Poster Description

Poster Description

Seamless Interaction Across Roles Chris Long Abstract Sophie Kim The SAVIOR system demonstrates a virtual desktop Chris Hill environment that partitions applications and data into Next Century isolated Roles for security, which run in separate virtual Falls Church, VA 22042, USA machines in the cloud. SAVIOR addresses two usability [email protected] issues with such an architecture: management of and [email protected] interaction with applications scattered across VMs in the [email protected] cloud, and secure information sharing across Roles. First, its custom Desktop application unifies Wole Omitowoju presentation and interaction across Roles and provides Kyle Drumm a user experience almost like running the applications Kevin Aranyi locally. The Desktop also provides a single interface for Next Century starting and stopping installed applications. Second, Annapolis Junction, MD 20701, SAVIOR allows sharing data across Roles with familiar USA clipboard operations and file sharing with single sign-on [email protected] to standard file servers, as permitted by the [email protected] administrator. For security, user credentials are never [email protected] shared with applications themselves or even the VMs they reside in. Copyright is held by the author/owner. Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee. Poster presented at the 15th Symposium on Usable Privacy Author Keywords and Security (SOUPS 2019). hcisec; usability; cloud computing; malware; virtual machines ACM Classification Keywords • Security and privacy~Usability in security and privacy • Security and privacy~Malware and its mitigation • Security and privacy~Virtualization and security • Human-centered computing~Interactive systems and tools • Computer systems organization~Cloud One challenge for partitioned systems such as this is computing that users sometimes do need to share information across these boundaries. To support this, SAVIOR Developer Role Introduction allows sharing across roles via SMB file shares (e.g., Desktop computer security is still a big problem. Windows, Samba) and clipboard copy & paste. Malware, phishing, and intruders are still prevalent. One reason for their success is that all applications run Related Work with access to all file and applications the user has SAVIOR was motivated in part by prior research access to. We have developed the SAVIOR system showing the need for security to be usable (e.g., [18]). (Secure Applications in Virtual Instantiations of Roles) It also adheres to many of the principals for usability to leverage virtualization and cloud computing to security espoused by [18] and [2], such as: you can't provide users with a more secure computing retrofit security, tools aren't solutions, and mind the environment that is still easy to use. upper layers. SAVIOR allow users to easily run unmodified There are many mechanisms available today for applications that have restricted access to resources, restricting application execution. These include including files, networking, and other applications. AppArmor [1] and SELinux [12], which both allow Unlike other similar solutions, SAVIOR partitions policies at the level of specific programs and files. applications using separate virtual machines running in Virtualization is also used for security, with systems the cloud, specifically Amazon Web Services (AWS) such as VirtualBox [23], VMWare [20], and Xen [4]. Elastic Computing Cloud (EC2). The separation of applications into roles limits their access to only the Several previous systems were designed to increase resources available in that role. For example, an Email security by limiting application actions while providing a Role that had only an email client installed (e.g., unified interface for interacting with them. Chameleon Thunderbird, Outlook) would not have access to the [7] and Polaris [19], for example, run applications as web or to the user's sensitive documents. As others different users to restrict applications. WindowBox [3] Web Browsing Role have discussed, while not a panacea, this type of and Janus [6] used process-level protections. Bromium compartmentalization will thwart many types of uses "micro-virtual machines" [5]. Apiary [15] uses Figure 1 Example SAVIOR malware and other threats. containerization provided by the operating system and Session. Switching among Roles a custom virtual layered file system. Qubes OS [17] is easy. For example, the The SAVIOR Desktop application provides a unified uses Xen domains. Unlike SAVIOR, none of these work terminal from the Developer Role interface for launching and seamlessly interacting with with cloud-based virtual machines, and only Qubes OS and web browser from the Web applications running on multiple virtual machines and supports multiple operating systems. Browser Role are visible simultaneously. operating systems, with a user experience nearly identical to running applications locally (see Figure 1). SAVIOR SAVIOR was designed with the following goals: ▪ Easy to use, specifically by being as similar to the Desktop standard desktop experience as possible. The Desktop is the application users run to authenticate ▪ Support for existing Linux and Windows applications, to SAVIOR, start and stop applications, and interact including Outlook and Microsoft Office. with running applications. As part of the overall SAVIOR ease-of-use design goal, the Desktop presents each ▪ Secure by design, via role-based partitioning. application in its own top-level window, as if it were ▪ Instrumented with sensors at multiple levels, to running locally, similar to "seamless" mode in provide data for security analytics. VirtualBox or "unity" mode in VMWare Workstation. ▪ Integrated with enterprise infrastructure: Active Directory authentication, single-sign-on access to file This goal significantly restricted our choice of remote shares and printers. protocol, because most remote protocols only support full desktop remoting (e.g., VNC [16]). For Linux The overall architecture of SAVIOR is shown in Figure applications, these constrained our choices to X [14] 2. Each user may be given access to any number of and Xpra [24]. We chose Xpra because unlike X, it is Roles and may run as many of these at a time as designed to work well over wide area networks. The desired. Each Role can be run any number of Linux Desktop natively implements the Xpra protocol. and/or Windows applications. Each Role is instantiated as a Xen hypervisor running on Amazon Elastic For Windows, only Microsoft's Remote Desktop Protocol Computing Cloud (EC2) and, if the Role includes (RDP) [10] with the remote application extension [11] Windows applications, Windows and Windows Display fit our requirements. Although the server is not open Server instances, also (see Figure 3). While a user's source, there are multiple open source clients (e.g., applications are running, a CIFS Proxy allows [21], [22], [25]). We considered either adding RDP authorized Roles to access files on standard Windows support directly to the SAVIOR Desktop, or adding an file servers. The Virtue Manager handles user intermediate computer running an RDP client and Xpra authentication to the system, user access to Roles, and server. We chose the RDP+Xpra approach for two startup and shutdown of EC2 instances. Its features are reasons. First, it required substantially less engineering. exposed as REST services, which can be secured with Second, by using an intermediary, the Windows Display https. Sensors run continuously and report many types Server, Windows applications remain running if there is of events to the Sensor Servers, including file access, a network problem or the Desktop exits. The WDS runs running processes, and network activity. The level of an Xpra server to which the Desktop connects and an detail of their reports can be dynamically varied. RDP client, connected to the Windows Application VM, for each Windows application that is running. All network connections in SAVIOR are secured. A few types of connections have their own security CIFS Proxy mechanisms, such as with Active Directory. Those that The CIFS (Common Internet File System [8]) Proxy do not, such as Xpra, are secured by tunneling via ssh. exists to satisfy two apparently contradictory goals: 1. to allow users access files shared with them on existing keeping hot spares and other avenues to reduce this Xen Linux VM remote file servers using single-sign-on, and 2. to deny time. Also, operating on files across Roles is not as Windows Linux DomU the applications that use those files access to the user's convenient as it could be. It is possible with shared file Display Server credentials for those files, thus limiting them to access servers and via the clipboard, but direct access [7] [19] granted to their Role. To resolve this conundrum, the would be better. Sensors RDP CIFS Proxy acts as an intermediary between virtual machines running user applications and the file servers SAVIOR was designed specifically to run on AWS EC2. DHCP Unikernel Windows VM DomU hosting the shared files. It connects to the file server Some components, such as the Desktop, are not on the user's behalf and mounts the file share (i.e., a sensitive to the specific cloud technology, but others, Dom0 specific set of shared files). It then exposes this share such as the Virtue Manager, have substantial ties to Sensors Sensors only to virtual machines in roles

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    6 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us