|Title:||OS Agnostic Sandboxing Using Virtual CPUs|
|Abstract:||Commodity operating systems have a poor track record when it comes to security. Malware and viruses aim to exploit vulnerabilities and, for example, try to steal the user's private data. Unfortunately, most of today's operating systems do not allow enforcing the principle of least authority, as their security mechanisms are too coarse-grained. In this work we show how we built an OS-agnostic sandbox using virtual CPUs. It allows the execution of native code and thus does not carry the burden of an inherent performance penalty. To show the efficiency and usability of our solution, we have built a secure execution container for web browser plugins.
Background: Sandboxing techniques were developed to jail a program in a restricted execution environment [WLAG93]. By default, critical operations (e.g. syscalls) are disallowed and as such trap into the sandbox host. There, for example, the arguments of the critical operation can be inspected and sanitized. Although, for example, the Java VM provides a restricted execution environment, it is often disliked due to its performance penalty. Other sandboxing techniques, like Google's Native Client (NaCl), rely on specific characteristics of the underlying platform.
Design: The virtual CPU model (vCPU) is an execution abstraction that strongly resembles physical CPUs [LWP2010]. It features upcalls, virtual interrupts, a state indicator and a state save area. The vCPU model allows for sequential execution while supporting control flow diversions upon events. We chose to base our architecture on the vCPU model as it allows the traditional thread model to be easily combined with an asynchronous event model. Our architecture is designed to maximize data throughput with a zero-copy shared-memory interface between a sandboxed client and the host. The computational overhead is minimized by allowing native execution. To minimize event latency, we designed an efficient event notification mechanism using event buffers.
First Results: Our vCPU model is implemented using ptrace, which allows the client to run natively. The measurements show that sandboxed clients achieve performance comparable to native execution. The event latency is constant and does not depend on the number of concurrently running vCPU threads. Preliminary measurements indicate that the data throughput is sufficient for multimedia applications.|
|Is part of:||SPRING - SIDAR Graduierten-Workshop über Reaktive Sicherheit, 21-22 March 2011, Bochum, Germany|
|Appears in Collections:||Presentations|