Computer Security: Isolation and Confinement
Questions and Answers

What is a hypervisor's security assumption regarding malware?

  • Malware can infect the host OS easily
  • Malware can escape infected VMs to other VMs
  • Malware is unable to affect guest applications
  • Malware cannot escape from the infected VM (correct)

What is a covert channel in the context of VMs?

  • An unintended communication channel between isolated components (correct)
  • A method to increase VM performance
  • An encrypted connection between public and classified VMs
  • A secure communication line within isolated VMs

How does malware communicate a bit using the example of a covert channel?

  • By manipulating the time of resource-intensive calculations (correct)
  • By altering the configuration of the hypervisor
  • By infecting the host OS to relay messages
  • By sending encrypted messages at random intervals

What challenge does a hypervisor face in ensuring security?

  • The need for hypervisors to not have bugs (D)

What must a monitor do if it forks an application?

  • Also fork itself to monitor the forked app. (B)

What state must a monitor maintain for the associated app?

  • All OS state including CWD, UID, EUID, and GID. (D)

What is a drawback of using ptrace as a monitoring tool?

  • It traces all system calls, which can be inefficient. (D)

What is one of the security problems associated with ptrace?

  • Race conditions leading to TOCTOU bugs. (C)

What does seccomp-bpf allow in the Linux operating system?

  • Filtering of process system calls. (A)

What happens to BPF filters when a process forks?

  • The child inherits all installed filters. (B)

What input does a BPF filter utilize?

  • Syscall number, syscall arguments, and architecture. (C)

What is the purpose of the prctl function in conjunction with seccomp-bpf?

  • To set the seccomp filtering policy for a process. (A)

What can malware do to avoid reverse engineering?

  • Detect the hypervisor and refuse to run (C)

What are some indicators that a hypervisor is present?

  • Time latency variances between operations (B)

What is a common approach to detect if a webpage is running within a VM?

  • Measure timing variations in screen writing (A)

What do modern hypervisors primarily aim to achieve?

  • Compatibility and performance (B)

What does Software Fault Isolation (SFI) aim to achieve?

  • Confine applications in the same address space (B)

What is a drawback of running applications in separate address spaces?

  • Slower performance due to context switches (A)

In the context of SFI, what is the purpose of adding guards before unsafe instructions?

  • To ensure the integrity of the process memory (B)

Which of the following statements is true regarding hypervisor detection?

  • Anomalies can reveal the existence of a hypervisor (C)

What is the primary function of the hypervisor in a virtualized environment?

  • To isolate virtual machines and manage their resources (A)

In Qubes OS, how is access to peripherals like microphone and camera controlled?

  • Controlled by distinct virtual machines (B)

Which of the following statements regarding virtual machines (VMs) is true?

  • VMs can leak information to one another despite hypervisor isolation (A)

What defines the structure of Qubes OS?

  • All applications and processes run in separate VMs (C)

Which VM in Qubes OS is typically used to manage sensitive information like passwords?

  • Vault VM (B)

What is a potential concern regarding VM isolation in cloud services?

  • Hypervisors may allow some information leakage between VMs (B)

Which operating system is used as the base for running Qubes OS?

  • Xen hypervisor (C)

What is one way an OS can detect if it is running on a hypervisor?

  • By checking for specific hypervisor signatures (C)

What is the primary purpose of the indirect load instruction in the provided context?

  • To load data from a segment while validating the segment ID. (B)

What does the register 'dr2' represent in the security model described?

  • The register holding the segment ID. (D)

What is a consequence of using the address sandboxing technique?

  • It results in fewer instructions than segment matching. (B)

What role does the jmp guard play in the security architecture described?

  • It ensures jumps do not bypass the load guard. (D)

What is one limitation of Software Fault Isolation (SFI) mentioned in the content?

  • It requires an increased number of dedicated registers. (B)

In the context of cross-domain calls, what is the purpose of the call stub?

  • To ensure only allowed calls are made across domains. (A)

Which sandboxing techniques were summarized as forms of confinement?

  • Physical air gap, Virtual air gap, System call interposition. (C)

What might be a practical performance impact of using Software Fault Isolation (SFI)?

  • Performance usually remains stable with slight slowdowns. (D)

What is the purpose of the SECCOMP_RET_KILL option in seccomp filters?

  • Terminate the process immediately (D)

What must be done before setting a BPF filter to ensure security?

  • Call prctl with PR_SET_NO_NEW_PRIVS (A)

How does Docker utilize seccomp-bpf for container isolation?

  • By blocking specific syscalls selectively (A)

What does the 'defaultAction' setting in Docker's seccomp filter specify?

  • Deny all syscalls by default (A)

What is the effect of using the --cap-drop all flag in Docker?

  • It removes all capabilities from the container (A)

Which command would you use to prevent a process in Docker from gaining privileges?

  • docker run --security-opt=no-new-privileges:true (C)

What is one of the main characteristics of a virtual machine architecture?

  • Isolation of processes through a hypervisor (C)

What is the role of the BPF policy when using Docker?

  • To specify which syscalls are allowed or denied (B)

If a syscall is not explicitly allowed in a Docker seccomp filter, what is the default behavior?

  • An error is returned to the caller (B)

Which of the following statements about seccomp-bpf is correct?

  • It filters syscalls to enhance security. (A)

Flashcards

SECCOMP

A security mechanism that filters system calls made by a process, controlling what the process can do by allowing or denying specific system calls.

SECCOMP BPF filter

A type of SECCOMP filter used to restrict system calls. Its policy defines the allowed system calls and their arguments.

PR_SET_SECCOMP

A mechanism in Linux that allows setting a policy for system calls, such as allowing, denying, or returning specific errors.

prctl(PR_SET_SECCOMP)

A system call that allows a process to set a BPF filter, restricting the allowed system calls and their arguments.

PR_SET_NO_NEW_PRIVS

A way to restrict a process's ability to gain privileges through 'setuid' or 'setgid' binaries after execution.

SECCOMP_RET_KILL

A seccomp filter return value specifying that the process should be terminated.

SECCOMP_RET_ERRNO

A seccomp filter return value specifying that the process should receive a specified error.

SECCOMP_RET_ALLOW

A seccomp filter return value specifying that the system call is allowed and should proceed.

Containers

A common approach to isolate applications and improve security by creating virtualized environments for them.

Virtual Machines (VMs)

A virtualization technology that creates isolated virtual machines on top of a host operating system.

Monitor Process

A process that closely monitors another process, ensuring its proper behavior and handling critical tasks like maintaining its operating system state. It helps isolate the monitored process and prevents it from causing harm to the system.

Forking Monitors

The process of forking, or creating a copy, of a monitor process when the monitored application forks itself. This ensures that the monitor remains in control of the forked application.

Ptrace

A powerful system call tracing tool in Linux that allows programs to inspect and manipulate the execution of other processes by monitoring their system calls.

System Call Filtering (Syscall Filtering)

The technique of restricting a process's ability to make system calls by defining a set of allowed calls. This helps enforce security policies and isolate potentially dangerous processes.

Seccomp-BPF

A Linux kernel feature that uses the BPF language to define and enforce system call filters. It allows fine-grained control over the system calls a process can make.

TOCTOU (Time-of-Check to Time-of-Use)

A security vulnerability that occurs due to a mismatch in the timing of a security check and the actual execution of a system call. This allows attackers to exploit the window between checking and execution.

BPF Filters (Policy Programs)

Programs that specify allowed system calls for a process, designed to be used with seccomp-BPF. They act as a whitelist of permitted system calls.

Multiple BPF Filters

A process can be assigned multiple BPF filters, which all apply to every system call. This ensures a layered security approach.

Inherited BPF Filters

When a process forks, or makes a copy of itself, all its BPF filters are inherited by the child process.

Preserved BPF Filters

Even after a process calls execve (executing a new program), all its BPF filters are preserved.

BPF Filter Input

BPF filters analyze information about a system call such as the syscall number, its arguments, and the processor architecture.

Chrome Renderer Process

A process that is used to render web pages in a browser. It is isolated to protect the main browser process from security vulnerabilities.

BPF Program Execution

Instructions in the BPF language are executed by the Linux Kernel. It implements the rules defined in the BPF filters to manage system calls.

Early Use of VMs

Virtual machines (VMs) were initially used to allow multiple users to share a single computer, addressing the scarcity of computers and the abundance of users in the 1960s.

Hypervisor Security Assumption

Modern hypervisors assume that malware can infect guest operating systems and applications within a VM, but it cannot escape the VM to infect the host operating system or other VMs running on the same hardware.

Covert Channel

A covert channel is an unintended communication path between isolated components, which can be exploited to leak sensitive data from a secure component to a public component.

Covert Channel in VMs

In the context of VMs, a covert channel might be used to transmit data from a classified VM to a public one, potentially by manipulating resource usage or timing patterns.

Covert Channel Example

A malicious VM might intentionally increase its CPU usage at a specific time, while a listening VM simultaneously performs a heavy computation. This synchronized action could lead to a covert channel, subtly transmitting a bit of information.

Segment Matching

A specialized hardware-based security mechanism that prevents code from accessing memory outside its designated segment.

Address Sandboxing

A technique that uses dedicated registers (dr1 and dr2) to quickly check if a memory access is within the allowed segment.

dr2 register

A dedicated register designed to hold the segment ID for a program's allocated memory.

dr1 register

A special register designed to temporarily hold the memory address being accessed.

Cross-Domain Calls

A technique that utilizes a specially crafted jump table to ensure that calls between different program domains only go through well-defined entry points.

Jump Guard

A security mechanism that prevents a program from jumping directly to a memory location that could lead to unauthorized memory access.

Software Fault Isolation (SFI)

A technique that uses software-based mechanisms to isolate programs from each other, preventing them from accessing each other's memory or resources.

Confinement

A collection of techniques used to limit the access of a program to specific resources or parts of the system.

Type 1 Hypervisor

A type 1 hypervisor runs directly on the hardware without requiring a host OS. It manages and isolates virtual machines (VMs) directly, offering a more efficient and secure isolation compared to type 2 hypervisors.

Type 2 Hypervisor

A type 2 hypervisor runs on top of a host OS, offering virtualized environments within a pre-existing operating system. It provides less direct control over hardware and may have performance limitations compared to type 1 hypervisors.

VM Isolation

VM isolation refers to the ability to separate and protect virtual machines from each other. It prevents unauthorized access and data leaks, ensuring the security and privacy of each VM instance.

Qubes OS

Qubes OS is a desktop/laptop operating system designed for security and privacy. It implements a secure environment where every application runs in a separate virtual machine, enhancing isolation and limiting potential vulnerabilities.

Disposable VM

A Disposable VM is a temporary virtual machine used for potentially dangerous tasks like opening suspicious emails or visiting untrusted websites. It helps isolate potential threats and protect the main system.

Vault VM

A Vault VM is a dedicated virtual machine used to securely store sensitive data and passwords. It provides a secure environment for managing credentials, offering protection against unauthorized access.

Whonix VM

A Whonix VM is a virtual machine designed to route all Internet traffic through the Tor network, providing enhanced anonymity and privacy. It is a powerful tool for concealing online activity.

Malware detecting hypervisors

Malicious software that can detect the presence of a hypervisor and refuse to run to avoid reverse engineering.

Hardware-dependent software in VMs

Software designed to interact directly with hardware can't operate properly within a virtual environment, causing it to refuse execution.

DRM systems and hypervisors

Digital Rights Management (DRM) systems, like those used in media playback, might block access when they detect they are running on top of a hypervisor.

Hypervisor detection (red pill techniques)

Techniques used by malware to detect the presence of a hypervisor, often relying on unexpected timings, resource allocation, and hardware behavior differences in virtual environments.

Hypervisor's emulation of hardware

Hypervisors often present a simplified and consistent hardware interface to guest operating systems, leading to predictable timing and resource patterns.

Latency variations and hypervisor detection

Differences in timing and resource allocation behavior between physical and virtual environments can expose the presence of a hypervisor.

Hypervisor detection in web browsers

Hypervisor detection techniques in web browsers, where malware might try to identify and avoid virtual environments.

The limits of hypervisor transparency

The challenge of creating a perfect hypervisor that remains undetectable by sophisticated malware and operates seamlessly.

Study Notes

Computer Security: Isolation

  • Isolation is a confinement principle in computer security.
  • Isolation aims to prevent a misbehaving application from harming the rest of the system.

Running Untrusted Code

  • Often need to run untrusted code (buggy code, from untrusted sites):
    • Programs from untrusted Internet sites (mobile apps, JavaScript, browser extensions)
    • Exposed applications (browser, PDF viewer, Outlook)
    • Legacy daemons (sendmail, bind)
    • Honeypots
  • Goal: if an application misbehaves, kill it.

Approach: Confinement

  • Confinement ensures a misbehaving application cannot harm the rest of the system.
  • Can be implemented at multiple levels:
    • Hardware: Run application on isolated hardware (air gap). Difficult to manage.
    • Virtual machines: Isolate OSes on a single machine. The virtual machine monitor (hypervisor) manages the isolation.
    • Process (System Call Interposition): Isolate a process within a single operating system. Containers work at this level (they isolate processes).
    • Threads: Software Fault Isolation (SFI) isolates threads sharing the same address space.
    • Application level: Example of browser sandbox for JavaScript and WebAssembly.

Implementing Confinement

  • Key component: Reference monitor.
    • Mediates requests from applications.
    • Enforces confinement.
    • Implements a specified protection policy.
  • Must always be invoked: Every application request must be mediated.
  • Tamperproof: Reference monitor cannot be killed; or if it is, the monitored process is also killed.

Example: Chroot

  • To use chroot (must be root):
    • chroot /tmp/guest
    • su guest
  • Prepends /tmp/guest to the path of every file system access.
  • Prevents the application (e.g., web server) from accessing files outside of the jail.

Escaping from Jails

  • Early escapes use relative paths to access files outside of the chroot jail.
  • Chroot should be executable only by root. Otherwise, the jailed app can:
    • Create a dummy file.
    • Run chroot /aaa
    • Run su root to become root (bug).

Many Ways to Escape Jails as Root

  • Create device to access raw disk.
  • Send signals to non-chrooted processes.
  • Reboot system.
  • Bind to privileged ports.

FreeBSD Jail

  • Stronger than simple chroot.
  • Invoked as: jail jail-path hostname IP-addr cmd
    • Runs hardened chroot (no "../../" escape).
    • Only binds to sockets with specified IP address and allowed ports.
    • Communicates only with processes inside the jail.
    • Limits root.

Problems with Chroot and Jail

  • Coarse policies (all or nothing).
  • Inappropriate for applications like web browsers (they need read access outside the jail).
  • Does not stop malicious apps from network access or host OS crashes.

System Call Interposition

  • Sandboxing a process.

System Call Interposition Details

  • Observation: To damage the host system (e.g., persistent changes), the application must make system calls.
    • To delete/overwrite files: unlink, open, write.
    • To do network attacks: socket, bind, connect, send.
  • Idea: Monitor application's system calls and block unauthorized calls.
  • Implementation options:
    • Completely kernel space (e.g., Linux seccomp).
    • Completely user space (e.g., program shepherding).
    • Hybrid (e.g., Systrace).

Early Implementation (Janus)

  • Linux ptrace: process tracing. The monitor process calls ptrace(..., pid_t pid, ...) to trace the application.
  • Monitors calls and kills the application if the request is disallowed.

Example Policy

  • Sample policy file (e.g., for PDF reader):
    • path allow /tmp/*
    • path deny /etc/passwd
    • network deny all
  • Specifying a policy manually can be difficult. Recommended default policies are available and can be made more restrictive as needed.

Complications

  • If an application forks, the monitor must also fork.
  • If the monitor crashes, the application must be killed.
  • The monitor must maintain all OS state associated with the application.
    • Current working directory (CWD), UID, EUID, GID.
  • When an app uses cd path, the monitor must update its CWD, otherwise relative paths will be interpreted incorrectly.

Problems with Ptrace

  • Ptrace traces all system calls or none.
  • Inefficient as it traces unnecessary calls.
  • Cannot abort system calls without killing the application.
  • Race conditions. Example: symlink (TOCTOU).

SCI in Linux: seccomp-BPF

  • Linux kernel facility to filter process system calls.
  • System call filters written in BPF language (using the BPF compiler).
  • Used in Chromium, Docker containers.

BPF Filters (Policy Programs)

  • Processes can install multiple BPF filters (all run on every system call).
  • Filters cannot be removed after installation.
  • Children inherit filters from parent process.
  • execve erases all filters.
  • Filter input: syscall number, syscall args, architecture.
  • Filter returns one of:
    • SECCOMP_RET_KILL: Kills the process.
    • SECCOMP_RET_ERRNO: Returns specified error to the caller.
    • SECCOMP_RET_ALLOW: Allows the syscall.

Installing a BPF Filter

  • prctl with PR_SET_NO_NEW_PRIVS must be called before setting the BPF filter, to ensure the attacker cannot ignore the filter or elevate privileges on a subsequent execve.
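
The install sequence and the three filter verdicts from the notes above, as an added example in C (not code from the original notes). The policy itself, the helper name run_confined, and the syscalls chosen for the demonstration are assumptions made for illustration; it targets Linux on x86-64 or AArch64.

```c
/* Added example: allowlist seccomp-BPF filter installed in a forked child. */
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
#define NATIVE_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define NATIVE_ARCH AUDIT_ARCH_AARCH64
#else
#error "define NATIVE_ARCH for this architecture"
#endif

#define SETUP_FAILED 255  /* child exit code if the filter cannot be installed */

/* Policy constructed for this example: kill on ptrace, allow getpid and
 * exit_group, fail every other syscall with EPERM (default deny). */
static struct sock_filter policy[] = {
    /* [0] filter input: architecture; syscall numbers differ per ABI */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    /* [1] native arch -> skip [2] */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NATIVE_ARCH, 1, 0),
    /* [2] foreign ABI: kill */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    /* [3] filter input: syscall number */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    /* [4] ptrace -> [5], otherwise -> [6] */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_ptrace, 0, 1),
    /* [5] */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    /* [6] getpid -> [8] */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_getpid, 1, 0),
    /* [7] exit_group -> [8], anything else -> [9] */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_exit_group, 0, 1),
    /* [8] */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    /* [9] default action: error returned to the caller */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
};

/* Fork a child, confine it, and have it issue syscall `nr` with zero args.
 * Returns 0 if the call was allowed, the errno the filter injected, or
 * -signal if the kernel killed the child; -1000 on fork/wait/setup failure. */
int run_confined(long nr)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1000;
    if (pid == 0) {
        struct sock_fprog prog = {
            .len = sizeof(policy) / sizeof(policy[0]),
            .filter = policy,
        };
        /* NO_NEW_PRIVS first; without it an unprivileged process is not
         * allowed to install a filter. */
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0 ||
            prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
            _exit(SETUP_FAILED);
        errno = 0;
        long r = syscall(nr, 0L, 0L, 0L, 0L, 0L, 0L);
        _exit(r < 0 ? errno : 0);   /* _exit() uses exit_group, which is allowed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1000;
    if (WIFSIGNALED(status))
        return -WTERMSIG(status);
    if (WEXITSTATUS(status) == SETUP_FAILED)
        return -1000;
    return WEXITSTATUS(status);
}

int main(void)
{
    printf("getpid: %d (0 = allowed)\n", run_confined(SYS_getpid));
    printf("socket: %d (EPERM = %d)\n", run_confined(SYS_socket), EPERM);
    printf("ptrace: %d (-SIGSYS = %d)\n", run_confined(SYS_ptrace), -SIGSYS);
    return 0;
}
```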

Docker: Isolating Containers using seccomp-bpf

  • Docker isolates containers at the process level.
  • Prevents containers from making system calls filtered by seccomp-bpf.
  • Allows specifying BPF policies to block many system calls, including ptrace.

Docker SysCall Filtering

  • Example using a filter called filter.json:
{
    "defaultAction": "SCMP_ACT_ERRNO",
    "syscalls": [
        {
            "names": ["accept"],
            "action": "SCMP_ACT_ALLOW",
            "args": []
        },
        ...
    ]
}

More Docker Confinement Flags

  • Specify as an unprivileged user: docker run --user www nginx
  • Limit Linux capabilities: docker run --cap-drop all --cap-add NET_BIND_SERVICE nginx
  • Prevent process from becoming privileged: docker run --security-opt=no-new-privileges:true nginx
  • Limit resources: docker run --restart=on-failure:<max-retries> --ulimit nofile=<max-fd> --ulimit nproc=<max-proc> nginx

Confinement Via Virtual Machines

  • Virtual machines isolate applications within a single hardware platform.
  • The virtual machine monitor (VMM, hypervisor) manages the isolation.
  • In the 1960s, VMs allowed multiple users to share a single computer when computers were scarce.
  • In the 2000s, machines are plentiful, and VMs are commonly used for web, file, print servers, and other applications, in private and public clouds.

Hypervisor Security Assumptions

  • Malware can infect guest OS and guest applications.
  • But malware cannot escape from the infected VM.
  • Cannot infect the host OS or other VMs on the same hardware.

Problem: Covert Channels

  • Covert channel: Unintended communication channel between isolated components.
  • Can leak classified data from a secure component to a public component.
  • Example: Malware using time variations (CPU intensive calculations).

VM Isolation in Practice: Cloud

  • VMs can run on the same machine.

VM Isolation in Practice: End-User

  • Qubes OS is an example where everything runs as a VM.

Hypervisor Detection

  • Can an OS detect whether it is running on top of a hypervisor? Some applications try to detect a hypervisor and refuse to run in a VM, either to avoid reverse engineering (malware) or to protect their code, including DRM.

Hypervisor Detection (Red Pill Techniques)

  • VM platforms emulate simple hardware. Example: VMware emulating older system hardware.
  • Hypervisor introduces variances in time latencies and memory cache behavior, leading to relative time variations.
  • Hypervisor shares the TLB (translation lookaside buffer) with GuestOS.
  • GuestOS can detect a reduced TLB size, indicating a hypervisor could be present.

Hypervisor Detection in the Browser

  • Can a webpage detect that it is running in a VM? One approach is to measure timing variations in tasks such as UI rendering.

Hypervisor Detection (Bottom Line)

  • The perfect hypervisor does not exist.
  • Focus on compatibility (software) and performance (overhead).
  • Anomalies may reveal hypervisor existence.

Software Fault Isolation (SFI)

  • Goal is to confine applications sharing an address space.
    • Kernel modules should not corrupt the kernel.
    • Native libraries should not corrupt other components in memory like the Java virtual machine (JVM).
  • Simple solution: Run apps in separate address spaces. This is inefficient if the apps communicate frequently.
  • It requires a context switch per message.
  • Approaches include:
    • Code and data segments.
    • Unsafe instructions (jmp, load, store).
    • At compile time, guards are added before unsafe instructions.
    • When loading code, ensure guards are also loaded.
  • Segment matching and address sandboxing are the techniques used to identify unsafe code/data from another domain.
  • Problem: Jump instructions can bypass load guards.

SFI Summary

  • Performance is generally good.
  • SFI is more difficult to implement on other architectures like x86 because their instructions have varying length.

Confinement Summary

  • Many sandboxing techniques exist: physical air gap, virtual air gap (hypervisor), System Call Interposition (SCI), Software Fault Isolation (SFI), and application-specific techniques.
  • Complete isolation is often inappropriate because apps need to communicate through regulated interfaces.
  • The hardest part of sandboxing is specifying the policy for what an app can and cannot do. Preventing covert channels from being exploited is another main aspect of security in sandboxing.

Description

This quiz covers the principles of isolation in computer security, exploring how confinement can prevent misbehaving applications from causing harm to a system. It discusses various methods, including hardware isolation, virtual machines, and process isolation. Test your knowledge on the approach to running untrusted code safely.
