M. Alexander, Helen J. Wang, Yunxin Liu (Microsoft Research). Presented by Zhaoliang Duan.



Outline: Introduction; Design goal and contribution; Defining principals; Enforcing principal definitions; Implementation; Evaluation; Conclusion and future work


A sandbox runs programs in an isolated space that prevents them from making permanent changes to other programs and data on the computer.

Image source: http://www.sandboxie.com/


• It is not enough!
• Example: mutually distrusting content


• Having each application handle content protection has drawbacks


Leaving content isolation to the application is not good:
• Security of a user's cloud data is duplicated and entrusted to all of the user's applications
• Security logic in the application is often mixed with error-prone content processing logic


Design goal and contribution:


Contribution:
• Flexible isolation
• Compatibility with the browser's isolation policy
• Advocate a content-based principal model in which the OS treats content owners as its principals and isolates content of different owners from one another
• Generalize the content-based principal model from web browsers to all applications
• Easy adaptation of traditional applications


• No sharing across principals or isolation containers


Defining principals:


Principal labeling:
• Separate content ownership
• Trust list mechanism


Example (from the slide figure):
http://blog.com/alice/index.html
Trust list = http://blog.com/alice/*
http://youtube.com
http://blog.com/


Enforcing principal definitions:


Same-principal fetching: check with the IsSamePrincipal algorithm
• Owner public key
• Trust list

Cross-principal fetching: data communication; spawning a new principal
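A toy model of the principal labeling and IsSamePrincipal check described on the previous slides, added here as an illustration; it is not code from the paper or the deck. It assumes that a content item is labelled by its URL, an optional owner public key (a constructed placeholder string here) and a trust list of URL patterns, and that two items are the same principal when they share an owner key or when each one's trust list admits the other's URL (mutual trust is an assumption, since the deck only names the two inputs).

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional, Tuple


@dataclass(frozen=True)
class Content:
    """A fetched content item and its principal label."""
    url: str
    owner_key: Optional[str] = None        # placeholder for an owner public key
    trust_list: Tuple[str, ...] = ()       # URL glob patterns the owner trusts


def trusts(a: Content, b: Content) -> bool:
    """True if a's trust list admits b's URL."""
    return any(fnmatchcase(b.url, pattern) for pattern in a.trust_list)


def is_same_principal(a: Content, b: Content) -> bool:
    """Same principal: same URL, same owner key, or mutual trust-list match
    (the mutual-trust rule is an assumption of this model)."""
    if a.url == b.url:
        return True
    if a.owner_key is not None and a.owner_key == b.owner_key:
        return True
    return trusts(a, b) and trusts(b, a)


def fetch_kind(requester: Content, target: Content) -> str:
    """Classify a fetch: same-principal content may share the requester's
    container; cross-principal content gets a new principal and may only
    exchange data with the requester."""
    if is_same_principal(requester, target):
        return "same-principal"
    return "cross-principal"


# Constructed sample inputs mirroring the deck's figure.
ALICE_INDEX = Content("http://blog.com/alice/index.html",
                      trust_list=("http://blog.com/alice/*",))
ALICE_POST = Content("http://blog.com/alice/posts/1.html",
                     trust_list=("http://blog.com/alice/*",))
BLOG_ROOT = Content("http://blog.com/")          # host, but not trusted by Alice
YOUTUBE = Content("http://youtube.com")          # embedded third-party content
# Two documents on different hosts signed with the same (placeholder) owner key.
DOC_A = Content("http://cdn.example/report.doc", owner_key="owner-key-A")
DOC_B = Content("http://mail.example/attach/1", owner_key="owner-key-A")
```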


The bit lives in the response.

The bit lives in the request.


Implementation:


Wrapping operation: wrap the WinInet library used for HTTP communication so that its HTTP calls are remapped to invoke the ServiceOS fetch call

Applications with a plug-in interface: write add-in code that implements the CreatePI() and Embed() functions

Applications without a plug-in interface: modify the UI code to make room for embedded content

Adaptation onto ServiceOS is feasible.

21

Evaluation:

22

Content processing errors are widespread.

ServiceOS does not rely on large applications to enforce remote content security.

23

Test case 1: uses an RTF header stack overflow vulnerability to construct a malicious document

Test case 2: a malicious document that uses macros to perform the same attack

Application-based isolation would not be able to stop these two exploits, but ServiceOS stopped both.

24

Startup latencies:
• Compared with the startup time of the applications' native versions on Windows

Overheads on memory usage:
• Drawbridge
• Loading Excel's add-in libraries

Performance of content fetch APIs:
• Overhead increases with document size

25

Result 1: in all tests, ServiceOS adds less than 200 ms to connect to the monitor and initialize

26

Result 1: both applications carry a very small memory overhead

Result 2: no significant penalty for opening documents from the same owner, but documents from different owners carry a sizable memory overhead

27

Result 1: ServiceOS introduces some latency for passing content to renderers

Result 2: the overhead is amortized for larger document sizes

28

Conclusion and future work:

• Generalize web browsers' same-origin policy into an isolation policy suitable for all applications
• Advocate a content-based principal model that minimizes the impact of any content, including malicious content
• Built a substantial prototype system and adapted a number of real-world applications to it
• Plug-in code must be modified or added for each application
• Open question: how to partition the system into other meaningful pieces and how to set permissions for each piece
• In a contemporary OS, a simple bug in any of the kernel components allows the isolation mechanisms to be bypassed
