Notes
Session 07 Application Confinement
Security of Information Systems (SIS)
Computer Science and Engineering Department
November 18, 2020
1 / 29
Story So Far Notes
I systems and system components have an attack surface I flaws in systems and system components may be exploited I input may be used maliciously I prevent existance and prevent exploitation of vulnerabilities I defender needs to limit damage
2 / 29
Limiting Damage Notes
I isolate entire system, e.g. virtualization I isolate/confine system component (application), e.g. sandboxing I limit possible actions, limit accessible resources, e.g. prevent an app from using the network, prevent an app from reading data from other apps
3 / 29
Application Confinement Notes
I What can an application do? What can an application access? I access control: subject, object I typically enforced at kernel level I What if it were enforced by a library at application level? I overhead I filesystem: users, file permissions, access control lists I configurable permissions: Android permissions, iOS Privacy Settings, Linux capabilities I sandboxing: jailing (filesystem), application sandboxing (kernel-enforced rules)
4 / 29 Remember: Malware Notes
I application deployed on user device/workstation I may abuse resource use and access I doesn’t require a vulnerability in an app, only a defect in the configuration or system I confining it reduces damage
5 / 29
Filesystem Access Control Notes
I subject: process (UID) I object: file (UID, GID) I permissions or access control lists (attached to a file)
6 / 29
Android Permissions Notes
I requests permissions at runtime I permission approval I enforcement at Android SDK level I signed permissions
7 / 29 iOS Privacy Settings Notes
I database mappping between app and resource/service I Preferences app writes to database I may be turned on/off
8 / 29 Linux Capabilities Notes
I security tokens providing privileges I attached to a given process I allow different permissions for processes belonging to the same user I may also be attached to an executable (similar to the setuid bit)
9 / 29
Linux Security Modules Notes
I framework in Linux kernel I hooks for user-level system call I introduced in Linux kernel 2.6
11 / 29
MAC Implementations Notes
I SELinux (2.6.0) I AppArmor (2.6.36) I Smack (2.6.25) I TOMOYO (2.6.30) I Yama (3.4)
12 / 29
SELinux Notes
I inode based I uses labels - user:role:type:mls I policy based I modes I disabled I permissive I enforcing I other features I Role-Based Access Control (RBAC) I Multi-Level Security (MLS) I Multi-Category Security (MCS)
13 / 29 AppArmor Notes
I path based I filesystem agnostic I profile based I hybrid modes I per object mode I learning mode
14 / 29
SMACK Notes
I inode based I uses labels (most are kept in extended attribute – xattrs) I policy based I access I rwxa - same as DAC I t - transmutation I b - report in bringup mode I custom labels: *?@ˆ
15 / 29
Assets to Protect Notes
I file descriptors I file system space I other processes I memory I network I everything else
17 / 29
Sandbox Implementations Notes
I capabilities I jail I rule based (MAC) I Java Virtual Machine I HTML5 iframe sandbox I .NET Code Access Security
18 / 29 Breaking Sandboxing Notes
I faulty sandbox rules I other faulty configuration I kernel vulnerability
19 / 29
Linux Seccomp Notes
I minimize the exposed kernel surface I to be used by developers I uses BPF (Berkeley Packet Filtering) I requires support in kernel
20 / 29
Kernel Config Notes
I CONFIG HAVE ARCH SECCOMP FILTER=y I CONFIG SECCOMP FILTER=y I CONFIG SECCOMP=y
21 / 29
Default Allowed Syscalls Notes
I read I write I exit I sigreturn
22 / 29 Android Application Sandbox Notes
I The sandbox is simple, auditable, and based on decades-old UNIX-style user separation of processes and file permissions. I SELinux-based I uses application UID to map sandbox to application
23 / 29
Sandbox Profiles Notes
I set of rules I sandbox operations, sandbox filters I provided as binary blobs in the kernel image I attached to an application I some apps may use the same sandbox profile I some system services use no sandbox profile I entitlement-checks and sandbox extensions for differentiation between apps using same sandbox profile
25 / 29 container Sandbox Profile Notes
I default sandbox profiles for all 3rd party apps I biggest sandbox profile
26 / 29
SandScout Notes
I https://dl.acm.org/citation.cfm?id=2978336 I SandScout: Automatic Detection of Flaws in iOS Sandbox Profiles I systematic analysis of container sandbox profiles I found flaws: application collusion, device abuse, control bypass
27 / 29 Keywords Notes
I MAC I access control SELinux, AppArmor, Linux Security Module I I SMACK I subject, object, permission I seccomp I capabilities I iOS sandboxing I profiles I privacy settings
29 / 29
Notes
Notes
Notes