TY - GEN
T1 - Retaining sandbox containment despite bugs in privileged memory-safe code
AU - Cappos, Justin
AU - Dadgar, Armon
AU - Rasley, Jeff
AU - Samuel, Justin
AU - Beschastnikh, Ivan
AU - Barsan, Cosmin
AU - Krishnamurthy, Arvind
AU - Anderson, Thomas
PY - 2010
Y1 - 2010
N2 - Flaws in the standard libraries of secure sandboxes represent a major security threat to billions of devices worldwide. The standard libraries are hard to secure because they frequently need to perform low-level operations that are forbidden in untrusted application code. Existing designs have a single, large trusted computing base that contains security checks at the boundaries between trusted and untrusted code. Unfortunately, aws in the standard library often allow an attacker to escape the security protections of the sandbox.In this work, we construct a Python-based sandbox that has a small, security-isolated kernel. Using a mechanism called a security layer, we migrate privileged functionality into memory-safe code on top of the sandbox kernel while retaining isolation. For example, significant portions of module import, file I/O, serialization, and network communication routines can be provided in security layers. By moving these routines out of the kernel, we prevent attackers from leveraging bugs in these routines to evade sandbox containment. We demonstrate the effectiveness of our approach by studying past bugs in Java's standard libraries and show that most of these bugs would likely be contained in our sandbox.
AB - Flaws in the standard libraries of secure sandboxes represent a major security threat to billions of devices worldwide. The standard libraries are hard to secure because they frequently need to perform low-level operations that are forbidden in untrusted application code. Existing designs have a single, large trusted computing base that contains security checks at the boundaries between trusted and untrusted code. Unfortunately, aws in the standard library often allow an attacker to escape the security protections of the sandbox.In this work, we construct a Python-based sandbox that has a small, security-isolated kernel. Using a mechanism called a security layer, we migrate privileged functionality into memory-safe code on top of the sandbox kernel while retaining isolation. For example, significant portions of module import, file I/O, serialization, and network communication routines can be provided in security layers. By moving these routines out of the kernel, we prevent attackers from leveraging bugs in these routines to evade sandbox containment. We demonstrate the effectiveness of our approach by studying past bugs in Java's standard libraries and show that most of these bugs would likely be contained in our sandbox.
KW - Containment
KW - Layering
KW - Sandbox
UR - http://www.scopus.com/inward/record.url?scp=78649981256&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=78649981256&partnerID=8YFLogxK
U2 - 10.1145/1866307.1866332
DO - 10.1145/1866307.1866332
M3 - Conference contribution
AN - SCOPUS:78649981256
SN - 9781450302449
T3 - Proceedings of the ACM Conference on Computer and Communications Security
SP - 212
EP - 223
BT - CCS'10 - Proceedings of the 17th ACM Conference on Computer and Communications Security
T2 - 17th ACM Conference on Computer and Communications Security, CCS'10
Y2 - 4 October 2010 through 8 October 2010
ER -