Notes Session 07 Application Confinement Security of Information Systems (SIS) Computer Science and Engineering Department November 18, 2020 1 / 29 Story So Far Notes I systems and system components have an attack surface I flaws in systems and system components may be exploited I input may be used maliciously I prevent existance and prevent exploitation of vulnerabilities I defender needs to limit damage 2 / 29 Limiting Damage Notes I isolate entire system, e.g. virtualization I isolate/confine system component (application), e.g. sandboxing I limit possible actions, limit accessible resources, e.g. prevent an app from using the network, prevent an app from reading data from other apps 3 / 29 Application Confinement Notes I What can an application do? What can an application access? I access control: subject, object I typically enforced at kernel level I What if it were enforced by a library at application level? I overhead I filesystem: users, file permissions, access control lists I configurable permissions: Android permissions, iOS Privacy Settings, Linux capabilities I sandboxing: jailing (filesystem), application sandboxing (kernel-enforced rules) 4 / 29 Remember: Malware Notes I application deployed on user device/workstation I may abuse resource use and access I doesn't require a vulnerability in an app, only a defect in the configuration or system I confining it reduces damage 5 / 29 Filesystem Access Control Notes I subject: process (UID) I object: file (UID, GID) I permissions or access control lists (attached to a file) 6 / 29 Android Permissions Notes I requests permissions at runtime I permission approval I enforcement at Android SDK level I signed permissions 7 / 29 iOS Privacy Settings Notes I database mappping between app and resource/service I Preferences app writes to database I may be turned on/off 8 / 29 Linux Capabilities Notes I security tokens providing privileges I attached to a given process I allow different permissions for processes belonging to the same user I may also be attached to an executable (similar to the setuid bit) 9 / 29 Linux Security Modules Notes I framework in Linux kernel I hooks for user-level system call I introduced in Linux kernel 2.6 11 / 29 MAC Implementations Notes I SELinux (2.6.0) I AppArmor (2.6.36) I Smack (2.6.25) I TOMOYO (2.6.30) I Yama (3.4) 12 / 29 SELinux Notes I inode based I uses labels - user:role:type:mls I policy based I modes I disabled I permissive I enforcing I other features I Role-Based Access Control (RBAC) I Multi-Level Security (MLS) I Multi-Category Security (MCS) 13 / 29 AppArmor Notes I path based I filesystem agnostic I profile based I hybrid modes I per object mode I learning mode 14 / 29 SMACK Notes I inode based I uses labels (most are kept in extended attribute { xattrs) I policy based I access I rwxa - same as DAC I t - transmutation I b - report in bringup mode I custom labels: *?@^ 15 / 29 Assets to Protect Notes I file descriptors I file system space I other processes I memory I network I everything else 17 / 29 Sandbox Implementations Notes I capabilities I jail I rule based (MAC) I Java Virtual Machine I HTML5 iframe sandbox I .NET Code Access Security 18 / 29 Breaking Sandboxing Notes I faulty sandbox rules I other faulty configuration I kernel vulnerability 19 / 29 Linux Seccomp Notes I minimize the exposed kernel surface I to be used by developers I uses BPF (Berkeley Packet Filtering) I requires support in kernel 20 / 29 Kernel Config Notes I CONFIG HAVE ARCH SECCOMP FILTER=y I CONFIG SECCOMP FILTER=y I CONFIG SECCOMP=y 21 / 29 Default Allowed Syscalls Notes I read I write I exit I sigreturn 22 / 29 Android Application Sandbox Notes I The sandbox is simple, auditable, and based on decades-old UNIX-style user separation of processes and file permissions. I SELinux-based I uses application UID to map sandbox to application 23 / 29 Sandbox Profiles Notes I set of rules I sandbox operations, sandbox filters I provided as binary blobs in the kernel image I attached to an application I some apps may use the same sandbox profile I some system services use no sandbox profile I entitlement-checks and sandbox extensions for differentiation between apps using same sandbox profile 25 / 29 container Sandbox Profile Notes I default sandbox profiles for all 3rd party apps I biggest sandbox profile 26 / 29 SandScout Notes I https://dl.acm.org/citation.cfm?id=2978336 I SandScout: Automatic Detection of Flaws in iOS Sandbox Profiles I systematic analysis of container sandbox profiles I found flaws: application collusion, device abuse, control bypass 27 / 29 Keywords Notes I MAC I access control SELinux, AppArmor, Linux Security Module I I SMACK I subject, object, permission I seccomp I capabilities I iOS sandboxing I profiles I privacy settings 29 / 29 Notes Notes Notes.