Computer Security: Isolation and Confinement

Questions and Answers

What is a hypervisor's security assumption regarding malware?

  • Malware can infect the host OS easily
  • Malware can escape infected VMs to other VMs
  • Malware is unable to affect guest applications
  • Malware cannot escape from the infected VM (correct)

What is a covert channel in the context of VMs?

  • An unintended communication channel between isolated components (correct)
  • A method to increase VM performance
  • An encrypted connection between public and classified VMs
  • A secure communication line within isolated VMs

How does malware communicate a bit using the example of a covert channel?

  • By manipulating the time of resource-intensive calculations (correct)
  • By altering the configuration of the hypervisor
  • By infecting the host OS to relay messages
  • By sending encrypted messages at random intervals

What challenge does a hypervisor face in ensuring security?

    The need for hypervisors to not have bugs

    What must a monitor do if it forks an application?

    Also fork itself to monitor the forked app.

    What state must a monitor maintain for the associated app?

    All OS state including CWD, UID, EUID, and GID.

    What is a drawback of using ptrace as a monitoring tool?

    It traces all system calls, which can be inefficient.

    What is one of the security problems associated with ptrace?

    Race conditions leading to TOCTOU bugs.

    What does seccomp-bpf allow in the Linux operating system?

    Filtering of process system calls.

    What happens to BPF filters when a process forks?

    The child inherits all installed filters.

    What input does a BPF filter utilize?

    Syscall number, syscall arguments, and architecture.

    What is the purpose of the prctl function in conjunction with seccomp-bpf?

    To set the seccomp filtering policy for a process.

    What can malware do to avoid reverse engineering?

    Detect the hypervisor and refuse to run

    What are some indicators that a hypervisor is present?

    Time latency variances between operations

    What is a common approach to detect if a webpage is running within a VM?

    Measure timing variations in screen writing

    What do modern hypervisors primarily aim to achieve?

    Compatibility and performance

    What does Software Fault Isolation (SFI) aim to achieve?

    Confine applications in the same address space

    What is a drawback of running applications in separate address spaces?

    Slower performance due to context switches

    In the context of SFI, what is the purpose of adding guards before unsafe instructions?

    To ensure the integrity of the process memory

    Which of the following statements is true regarding hypervisor detection?

    Anomalies can reveal the existence of a hypervisor

    What is the primary function of the hypervisor in a virtualized environment?

    To isolate virtual machines and manage their resources

    In Qubes OS, how is access to peripherals like microphone and camera controlled?

    Controlled by distinct virtual machines

    Which of the following statements regarding virtual machines (VMs) is true?

    VMs can leak information to one another despite hypervisor isolation

    What defines the structure of Qubes OS?

    All applications and processes run in separate VMs

    Which VM in Qubes OS is typically used to manage sensitive information like passwords?

    Vault VM

    What is a potential concern regarding VM isolation in cloud services?

    Hypervisors may allow some information leakage between VMs

    Which operating system is used as the base for running Qubes OS?

    Xen hypervisor

    What is one way an OS can detect if it is running on a hypervisor?

    By checking for specific hypervisor signatures

    What is the primary purpose of the indirect load instruction in the provided context?

    To load data from a segment while validating the segment ID.

    What does the register 'dr2' represent in the security model described?

    The register holding the segment ID.

    What is a consequence of using the address sandboxing technique?

    It results in fewer instructions than segment matching.

    What role does the jmp guard play in the security architecture described?

    It ensures jumps do not bypass the load guard.

    What is one limitation of Software Fault Isolation (SFI) mentioned in the content?

    It requires an increased number of dedicated registers.

    In the context of cross-domain calls, what is the purpose of the call stub?

    To ensure only allowed calls are made across domains.

    Which sandboxing techniques were summarized as forms of confinement?

    Physical air gap, Virtual air gap, System call interposition.

    What might be a practical performance impact of using Software Fault Isolation (SFI)?

    Performance usually remains stable with slight slowdowns.

    What is the purpose of the SECCOMP_RET_KILL option in seccomp filters?

    Terminate the process immediately

    What must be done before setting a BPF filter to ensure security?

    Call prctl with PR_SET_NO_NEW_PRIVS

    How does Docker utilize seccomp-bpf for container isolation?

    By blocking specific syscalls selectively

    What does the 'defaultAction' setting in Docker's seccomp filter specify?

    Deny all syscalls by default

    What is the effect of using the --cap-drop all flag in Docker?

    It removes all capabilities from the container

    Which command would you use to prevent a process in Docker from gaining privileges?

    docker run --security-opt=no-new-privileges:true

    What is one of the main characteristics of a virtual machine architecture?

    Isolation of processes through a hypervisor

    What is the role of the BPF policy when using Docker?

    To specify which syscalls are allowed or denied

    If a syscall is not explicitly allowed in a Docker seccomp filter, what is the default behavior?

    An error is returned to the caller

    Which of the following statements about seccomp-bpf is correct?

    It filters syscalls to enhance security.

    Study Notes

    Computer Security: Isolation

    • Isolation is a confinement principle in computer security.
    • Isolation aims to prevent a misbehaving application from harming the rest of the system.

    Running Untrusted Code

    • Often need to run untrusted code (buggy code, from untrusted sites):
      • Programs from untrusted Internet sites (mobile apps, JavaScript, browser extensions)
      • Exposed applications (browser, PDF viewer, Outlook)
      • Legacy daemons (sendmail, bind)
      • Honeypots
    • Goal: if an application misbehaves, kill it.

    Approach: Confinement

    • Confinement ensures a misbehaving application cannot harm the rest of the system.
    • Can be implemented at multiple levels:
      • Hardware: Run application on isolated hardware (air gap). Difficult to manage.
      • Virtual machines: Isolate OSes on a single machine. The virtual machine monitor (hypervisor) manages the isolation.
      • Process (System Call Interposition): Isolate a process within a single operating system. Containers isolate processes this way.
      • Threads: Software Fault Isolation (SFI) isolates threads sharing the same address space.
      • Application level: Example of browser sandbox for JavaScript and WebAssembly.

    Implementing Confinement

    • Key component: Reference monitor.
      • Mediates requests from applications.
      • Enforces confinement.
      • Implements a specified protection policy.
    • Must always be invoked: Every application request must be mediated.
    • Tamperproof: Reference monitor cannot be killed; or if it is, the monitored process is also killed.

    Example: Chroot

    • To use chroot (must be root):
      • chroot /tmp/guest
      • su guest
    • Adds /tmp/guest to every file system access.
    • Prevents the application (e.g., web server) from accessing files outside of the jail.

    Escaping from Jails

    • Early escapes use relative paths to access files outside of the chroot jail.
    • Chroot should be executable only by root. Otherwise, the jailed app can:
      • Create a dummy file.
      • Run chroot /aaa
      • Run su root to become root (bug).

    Many Ways to Escape Jails as Root

    • Create device to access raw disk.
    • Send signals to non-chrooted processes.
    • Reboot system.
    • Bind to privileged ports.

    FreeBSD Jail

    • Stronger than simple chroot.
    • Executes with jail jail-path hostname IP-addr cmd
      • Runs hardened chroot (no "../../" escape).
      • Only binds to sockets with specified IP address and allowed ports.
      • Communicates only with processes inside the jail.
      • Limits root.

    Problems with Chroot and Jail

    • Coarse policies (all or nothing).
    • Inappropriate for applications like web browsers, which need read access outside the jail.
    • Does not stop malicious apps from accessing the network or crashing the host OS.

    System Call Interposition

    • Sandboxing a process.

    System Call Interposition Details

    • Observation: To damage the host system (e.g., persistent changes), the application must make system calls.
      • To delete/overwrite files: unlink, open, write.
      • To do network attacks: socket, bind, connect, send.
    • Idea: Monitor application's system calls and block unauthorized calls.
    • Implementation options:
      • Completely kernel space (e.g., Linux seccomp).
      • Completely user space (e.g., program shepherding).
      • Hybrid (e.g., Systrace).

    Early Implementation (Janus)

    • Linux ptrace: process tracing. The monitor calls ptrace(..., pid_t pid, ...) on the application process.
    • Monitors calls and kills the application if the request is disallowed.

    Example Policy

    • Sample policy file (e.g., for PDF reader):
      • path allow /tmp/*
      • path deny /etc/passwd
      • network deny all
    • Manually specifying can be difficult. Recommended default policies are available and can be made more restrictive as needed.

    Complications

    • If an application forks, the monitor must also fork.
    • If the monitor crashes, the application must be killed.
    • The monitor must maintain all OS state associated with the application.
      • Current working directory (CWD), UID, EUID, GID.
    • When an app uses cd path, the monitor must update its CWD, otherwise relative paths will be interpreted incorrectly.

    Problems with Ptrace

    • Ptrace traces all system calls or none.
    • Inefficient as it traces unnecessary calls.
    • Cannot abort system calls without killing the application.
    • Race conditions. Example: symlink (TOCTOU).

    SCI in Linux: seccomp-BPF

    • Linux kernel facility to filter process system calls.
    • System call filters written in BPF language (using the BPF compiler).
    • Used in Chromium, Docker containers.

    BPF Filters (Policy Programs)

    • Processes can install multiple BPF filters (all run on every system call).
    • Filters cannot be removed after installation.
    • Children inherit filters from parent process.
    • execve erases all filters.
    • Filter input: syscall number, syscall args, architecture.
    • Filter returns one of:
      • SECCOMP_RET_KILL: Kills the process.
      • SECCOMP_RET_ERRNO: Returns specified error to the caller.
      • SECCOMP_RET_ALLOW: Allows the syscall.

    Installing a BPF Filter

    • prctl with PR_SET_NO_NEW_PRIVS must be called before setting a BPF filter, to ensure the attacker cannot ignore or elevate privileges on a subsequent execve.

    Docker: Isolating Containers using seccomp-bpf

    • Docker isolates containers at the process level.
    • Prevents containers from making system calls filtered by seccomp-bpf.
    • Allows specifying BPF policies to block many system calls, including ptrace.

    Docker SysCall Filtering

    • Example using a filter called filter.json:
    {
        "defaultAction": "SCMP_ACT_ERRNO",
        "syscalls": [
            {
                "names": ["accept"],
                "action": "SCMP_ACT_ALLOW",
                "args": []
            },
            ...
        ]
    }

    More Docker Confinement Flags

    • Specify as an unprivileged user: docker run --user www nginx
    • Limit Linux capabilities: docker run --cap-drop all --cap-add NET_BIND_SERVICE nginx
    • Prevent process from becoming privileged: docker run --security-opt=no-new-privileges:true nginx
    • Limit resources: docker run --restart=on-failure=<max-retries> --ulimit nofile=<max-fd> --ulimit nproc=<max-proc> nginx

    Confinement Via Virtual Machines

    • Virtual machines isolate applications within a single hardware platform.
    • The virtual machine monitor (VMM, hypervisor) manages the isolation.
    • In the 1960s, VMs allowed multiple users to share a single computer when computers were scarce.
    • In the 2000s, availability of many machines makes VM usage common for web, file, print servers, and other applications, in private and public clouds.

    Hypervisor Security Assumptions

    • Malware can infect guest OS and guest applications.
    • But malware cannot escape from the infected VM.
    • Cannot infect the host OS or other VMs on the same hardware.

    Problem: Covert Channels

    • Covert channel: Unintended communication channel between isolated components.
    • Can leak classified data from a secure component to a public component.
    • Example: Malware using time variations (CPU intensive calculations).

    VM Isolation in Practice: Cloud

    • VMs can run on the same machine.

    VM Isolation in Practice: End-User

    • Qubes OS is an example where everything runs as a VM.

    Hypervisor Detection

    • Can an OS detect whether it is running on a hypervisor? Applications may detect a hypervisor and refuse to run in a VM, for example to avoid reverse engineering or to protect code, including DRM.

    Hypervisor Detection (Red Pill Techniques)

    • VM platforms emulate simple hardware. Example: VMware emulating older system hardware.
    • Hypervisor introduces variances in time latencies and memory cache behavior, leading to relative time variations.
    • Hypervisor shares the TLB (translation lookaside buffer) with GuestOS.
    • GuestOS can detect a reduced TLB size, indicating a hypervisor could be present.

    Hypervisor Detection in the Browser

    • Can a webpage detect whether it is running in a VM? One approach is to measure timing variations in tasks such as UI rendering.

    Hypervisor Detection (Bottom Line)

    • The perfect hypervisor does not exist.
    • Focus on compatibility (software) and performance (overhead).
    • Anomalies may reveal hypervisor existence.

    Software Fault Isolation (SFI)

    • Goal is to confine applications sharing an address space.
      • Kernel modules should not corrupt the kernel.
      • Native libraries should not corrupt other components in memory like the Java virtual machine (JVM).
    • Simple solution: run apps in separate address spaces, but this is inefficient when apps communicate frequently.
    • Frequent communication requires a context switch per message.
    • Approaches include:
      • Code and data segments.
      • Unsafe instructions (jmp, load, store).
      • At compile time, guards are added before unsafe instructions.
      • When loading code, ensure guards are also loaded.
    • Segment matching and address sandboxing are techniques used to identify unsafe code/data from another domain.
    • Problem: Jump instructions can bypass load guards.
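
An added illustration (not from the original notes) of the two guard styles named above, simulated in C over a byte array rather than inserted by a compiler; the segment size, memory layout and function names are assumptions. It shows the trade-off: segment matching detects the bad access, while address sandboxing silently forces it into the domain's own segment.

```c
#include <stdint.h>
#include <stdio.h>

#define SEG_BITS 12u                         /* assumed: 4 KiB segments */
#define OFF_MASK ((1u << SEG_BITS) - 1u)
#define NUM_SEGS 4u

static uint8_t memory[NUM_SEGS << SEG_BITS]; /* simulated shared address space */

/* Segment matching guard: compare the address's segment ID with the domain's
 * (the page's quiz names dr2 as the register holding it); fault on mismatch. */
static int load_seg_match(uint32_t addr, uint32_t seg_id, uint8_t *out) {
    if (seg_id >= NUM_SEGS || (addr >> SEG_BITS) != seg_id)
        return -1;                           /* violation detected and reported */
    *out = memory[addr];
    return 0;
}

/* Address sandboxing guard: overwrite the segment bits instead of checking
 * them. No compare or branch, but a bad address is redirected, not reported. */
static uint8_t load_sandboxed(uint32_t addr, uint32_t seg_id) {
    uint32_t safe = (addr & OFF_MASK) | ((seg_id % NUM_SEGS) << SEG_BITS);
    return memory[safe];
}

/* Code confined to segment 1 dereferences a pointer into segment 2. */
static int cross_domain_read(int use_sandboxing, uint8_t *seen) {
    uint32_t foreign = (2u << SEG_BITS) + 0x10u;
    memory[foreign] = 0xAA;                  /* other domain's data (constructed) */
    memory[(1u << SEG_BITS) + 0x10u] = 0x11; /* confined domain's own data */
    if (use_sandboxing) {
        *seen = load_sandboxed(foreign, 1u);
        return 0;
    }
    return load_seg_match(foreign, 1u, seen);
}

int main(void) {
    uint8_t b = 0;
    printf("segment matching: rc=%d\n", cross_domain_read(0, &b));
    int rc = cross_domain_read(1, &b);
    printf("address sandboxing: rc=%d byte=0x%02x\n", rc, b);
    return 0;
}
```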

    SFI Summary

    • Performance is generally good.
    • SFI implementation is more difficult on other architectures like x86 because they have varying instruction lengths.

    Confinement Summary

    • Many sandboxing techniques exist: physical air gap, virtual air gap (hypervisor), System Call Interposition (SCI), Software Fault Isolation (SFI), and application-specific techniques.
    • Complete isolation is often inappropriate because apps need to communicate through regulated interfaces.
    • The hardest part of sandboxing is specifying the policy for what an app can and cannot do. Preventing covert channels from being exploited is another main aspect of security in sandboxing.

    Description

    This quiz covers the principles of isolation in computer security, exploring how confinement can prevent misbehaving applications from causing harm to a system. It discusses various methods, including hardware isolation, virtual machines, and process isolation. Test your knowledge on the approach to running untrusted code safely.
