Sandboxing Mobile Code Execution Environments

Anup K. Ghosh, Ph.D., [email protected]
DARPA Joint Intrusion Detection and Information Assurance Principal Investigator Meeting, August 2-6, 1999, Phoenix, AZ
www.rstcorp.com


Transcript of Sandboxing Mobile Code Execution Environments

Page 1: Sandboxing Mobile Code Execution Environments

Sandboxing Mobile Code Execution Environments

Anup K. Ghosh, [email protected]

DARPA Joint Intrusion Detection and Information Assurance Principal Investigator Meeting, August 2-6, 1999, Phoenix, AZ

www.rstcorp.com

Page 2: Sandboxing Mobile Code Execution Environments

The Problem We are Addressing: Untrusted Code

Protecting computing host platforms from untrusted mobile code:

- Java applets
- ActiveX controls
- JavaScripts
- VBscripts/macros
- multimedia files

Page 3: Sandboxing Mobile Code Execution Environments

Properties of Mobile Code

- Comes in a variety of forms
- Often runs unannounced and unbeknownst to the user
- Runs with the privilege of the user
- Distributed in executable form
- Runs in multiple threads
- Can launch other programs

Page 4: Sandboxing Mobile Code Execution Environments

Mobile Code Trojans: Do you know what you are running?

- Demo of hostile Java applet
- Ed Felten of Princeton University:

“Given the choice of safer systems or dancing pigs, the average user will always opt for dancing pigs.”

Page 5: Sandboxing Mobile Code Execution Environments

Technical Objectives

Prevent untrusted mobile code from:

- writing to file system
- reading from file system
- executing programs
- network access except those on permitted ports
- reading/writing to/from system devices

Detect/prevent previously unseen mobile code attacks

Page 6: Sandboxing Mobile Code Execution Environments

Mobile Code Security (diagram: source code is compiled at the originating site; code is transformed, interpreted and executed at the host site, passing a boundary controller and the kernel)

Originating site protection means:

- type safety
- annotation
- PCC
- static checks

Host site protection means:

- firewall/scanning
- wrapping/SFI
- VM/RTS extensions
- dynamic checks
- DTE/sandboxing

Page 7: Sandboxing Mobile Code Execution Environments

Observations on Protection Mechanisms

- Language-based: limited to a particular language; one policy does not fit all; still need dynamic checks
- Code wrapping: address containment only; bypassable; difficult to wrap all code
- Firewalls/Scanners: binary policies; novel code defeats scanners
- Interpreter: particular to code; different models for different code
- Kernel protection: requires OS extensions; policy specification

Page 8: Sandboxing Mobile Code Execution Environments

Sandboxing Approaches and Pitfalls

- Wrap API calls for mobile code threads: code can make direct calls to kernel; code can alter memory of other threads
- Wrap kernel calls for large applications: policies for browsers are necessarily lax and problematic for preventing malicious behavior from mobile code.

Page 9: Sandboxing Mobile Code Execution Environments

Technical Approach

- Specify security policy in code/platform-independent language
- Separate policy specification from policy enforcement
- Compile policies to specific platform
- Address policy problems for mobile code host platforms
- Implement kernel extensions for WinNT/Solaris

Page 10: Sandboxing Mobile Code Execution Environments

Applying Approach to the Windows NT Platform

- Wrap access to system resources in kernel (ring 0); API wrapping is bypassable: file system, registry, network, devices
- Use kernel extensions to WinNT known as filter drivers (VxD programming) to hook all access to system resources

Page 11: Sandboxing Mobile Code Execution Environments

WinNT Architecture

Page 12: Sandboxing Mobile Code Execution Environments

Sandboxing Win32 Processes

Page 13: Sandboxing Mobile Code Execution Environments

Sandboxing on Solaris

Page 14: Sandboxing Mobile Code Execution Environments

Developing Policies for Mobile Code Hosts

- Most mobile code hosts are large multi-use applications: Web browsers, mailers, desktop automation (word processors, spreadsheets, etc.)
- These applications necessarily need to read and write to file system, add new modules, read and write to network resources.
- Problem: how to develop a useful policy in light of these multi-use requirements

Page 15: Sandboxing Mobile Code Execution Environments

Potential Solutions

- Wrap mobile code threads. Problem: mobile code can corrupt mobile code host memory
- Wrap entire application with restrictive policy. Problem: makes desktop applications useless
- Note when application executes mobile code and implement strict policy then
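The policy ideas on the Technical Objectives, Technical Approach and Potential Solutions slides, as an added illustration that is not code from the RST project: one platform-independent policy object is evaluated by a simulated sandbox monitor, which applies the strict policy only while the host application signals that it is executing mobile code and records every decision for an audit log. The Policy field names, the event tuples, the start/end signals and the permitted port numbers are assumptions made for this example.

```python
# Added example (not RST's code); field names, event tuples and ports are assumptions.
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    deny_file_write: bool = True
    deny_file_read: bool = True
    deny_exec: bool = True
    permitted_ports: frozenset = frozenset()   # None means any port is allowed

STRICT = Policy(permitted_ports=frozenset({80, 443}))  # "Technical Objectives" slide; ports assumed
LAX = Policy(False, False, False, None)                 # a browser's own trusted activity

def evaluate(policy, event):
    """True if policy allows event; unknown operations are denied by default."""
    op, *args = event
    if op == "file_write": return not policy.deny_file_write
    if op == "file_read":  return not policy.deny_file_read
    if op == "exec":       return not policy.deny_exec
    if op == "connect":    # args = (host, port)
        return policy.permitted_ports is None or args[1] in policy.permitted_ports
    return False

class SandboxMonitor:
    """Simulated enforcement point; a kernel wrapper would call check() per call."""
    def __init__(self):
        self.mobile_code_running = False   # set by host start/end signals
        self.audit_log = []                # (policy name, event, allowed)

    def check(self, event):
        if event[0] in ("mobile_code_start", "mobile_code_end"):
            self.mobile_code_running = event[0] == "mobile_code_start"
            return True
        policy = STRICT if self.mobile_code_running else LAX
        allowed = evaluate(policy, event)
        self.audit_log.append(("strict" if policy is STRICT else "lax", event, allowed))
        return allowed

def run_trace(events):
    mon = SandboxMonitor()                 # one allow/deny decision per event
    return [mon.check(e) for e in events]

DEMO_TRACE = [  # constructed trace: browser housekeeping, hostile applet, browser
    ("file_read", "/home/user/.netscape/cache"),   # lax: allowed
    ("mobile_code_start",),
    ("file_write", "/home/user/report.doc"),        # strict: denied
    ("connect", "www.example.com", 80),             # strict: permitted port
    ("connect", "mail.example.com", 25),            # strict: denied
    ("mobile_code_end",),
    ("file_write", "/home/user/.netscape/cache")]   # lax again: allowed
```

Running `run_trace(DEMO_TRACE)` shows the same file write being denied inside the applet's window and allowed outside it, which is the point of switching policies rather than wrapping the whole browser.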

Page 16: Sandboxing Mobile Code Execution Environments

Technical Hurdles

- Developing expressive, robust, code/platform-independent, and simple policy specification language
- Performance penalties with kernel wrapping approach
- Determining when mobile code is executing
- Addressing DoS/resource consumption attacks

Page 17: Sandboxing Mobile Code Execution Environments

Quantitative Metrics

- Benchmark process performance with and without kernel wrapping
- Evaluate sandbox approach against malicious mobile code: hostile Java applets, hostile ActiveX controls, JavaScripts that use controls
- Compare against other sandboxing approaches

Page 18: Sandboxing Mobile Code Execution Environments

Expected Achievements

- Develop and release kernel wrapping libraries for Windows NT
- Develop and release sandbox for mobile code platforms
- Evaluate approach against malicious mobile code
- Overcome hurdles in state-of-the-art sandboxing

Page 19: Sandboxing Mobile Code Execution Environments

Task Schedule: Year 1

- Develop policy specification language
- Build kernel level filter drivers for NT
- Develop sandbox monitor & implement policies
- Benchmark Windows NT prototype against attacks
- Benchmark performance penalty of kernel-level wrapping

Page 20: Sandboxing Mobile Code Execution Environments

Task Schedule (cont'd): Year 2

- Develop functions for processing Solaris callbacks using the /proc interface
- Develop sandbox shell
- Create an audit monitor for logging system calls
- Adapt sandbox monitor for Solaris
- Benchmark prototype

Page 21: Sandboxing Mobile Code Execution Environments

Technology Transfer

- Release kernel-level wrapping libraries to the public domain
- Support full observability and controllability of Win32 processes
- Support intrusion detection initiatives on Win32 platform
- Release sandboxing technology

Page 22: Sandboxing Mobile Code Execution Environments

Questions?

Contact info:

- [email protected]
- www.rstcorp.com
- www.rstcorp.com/papers/
- www.rstcorp.com/~anup/
- www.rstcorp.com/books/ecs/