A SECURE JAILING SYSTEM FOR CONFINING UNTRUSTED APPLICATIONS Guido Noordende, ´Ad´am Balogh, Rutger Hofman, Frances M. T. Brazier, and Andrew S. Tanenbaum.

Slides:



Advertisements
Similar presentations
Traps and Pitfalls: Practical Problems in System Call Interposition Based Security Tools Vinay Gangasani vcg
Advertisements

Chapter 6 Security Kernels.
Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 4: Multithreaded Programming.
Threads. Objectives To introduce the notion of a thread — a fundamental unit of CPU utilization that forms the basis of multithreaded computer systems.
Silberschatz, Galvin and Gagne ©2009Operating System Concepts – 8 th Edition Chapter 4: Threads.
Threads.
CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.
Fundamentals of Computer Security Geetika Sharma Fall 2008.
Security Presented by : Qing Ma. Introduction Security overview security threats password security, encryption and network security as specific.
Chapter 4: Threads. Overview Multithreading Models Threading Issues Pthreads Windows XP Threads.
Today From threads to file systems
Chapter 4: Threads. 4.2 Silberschatz, Galvin and Gagne ©2005 Operating System Concepts – 7 th edition, Jan 23, 2005 Chapter 4: Threads Overview Multithreading.
3.5 Interprocess Communication Many operating systems provide mechanisms for interprocess communication (IPC) –Processes must communicate with one another.
3.5 Interprocess Communication
Figure 1.1 Interaction between applications and the operating system.
 2004 Deitel & Associates, Inc. All rights reserved. Chapter 4 – Thread Concepts Outline 4.1 Introduction 4.2Definition of Thread 4.3Motivation for Threads.
4.7.1 Thread Signal Delivery Two types of signals –Synchronous: Occur as a direct result of program execution Should be delivered to currently executing.
Silberschatz, Galvin and Gagne ©2009Operating System Concepts – 8 th Edition Chapter 4: Threads.
Chapter 4: Threads READ 4.1 & 4.2 NOT RESPONSIBLE FOR 4.3 &
Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition Chapter 2: Operating-System Structures Modified from the text book.
Slide 3-1 Copyright © 2004 Pearson Education, Inc. Operating Systems: A Modern Perspective, Chapter 3 Operating System Organization.
Slide 3-1 Copyright © 2004 Pearson Education, Inc. Operating Systems: A Modern Perspective, Chapter 3.
CSE598C Virtual Machines and Their Applications Operating System Support for Virtual Machines Coauthored by Samuel T. King, George W. Dunlap and Peter.
Processes Part I Processes & Threads* *Referred to slides by Dr. Sanjeev Setia at George Mason University Chapter 3.
14.1 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts with Java – 8 th Edition Chapter 4: Threads.
Stack Management Each process/thread has two stacks  Kernel stack  User stack Stack pointer changes when exiting/entering the kernel Q: Why is this necessary?
Computer Security Tran, Van Hoai Department of Systems & Networking Faculty of Computer Science & Engineering HCMC University of Technology.
Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 4: Threads.
Processes and Threads.
ISA 562 Internet Security Theory & Practice
14.1 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts with Java – 8 th Edition Chapter 4: Threads.
Silberschatz, Galvin and Gagne ©2011Operating System Concepts Essentials – 8 th Edition Chapter 4: Threads.
Chapter 6 Operating System Support. This chapter describes how middleware is supported by the operating system facilities at the nodes of a distributed.
G53SEC 1 Reference Monitors Enforcement of Access Control.
Three fundamental concepts in computer security: Reference Monitors: An access control concept that refers to an abstract machine that mediates all accesses.
 2004 Deitel & Associates, Inc. All rights reserved. 1 Chapter 4 – Thread Concepts Outline 4.1 Introduction 4.2Definition of Thread 4.3Motivation for.
Copyright © George Coulouris, Jean Dollimore, Tim Kindberg This material is made available for private study and for direct.
Hardware process When the computer is powered up, it begins to execute fetch-execute cycle for the program that is stored in memory at the boot strap entry.
CE Operating Systems Lecture 3 Overview of OS functions and structure.
Slide 3-1 Copyright © 2004 Pearson Education, Inc. Operating Systems: A Modern Perspective, Chapter 3.
Ihr Logo Operating Systems Internals & Design Principles Fifth Edition William Stallings Chapter 2 (Part II) Operating System Overview.
G53SEC 1 Reference Monitors Enforcement of Access Control.
OPERATING SYSTEM SUPPORT DISTRIBUTED SYSTEMS CHAPTER 6 Lawrence Heyman July 8, 2002.
Operating Systems Structure what is the organizational principle?
Overview Multithreading Models Threading Issues Pthreads Solaris 2 Threads Windows 2000 Threads Linux Threads Java Threads.
Chapter 3 Operating System Organization
Operating Systems Process Creation
Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition Chapter 4: Threads Modified from the slides of the text book. TY, Sept 2010.
1.1 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition Lecture 2: OS Structures (Chapter 2.7)
Lecture 3 Threads Erick Pranata © Sekolah Tinggi Teknik Surabaya 1.
VMM Based Rootkit Detection on Android
Race conditions and synchronization issues Exploiting UNIX.
What is a Process ? A program in execution.
Introduction Contain two or more CPU share common memory and peripherals. Provide greater system throughput. Multiple processor executing simultaneous.
4P13 Week 5 Talking Points 1. Security Provided by BSD a self-protecting Trusted Computing Base (TCB) spanning kernel and userspace; kernel isolation.
1 Chapter 2: Operating-System Structures Services Interface provided to users & programmers –System calls (programmer access) –User level access to system.
Operating System Structure Lecture: - Operating System Concepts Lecturer: - Pooja Sharma Computer Science Department, Punjabi University, Patiala.
Silberschatz, Galvin and Gagne ©2009Operating System Concepts – 8 th Edition Chapter 4: Threads.
Chapter 3 The Programming Interface Chien-Chung Shen CIS/UD
Chapter 4 – Thread Concepts
CASE STUDY 1: Linux and Android
Chapter 4 – Thread Concepts
Operating System Structure
Chapter 2: Operating-System Structures
Introduction to Operating Systems
Operating Systems: A Modern Perspective, Chapter 3
Shielding applications from an untrusted cloud with Haven
Chapter 2: Operating-System Structures
Access Control What’s New?
Dirty COW Race Condition Attack
Presentation transcript:

A SECURE JAILING SYSTEM FOR CONFINING UNTRUSTED APPLICATIONS Guido Noordende, ´Ad´am Balogh, Rutger Hofman, Frances M. T. Brazier, and Andrew S. Tanenbaum Presented by Khalid Alharthi 1

 Introduction.  Goals.  Terminology.  General positioning of an existing call interception system.  Threats.  TOCTOU.  Insufficient Solutions.  The jailing mode.  Jailer architecture.  Conclusion.  References. 2 Outline

3 Introduction I  Operating systems currently do not provide sufficiently protection mechanisms against the programs that someone executes.  The UNIX protection model is based on a discretionary access control model.  To safely execute untrusted programs on UNIX systems, system-call interception based jailing systems can be used to protect the system and the user’s resources.  System-call interception based jailing systems are based on a kernel-level tracing mechanism (e.g., ptrace).

4 Introduction II  A number of jailing systems require modifications to the operating system to function securely.  Existing systems suffer from several race conditions, which allow an attacker to bypass the jailer’s control mechanisms

5 Goals:  This paper gives an overview of the most important threats to jailing systems.  presents mechanisms for implementing jailing securely systems on standard UNIX.  It provides solutions to race condition problems.  The jailing system presented in this paper provides sufficient control to allow for effective confinement of untrusted programs.

6 Terminology :  The jailer is a trusted process that monitors an untrusted application and enforces a policy on the user’s behalf.  A prisoner is an untrusted application that is being monitored by a jailer and is forced to adhere to a predefined jailing policy.  The tracer is the interface offered by the operating system for debugging / tracing an application.

7 General positioning of an existing call interception system I figure is showing a jailer and a traced prisoner. When a prisoner makes a system call (step 1), the OS suspends the invoking thread and reflects the system call to the jailer (step 2). The jailer inspects the system call’s arguments and decides if it allows the system call or not.

8 General positioning of a existing call interception system II It informs the operating system of its decision (step 3), which results in the system call being continued or an error.

9 Threats We used the ptrace() system call tracing interface to implement jailing system.  Figure illustrates a problem in all system call interception that support multithreaded applications or processes that use shared memory.  In (step 2), the jailer has to make a decision on whether to allow the system call based on its arguments.  These arguments often contain a pointer to a string (e.g., a filename) in the prisoner’s address Space.

10 Threats  Between the time that an invocation was made(step 1/2) and the decision has been passed back to the operating system (step 3), a different thread of the prisoner could have modified the argument in the original thread’s address space.  In this case, the system call would end up using the modified system call argument rather than the argument checked by the jailer. This race condition is called a Time of Check to Time of Use (TOCTOU) race.

11 TOCTOU  Time-of-check, time-of-use race conditions occur when between the time in which a given resource is checked, and the time that resource is used, a change occurs in the resource to invalidate the results of the check. Consequences: Access control: access to unauthorized resources. Integrity: changed in undesirable ways. Non-repudiation: possible to delete files by a malicious user

12 Insufficient Solutions I  The most secure among current approaches is to let the kernel create a safe copy of the arguments before reflecting that to a user-level policy enforcement module.  Also, based on relocating a system call’s argument to a random location on the caller’s stack before checking it.  Other jailing systems simply completely disallow thread creation, or suspend all threads of a jailed process while a system call is being evaluated.

13 Insufficient Solutions II  Both approaches limit the applicability of such systems for executing modern thread-based applications.  Race conditions are again caused by a lack of atomicity of argument checking and system call invocation.  A weakness of most existing jailing systems is that they either always allow or deny them altogether.  Another solution is to make a callback to the user.

14 The jailing model I  They provide a clear jailing model, which distinguish an application’s allowed actions within a jail from actions that influence the world outside the jail.  A jail always starts with a single program, but this program may fork or execve other programs or create new threads4. Child processes run under the same policy as their parent (fig.).

15 The jailing model II

16 The jailing model III A jail’s process hierarchy. The jailer starts the first jailed process in its own jail, and controls this jail by enforcing the jailing model and the jail’s policy. A jailed process can create child processes (using fork and execve).These processes are now in the same jail as their parent and execute under the same policy as their parent.

17 The jailing model IV  All processes within a jail can communicate with Each other using UNIX IPC primitives or signals, or by writing files in their jailing directory.  Communication with processes outside the jail is controlled by the jailer’s policy.

18 Jailer architecture I  The architectural design of our jailer separates generic functionality (i.e., policy enforcement) from platform-specific functionality.  The jailer is split into two layers. The lowest layer is called the interception layer. This layer interfaces with the underlying system call tracing interface.  The upper layer is the policy layer, which enforces the jailing policy. Both layers can access a shared memory manager module, which manages the ShRO memory region (fig).

19 Jailer architecture II

20 Conclusion This paper provides an effective jailing model that allows users to run untrusted programs securely. The solution presents an effective and secure solution for alleviating shared memory and file system race conditions. This solution is portable to any (POSIX compliant) UNIX system. By differentiating between resources created inside and outside the jail, the jailing system has a clear model for deciding which system calls to accept or deny.

21 References I  Jain, K. and Sekar, R. (2000). User-level infrastructure for system call interposition: A platform for intrusion detection and confinement. ISOC Network and Distributed System Security Symposium (NDSS). pp  Kamp, P. and Watson, R. (2000). Jails: Confining the omnipotent root. Proc. 2nd Intl. SANE Conference.  Liang, Z., Venkatakrishnan, V., and Sekar, R. (2003). Isolated program execution: An application transparent approach for executing untrusted programs. 19 th Annual Computer Security Applications Conference (ACSAC), Las Vegas, Nevada.

22 References II  Alexandrov, A., Kmiec, P., and Schauser, K. (1999). Consh: Confined execution environment for internet computations. usenix-consh.ps.

23

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.