Session 07 Application Conﬁnement

Notes

Security of Information Systems (SIS)

Computer Science and Engineering Department

November 18, 2020

1 / 29

Story So Far Notes

I systems and system components have an attack surface I ﬂaws in systems and system components may be exploited I input may be used maliciously I prevent existance and prevent exploitation of vulnerabilities I defender needs to limit damage

2 / 29

Limiting Damage Notes

I isolate entire system, e.g. virtualization I isolate/conﬁne system component (application), e.g. sandboxing I limit possible actions, limit accessible resources, e.g. prevent an app from using the network, prevent an app from reading data from other apps

3 / 29

Application Conﬁnement Notes

I What can an application do? What can an application access? I access control: subject, object I typically enforced at kernel level I What if it were enforced by a library at application level? I overhead I filesystem: users, file permissions, access control lists I configurable permissions: Android permissions, iOS Privacy Settings, Linux capabilities I sandboxing: jailing (filesystem), application sandboxing (kernel-enforced rules)

4 / 29 Remember: Malware Notes

I application deployed on user device/workstation I may abuse resource use and access I doesn’t require a vulnerability in an app, only a defect in the conﬁguration or system I conﬁning it reduces damage

5 / 29

Filesystem Access Control Notes

I subject: process (UID) I object: ﬁle (UID, GID) I permissions or access control lists (attached to a ﬁle)

6 / 29

Android Permissions Notes

I requests permissions at runtime I permission approval I enforcement at Android SDK level I signed permissions

7 / 29 iOS Privacy Settings Notes

I database mappping between app and resource/service I Preferences app writes to database I may be turned on/oﬀ

8 / 29 Linux Capabilities Notes

I security tokens providing privileges I attached to a given process I allow diﬀerent permissions for processes belonging to the same user I may also be attached to an executable (similar to the setuid bit)

9 / 29

Linux Security Modules Notes

I framework in Linux kernel I hooks for user-level system call I introduced in Linux kernel 2.6

11 / 29

MAC Implementations Notes

I SELinux (2.6.0) I AppArmor (2.6.36) I Smack (2.6.25) I TOMOYO (2.6.30) I Yama (3.4)

12 / 29

SELinux Notes

I inode based I uses labels - user:role:type:mls I policy based I modes I disabled I permissive I enforcing I other features I Role-Based Access Control (RBAC) I Multi-Level Security (MLS) I Multi-Category Security (MCS)

13 / 29 AppArmor Notes

I path based I ﬁlesystem agnostic I proﬁle based I hybrid modes I per object mode I learning mode

14 / 29

SMACK Notes

I inode based I uses labels (most are kept in extended attribute – xattrs) I policy based I access I rwxa - same as DAC I t - transmutation I b - report in bringup mode I custom labels: *?@ˆ

15 / 29

Assets to Protect Notes

I ﬁle descriptors I ﬁle system space I other processes I memory I network I everything else

17 / 29

Sandbox Implementations Notes

I capabilities I jail I rule based (MAC) I Java Virtual Machine I HTML5 iframe sandbox I .NET Code Access Security

18 / 29 Breaking Sandboxing Notes

I faulty sandbox rules I other faulty conﬁguration I kernel vulnerability

19 / 29

Linux Seccomp Notes

I minimize the exposed kernel surface I to be used by developers I uses BPF (Berkeley Packet Filtering) I requires support in kernel

20 / 29

Kernel Conﬁg Notes

I CONFIG HAVE ARCH SECCOMP FILTER=y I CONFIG SECCOMP FILTER=y I CONFIG SECCOMP=y

21 / 29

Default Allowed Syscalls Notes

I read I write I exit I sigreturn

22 / 29 Android Application Sandbox Notes

I The sandbox is simple, auditable, and based on decades-old UNIX-style user separation of processes and ﬁle permissions. I SELinux-based I uses application UID to map sandbox to application

23 / 29

Sandbox Proﬁles Notes

I set of rules I sandbox operations, sandbox filters I provided as binary blobs in the kernel image I attached to an application I some apps may use the same sandbox profile I some system services use no sandbox profile I entitlement-checks and sandbox extensions for differentiation between apps using same sandbox profile

25 / 29 container Sandbox Proﬁle Notes

I default sandbox proﬁles for all 3rd party apps I biggest sandbox proﬁle

26 / 29

SandScout Notes

I https://dl.acm.org/citation.cfm?id=2978336 I SandScout: Automatic Detection of Flaws in iOS Sandbox Profiles I systematic analysis of container sandbox profiles I found flaws: application collusion, device abuse, control bypass

27 / 29 Keywords Notes

I MAC I access control SELinux, AppArmor, Linux Security Module I I SMACK I subject, object, permission I seccomp I capabilities I iOS sandboxing I proﬁles I privacy settings

29 / 29

Notes