Games and the Impossibility of Realizable Ideal Functionality

Introduction to Information Security 0368-3065, Spring 2013

Lecture 6: Process confinement (cont.), smartphone security

Eran Tromer, Roei Schuster

Slides credit: Dan Boneh and John Mitchell, Stanford

1 Improved system call interposition: Systrace

user space monitored application monitor policy file (outlook) for app

open(“etc/passwd”, “r”)

sys-call systrace gateway permit/deny OS Kernel

• Systrace only forwards monitored sys-calls to monitor (saves context switches) • Systrace resolves sym-links and replaces sys-call path arguments by full path to target • When app calls execve, monitor loads new policy file • Fast path in kernel for common/easy cases, ask userspace for complicated/rare cases 2 Systrace policy

• Sample policy file: path allow /tmp/* path deny /etc/passwd network deny all

• Specifying policy for an app is quite difficult – Systrace can auto-gen policy by learning how app behaves on “good” inputs – If policy does not cover a specific sys-call, ask user … but user has no way to decide

• Difficulty with choosing policy for specific apps (e.g. browser) is main reason this approach is not widely used

3 Userspace sandboxing: Google Native Client (NaCl)

Untrusted x86 Browser code NPAPI HTML JavaScript

NaCl runtime • Run untrusted x86 for performance (e.g., Quake) • Two sandboxes: – Outer sandbox: restricts capabilities using system call interposition (on Linux: uses seccomp to tell the kernel to filter its system calls) – Inner sandbox: • Uses x86 memory segmentation to isolate application memory from one another • Restricts allowed machine code to protect the segmentation • Allows only a subset of x86; verified during loading.

4 Linux Security Modules (in-kernel)

• SELinux – Role-based user/process labels – Object labels • Identifies filesystem objects by inode and associated extended attribute (set via system policy) – Policy determines who can access what – Default policies, can be configured • Change policy and relabel filesystem • Manually relabel file system objects • AppArmor – Identified filesystem objects by path • Smack – Goal: simplicity All are Mandatory Access Control.

5 Summary

• Many sandboxing techniques: – Physical air gap, – Virtual air gap (VMMs) (later lecture) – System call interposition – Software Fault isolation (e.g., NaCl) – Application specific (e.g. Javascript in browser)

• Often complete isolation is inappropriate – Apps need to communicate through regulated interfaces

• Hardest aspect of sandboxing: – Specifying policy: what can apps do and not do

6 Continued to: Introduction to Mobile Platform Security (separate file)

7 7