A Study of Security Isolation Techniques

Shu, Rui; Wang, Peipei; Gorski, Sigmund Albert; Andow, Benjamin; Nadkarni, Adwait; Deshotels, Luke; Gionta, Jason; Enck, William; Gu, Xiaohui

doi:10.1145/2988545

Cited by 23 publications

(18 citation statements)

References 66 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The process confinement problem dates back half a century [28]. Dozens of tools and frameworks, some more practical than others, have been proposed to limit the impact of untrusted software on the rest of the system [43]. The isolation provided by containers is really a form of operating system virtualization, something that has a long history on Unix, with implementations including the standard chroot(2), BSD jails [25] and Solaris Zones [38].…”

Section: Motivationmentioning

confidence: 99%

bpfbox

Findlay

Somayaji

Barrera

2020

Proceedings of the 2020 ACM SIGSAC Conference on Cloud Computing Security Workshop

View full text Add to dashboard Cite

Process confinement is a key requirement for workloads in the cloud and in other contexts. Existing process confinement mechanisms on Linux, however, are complex and inflexible because they are implemented using a combination of primitive abstractions (e.g., namespaces, cgroups) and complex security mechanisms (e.g., SELinux, AppArmor) that were designed for purposes beyond basic process confinement. We argue that simple, efficient, and flexible confinement can be better implemented today using eBPF, an emerging technology for safely extending the Linux kernel. We present a proof-of-concept confinement application, bpfbox, that uses less than 2000 lines of kernelspace code and allows for confinement at the userspace function, system call, LSM hook, and kernelspace function boundaries-something that no existing process confinement mechanism can do. Further, it does so using a policy language simple enough to use for ad-hoc confinement purposes. This paper presents the motivation, design, implementation, and benchmarks of bpfbox, including a sample web server confinement policy. CCS CONCEPTS • Security and privacy → Operating systems security; Access control.

show abstract

Section: Motivationmentioning

confidence: 99%

bpfbox

Findlay

Somayaji

Barrera

2020

Proceedings of the 2020 ACM SIGSAC Conference on Cloud Computing Security Workshop

View full text Add to dashboard Cite

show abstract

“…Since Wahbe et al [35] proposed their initial technique for SFI, there has been a number of proposals for efficiently confining untrusted software to a memory sandbox (see [23,24,31,32,34,37,39]). One of the most prominent is Google's Native Client (NaCl) [37], which provides an infrastructure for executing untrusted native code in a web browser.…”

Section: Related Workmentioning

confidence: 99%

Compiling Sandboxes: Formally Verified Software Fault Isolation

Besson

Blazy

Dang

et al. 2019

Programming Languages and Systems

View full text Add to dashboard Cite

Software Fault Isolation (SFI) is a security-enhancing program transformation for instrumenting an untrusted binary module so that it runs inside a dedicated isolated address space, called a sandbox. To ensure that the untrusted module cannot escape its sandbox, existing approaches such as Google's Native Client rely on a binary verifier to check that all memory accesses are within the sandbox. Instead of relying on a posteriori verification, we design, implement and prove correct a program instrumentation phase as part of the formally verified compiler CompCert that enforces a sandboxing security property a priori. This eliminates the need for a binary verifier and, instead, leverages the soundness proof of the compiler to prove the security of the sandboxing transformation. The technical contributions are a novel sandboxing transformation that has a well-defined C semantics and which supports arbitrary function pointers, and a formally verified C compiler that implements SFI. Experiments show that our formally verified technique is a competitive way of implementing SFI.

show abstract

“…Since the advent of multi-processing and multi-tenant systems in the 1960s and 1970s [36,119,150] with Multics and Unix, security experts have been concerned with designing systems in such a way that two running programs minimally interfere with one another. Since then, an abundance of tools and frameworks, some more practical than others, have been proposed to limit the damage that untrusted software can do to the system as a whole [128]. These are covered in more depth in Chapter 2.…”

Section: Why Design a New Confinement Framework?mentioning

confidence: 99%

“…Mandatory access control solutions based on LSM (Linux Security Modules) hooks can be configured to define and enforce powerful per-application policies, protecting system resources from unwanted access. Unix DAC (Discretionary Access Control) [75,107,119,128] restricts access to system resources according to resource owners, groups, permission bits, and access control lists. When applied to container security, the common problem faced by these security mechanisms is that they are being applied to solve a problem for which they were not originally designed.…”

Section: Why Design a New Confinement Framework?mentioning

confidence: 99%

“…Although discretionary access control provides a convenient and intuitive user-centric model for object ownership and permissions, it makes some dangerous assumptions about security that can totally invalidate the model in practice [128]. In particular, DAC assumes that all processes are benign and contain no exploitable vulnerabilities.…”

Section: Dac Security Assumptions and Attacksmentioning

confidence: 99%

See 1 more Smart Citation

A Practical, Lightweight, and Flexible Confinement Framework in eBPF

Findlay¹

View full text Add to dashboard Cite

show abstract

A Study of Security Isolation Techniques

Cited by 23 publications

References 66 publications

bpfbox

bpfbox

Compiling Sandboxes: Formally Verified Software Fault Isolation

A Practical, Lightweight, and Flexible Confinement Framework in eBPF

Contact Info

Product

Resources

About