Page 1

Sandboxing Mobile Code Execution Environments

Anup K. Ghosh, Ph.D., anup.ghosh@computer.org

DARPA Joint Intrusion Detection and Information Assurance Principal Investigator Meeting
August 2-6, 1999
Phoenix, AZ

www.rstcorp.com

Page 2

The Problem We Are Addressing: Untrusted Code

Protecting computing host platforms from untrusted mobile code:
- Java applets
- ActiveX controls
- JavaScripts
- VBScripts/macros
- multimedia files

Page 3

Properties of Mobile Code

- Comes in a variety of forms
- Often runs unannounced and unbeknownst to the user
- Runs with the privilege of the user
- Distributed in executable form
- Runs in multiple threads
- Can launch other programs

Page 4

Mobile Code Trojans: Do you know what you are running?

Demo of hostile Java applet

Ed Felten of Princeton University:

“Given the choice of safer systems or dancing pigs, the average user will always opt for dancing pigs.”

Page 5

Technical Objectives

Prevent untrusted mobile code from:
- writing to the file system
- reading from the file system
- executing programs
- network access, except on permitted ports
- reading/writing to/from system devices

Detect/prevent previously unseen mobile code attacks

Page 6

Mobile Code Security

[Diagram: the path of mobile code from the originating site to the host site, with the protection means available at each stage]

Originating site: source code -> compiler -> code
Protection means at the originating site:
- type safety
- annotation
- PCC (proof-carrying code)
- static checks

Host site components: boundary controller, code transformation, interpreter, kernel, exec
Protection means at the host site:
- firewall/scanning
- wrapping/SFI (software fault isolation)
- VM/RTS (runtime system) extensions
- dynamic checks
- DTE (domain and type enforcement)/sandboxing

Page 7

Observations on Protection Mechanisms

- Language-based: limited to a particular language; one policy does not fit all; still need dynamic checks
- Code wrapping: address containment only; bypassable; difficult to wrap all code
- Firewalls/scanners: binary policies; novel code defeats scanners
- Interpreter: particular to the code; different models for different code
- Kernel protection: requires OS extensions; requires policy specification

Page 8

Sandboxing Approaches and Pitfalls

- Wrap API calls for mobile code threads: code can make direct calls to the kernel; code can alter the memory of other threads
- Wrap kernel calls for large applications: policies for browsers are necessarily lax and problematic for preventing malicious behavior from mobile code

Page 9

Technical Approach

- Specify the security policy in a code/platform-independent language
- Separate policy specification from policy enforcement
- Compile policies to a specific platform
- Address policy problems for mobile code host platforms
- Implement kernel extensions for WinNT/Solaris

Page 10

Applying Approach to the Windows NT Platform

- Wrap access to system resources (file system, registry, network, devices) in the kernel (ring 0); API wrapping is bypassable
- Use kernel extensions to WinNT known as filter drivers (VxD programming) to hook all access to system resources

Page 11

WinNT Architecture

Page 12

Sandboxing Win32 Processes

Page 13

Sandboxing on Solaris

Page 14

Developing Policies for Mobile Code Hosts

Most mobile code hosts are large multi-use applications: Web browsers, mailers, desktop automation (word processors, spreadsheets, etc.). These applications necessarily need to read and write to the file system, add new modules, and read and write to network resources.

Problem: how to develop a useful policy in light of these multi-use requirements

Page 15

Potential Solutions

- Wrap mobile code threads. Problem: mobile code can corrupt mobile code host memory
- Wrap the entire application with a restrictive policy. Problem: makes desktop applications useless
- Note when the application executes mobile code and implement a strict policy then
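The policy model of the Technical Approach and Potential Solutions slides (specification separated from enforcement; a lax host policy that switches to a strict one only while the host is executing mobile code; every decision logged) as an added Python simulation. This is example code written for this page, not RST's sandbox or its policy language: the rule syntax, the resource names and the sample paths are assumptions, and a user-mode class stands in for the kernel-level monitor.

```python
import fnmatch
from dataclasses import dataclass, field

# Constructed toy policy syntax (my assumption): <allow|deny> <resource> [<glob>]; first match wins, else deny
STRICT_POLICY = """
deny  file_write  *
allow net_connect 443
deny  net_connect *
"""
HOST_POLICY = """
allow file_write  *
allow net_connect *
"""

def parse_policy(text):
    # Policy specification: turn policy text into (allowed, resource, glob) rules
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if parts:
            rules.append((parts[0] == "allow", parts[1], parts[2] if len(parts) > 2 else "*"))
    return rules

@dataclass
class SandboxMonitor:
    # Policy enforcement: the decision a kernel-level monitor would make per access
    host_rules: list
    strict_rules: list
    mobile_code_active: bool = False    # set by the host when an applet/control starts
    audit: list = field(default_factory=list)   # audit trail of every decision

    def check(self, resource, arg="*"):
        rules = self.strict_rules if self.mobile_code_active else self.host_rules
        decision = False                # default deny when no rule matches
        for allowed, res, glob in rules:
            if res == resource and fnmatch.fnmatch(str(arg), glob):
                decision = allowed
                break
        self.audit.append((self.mobile_code_active, resource, str(arg), decision))
        return decision

def demo():
    # Same process, same file: allowed for the host, denied while mobile code runs
    mon = SandboxMonitor(parse_policy(HOST_POLICY), parse_policy(STRICT_POLICY))
    results = [mon.check("file_write", "C:/docs/report.doc")]
    mon.mobile_code_active = True       # host signals that an applet has started
    results += [mon.check("file_write", "C:/docs/report.doc"),
                mon.check("net_connect", 443), mon.check("net_connect", 25)]
    mon.mobile_code_active = False      # applet finished; host policy applies again
    return results + [mon.check("file_write", "C:/docs/report.doc")]
```

The audit list is what a logging monitor of system calls would record; a default-deny result for a resource class with no rule at all is the behaviour the strict mode relies on.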

Page 16

Technical Hurdles

Developing expressive, robust, code/platform-independent, and simple policy specification language

Performance penalties with kernel wrapping approach

Determining when mobile code is executing

Addressing DoS/resource consumption attacks

Page 17

Quantitative Metrics

Benchmark process performance with and without kernel wrapping

Evaluate the sandbox approach against malicious mobile code:
- hostile Java applets
- hostile ActiveX controls
- JavaScripts that use controls

Compare against other sandboxing approaches

Page 18

Expected Achievements

Develop and release kernel wrapping libraries for Windows NT

Develop and release sandbox for mobile code platforms

Evaluate approach against malicious mobile code

Overcome hurdles in state-of-the-art sandboxing

Page 19

Task Schedule

Year 1
- Develop policy specification language
- Build kernel-level filter drivers for NT
- Develop sandbox monitor & implement policies
- Benchmark Windows NT prototype against attacks
- Benchmark performance penalty of kernel-level wrapping

Page 20

Task Schedule (cont’d)

Year 2
- Develop functions for processing Solaris callbacks using the /proc interface
- Develop sandbox shell
- Create an audit monitor for logging system calls
- Adapt sandbox monitor for Solaris
- Benchmark prototype

Page 21

Technology Transfer

Release kernel-level wrapping libraries to the public domain

Support full observability and controllability of Win32 processes

Support intrusion detection initiatives on Win32 platform

Release sandboxing technology

Page 22

Questions?

Contact info: anup.ghosh@computer.org
- www.rstcorp.com
- www.rstcorp.com/papers/
- www.rstcorp.com/~anup/
- www.rstcorp.com/books/ecs/