages212-223
    Number of pages12
    DOIs
    StatePublished - 2010
    Event17th ACM Conference on Computer and Communications Security, CCS'10 - Chicago, IL, United States
    Duration: Oct 4 2010Oct 8 2010

    Other

    Other17th ACM Conference on Computer and Communications Security, CCS'10
    CountryUnited States
    CityChicago, IL
    Period10/4/1010/8/10

    Fingerprint

    Data storage equipment
    Telecommunication networks
    Defects
    Trusted computing

    Keywords

    • Containment
    • Layering
    • Sandbox

    ASJC Scopus subject areas

    • Software
    • Computer Networks and Communications

    Cite this

    Cappos, J., Dadgar, A., Rasley, J., Samuel, J., Beschastnikh, I., Barsan, C., ... Anderson, T. (2010). Retaining sandbox containment despite bugs in privileged memory-safe code. In CCS'10 - Proceedings of the 17th ACM Conference on Computer and Communications Security (pp. 212-223) https://doi.org/10.1145/1866307.1866332

    Retaining sandbox containment despite bugs in privileged memory-safe code. / Cappos, Justin; Dadgar, Armon; Rasley, Jeff; Samuel, Justin; Beschastnikh, Ivan; Barsan, Cosmin; Krishnamurthy, Arvind; Anderson, Thomas.

    CCS'10 - Proceedings of the 17th ACM Conference on Computer and Communications Security. 2010. p. 212-223.

    Research output: Chapter in Book/Report/Conference proceedingConference contribution

    Cappos, J, Dadgar, A, Rasley, J, Samuel, J, Beschastnikh, I, Barsan, C, Krishnamurthy, A & Anderson, T 2010, Retaining sandbox containment despite bugs in privileged memory-safe code. in CCS'10 - Proceedings of the 17th ACM Conference on Computer and Communications Security. pp. 212-223, 17th ACM Conference on Computer and Communications Security, CCS'10, Chicago, IL, United States, 10/4/10. https://doi.org/10.1145/1866307.1866332
    Cappos J, Dadgar A, Rasley J, Samuel J, Beschastnikh I, Barsan C et al. Retaining sandbox containment despite bugs in privileged memory-safe code. In CCS'10 - Proceedings of the 17th ACM Conference on Computer and Communications Security. 2010. p. 212-223 https://doi.org/10.1145/1866307.1866332
    Cappos, Justin ; Dadgar, Armon ; Rasley, Jeff ; Samuel, Justin ; Beschastnikh, Ivan ; Barsan, Cosmin ; Krishnamurthy, Arvind ; Anderson, Thomas. / Retaining sandbox containment despite bugs in privileged memory-safe code. CCS'10 - Proceedings of the 17th ACM Conference on Computer and Communications Security. 2010. pp. 212-223
    @inproceedings{853c790bdc7b468eadbeca78b9521ae4,
    title = "Retaining sandbox containment despite bugs in privileged memory-safe code",
    abstract = "Flaws in the standard libraries of secure sandboxes represent a major security threat to billions of devices worldwide. The standard libraries are hard to secure because they frequently need to perform low-level operations that are forbidden in untrusted application code. Existing designs have a single, large trusted computing base that contains security checks at the boundaries between trusted and untrusted code. Unfortunately, aws in the standard library often allow an attacker to escape the security protections of the sandbox.In this work, we construct a Python-based sandbox that has a small, security-isolated kernel. Using a mechanism called a security layer, we migrate privileged functionality into memory-safe code on top of the sandbox kernel while retaining isolation. For example, significant portions of module import, file I/O, serialization, and network communication routines can be provided in security layers. By moving these routines out of the kernel, we prevent attackers from leveraging bugs in these routines to evade sandbox containment. We demonstrate the effectiveness of our approach by studying past bugs in Java's standard libraries and show that most of these bugs would likely be contained in our sandbox.",
    keywords = "Containment, Layering, Sandbox",
    author = "Justin Cappos and Armon Dadgar and Jeff Rasley and Justin Samuel and Ivan Beschastnikh and Cosmin Barsan and Arvind Krishnamurthy and Thomas Anderson",
    year = "2010",
    doi = "10.1145/1866307.1866332",
    language = "English (US)",
    isbn = "9781450302449",
    pages = "212--223",
    booktitle = "CCS'10 - Proceedings of the 17th ACM Conference on Computer and Communications Security",

    }

    TY - GEN

    T1 - Retaining sandbox containment despite bugs in privileged memory-safe code

    AU - Cappos, Justin

    AU - Dadgar, Armon

    AU - Rasley, Jeff

    AU - Samuel, Justin

    AU - Beschastnikh, Ivan

    AU - Barsan, Cosmin

    AU - Krishnamurthy, Arvind

    AU - Anderson, Thomas

    PY - 2010

    Y1 - 2010

    N2 - Flaws in the standard libraries of secure sandboxes represent a major security threat to billions of devices worldwide. The standard libraries are hard to secure because they frequently need to perform low-level operations that are forbidden in untrusted application code. Existing designs have a single, large trusted computing base that contains security checks at the boundaries between trusted and untrusted code. Unfortunately, aws in the standard library often allow an attacker to escape the security protections of the sandbox.In this work, we construct a Python-based sandbox that has a small, security-isolated kernel. Using a mechanism called a security layer, we migrate privileged functionality into memory-safe code on top of the sandbox kernel while retaining isolation. For example, significant portions of module import, file I/O, serialization, and network communication routines can be provided in security layers. By moving these routines out of the kernel, we prevent attackers from leveraging bugs in these routines to evade sandbox containment. We demonstrate the effectiveness of our approach by studying past bugs in Java's standard libraries and show that most of these bugs would likely be contained in our sandbox.

    AB - Flaws in the standard libraries of secure sandboxes represent a major security threat to billions of devices worldwide. The standard libraries are hard to secure because they frequently need to perform low-level operations that are forbidden in untrusted application code. Existing designs have a single, large trusted computing base that contains security checks at the boundaries between trusted and untrusted code. Unfortunately, aws in the standard library often allow an attacker to escape the security protections of the sandbox.In this work, we construct a Python-based sandbox that has a small, security-isolated kernel. Using a mechanism called a security layer, we migrate privileged functionality into memory-safe code on top of the sandbox kernel while retaining isolation. For example, significant portions of module import, file I/O, serialization, and network communication routines can be provided in security layers. By moving these routines out of the kernel, we prevent attackers from leveraging bugs in these routines to evade sandbox containment. We demonstrate the effectiveness of our approach by studying past bugs in Java's standard libraries and show that most of these bugs would likely be contained in our sandbox.

    KW - Containment

    KW - Layering

    KW - Sandbox

    UR - http://www.scopus.com/inward/record.url?scp=78649981256&partnerID=8YFLogxK

    UR - http://www.scopus.com/inward/citedby.url?scp=78649981256&partnerID=8YFLogxK

    U2 - 10.1145/1866307.1866332

    DO - 10.1145/1866307.1866332

    M3 - Conference contribution

    AN - SCOPUS:78649981256

    SN - 9781450302449

    SP - 212

    EP - 223

    BT - CCS'10 - Proceedings of the 17th ACM Conference on Computer and Communications Security

    ER -