Computer Security: Isolation Principles

Questions and Answers

What was the main advantage of using VMs in the 1960s?

They were the only type of computer available.

They replaced all physical computers.

They were faster than any physical server.

They allowed multiple users to share a single computer. (correct)

Covert channels can potentially leak classified data from a secure component to a public component.

True

What essential requirement must a hypervisor meet regarding security?

The hypervisor must protect itself and not be buggy.

Since 2000, VMs are heavily used in __________ and __________ clouds.

private, public

Match each type of server with its function:

Print server = Manages printing requests Mail server = Sends and receives emails Web server = Hosts websites File server = Stores and manages files

What is a major drawback of using chroot for application confinement?

It cannot prevent malicious apps from accessing the network.

System call interposition completely eliminates the need for user-space monitoring.

False

What command must an application make to delete or overwrite files?

unlink

The early implementation of monitoring applications in Linux used the ___ system call.

ptrace

Match the monitoring methods with their descriptions:

Linux seccomp = Completely kernel space implementation Program shepherding = Completely user space implementation Systrace = Hybrid implementation ptrace = Process tracing for monitoring

Which of the following is included in an example policy for a PDF reader?

network deny all

It is always easy to manually specify the policy for an app.

False

What is the purpose of monitoring an app's system calls?

To block unauthorized calls and protect the host system.

What is the main function of a reference monitor in a browser sandbox?

Mediating requests from applications

The reference monitor can be killed without consequences to the monitored process.

False

What command must be executed by a root user to use chroot?

chroot /tmp/guest

In a chroot environment, the application can only access files within the designated ______ directory.

guest

Match the escape method to its description:

Relative paths = Accessing files outside the jail using path traversal Creating a device = Accessing raw disk through a device Sending signals = Interacting with a non-chrooted process Rebooting system = Resetting the system to escape confinement

Which command is used to initiate a FreeBSD jail?

jail jail-path hostname IP-addr cmd

The chroot mechanism allows applications to communicate with processes outside of the jail.

False

What issue was identified with Ultrix 4.0 regarding the chroot command?

The ability for jailed applications to perform path traversal and gain root access.

Which of the following covert channels can exist in a running system?

Cache contents

A Type 1 hypervisor requires a host OS to function.

False

What is the primary purpose of a hypervisor in VM isolation?

To isolate virtual machines from each other.

Qubes OS runs on top of the _____ hypervisor.

Xen

Match the following VMs with their purpose in Qubes OS:

Vault VM = Pwd/U2F Manager Work VM = Daily work environment Whonix VM = Force all traffic through Tor Disposable VM = Temporary use for security risks

What type of OS is Qubes OS?

A desktop/laptop operating system

In Qubes OS, all access to peripherals is unregulated.

False

What feature does every window frame in Qubes OS have?

Identifies the VM source.

What is one method that malware uses to avoid reverse engineering?

Detecting the hypervisor

Hypervisors provide complete transparency in their operation.

False

What is the primary goal of Software Fault Isolation (SFI)?

To confine applications running in the same address space.

Malware web pages can detect they are running in a VM using ______ variations.

timing

Match the following hypervisor detection methods with their descriptions:

Timing latency variations = Detects hypervisor presence through operation delays Reduced TLB size = Shares Translation Lookaside Buffer with Guest OS Memory cache behavior = Analyzes differences in memory access patterns Hardware emulation = Replicates older chipsets for virtualization

Which of the following is NOT a focus of modern hypervisors?

Security

SFI runs applications in the same memory segment to improve performance.

False

What is one way hypervisors introduce time latency variances?

By managing how operations are scheduled and executed in a virtualized environment.

What does the return value SECCOMP_RET_KILL do in a BPF filter?

Kills the process

Setting the BPF filter must be done before calling prctl to ensure set-UID and set-GID are ignored.

True

What does the command 'docker run --security-opt=no-new-privileges:true nginx' prevent?

It prevents the process from becoming privileged.

The Docker command to run a container with a specific seccomp filter is '$ docker run --security-opt=______ nginx'.

seccomp=filter.json

Match the BPF actions with their descriptions.

SECCOMP_RET_ALLOW = Allow the syscall SECCOMP_RET_ERRNO = Return specified error to caller SECCOMP_RET_KILL = Kill the process

Which Linux capability prevents a process from becoming privileged?

PR_SET_NO_NEW_PRIVS

Docker containers can make any syscall without restriction.

False

What does 'SCMP_ACT_ERRNO' specify in a seccomp filter?

It specifies that the syscall will be denied by default.

In a virtualized environment, the ________ manages multiple guest operating systems.

Virtual Machine Monitor (VMM)

What can whoever starts a Docker container specify in terms of BPF policy?

The syscall filtering policy

Study Notes

Computer Security: Isolation

• Isolation is a confinement principle used in computer security.
• It's used to prevent untrusted or buggy code from harming the rest of the system.

Running Untrusted Code

• Examples of untrusted code include programs from untrusted internet sites, mobile apps, JavaScript, browser extensions, exposed applications (like browsers, PDF viewers, Outlook), and legacy daemons (like sendmail and bind).
• The goal is to contain any "misbehaving" applications to prevent harm to the system.

Confinement Approaches

• Hardware: Run untrusted applications on isolated hardware with an air gap between it and the main system. This is difficult to manage.
• Virtual Machines: Isolate different operating systems (OSes) on a single machine. A Virtual Machine Monitor (hypervisor) controls the guest OSes.
• Processes: System Call Interposition (containers) isolate a process within a single operating system.
• Threads: Software Fault Isolation (SFI) isolates threads sharing the same address space. This technique also addresses the problem of protecting against malicious code that corrupts the kernel or important system libraries.
• Application-level confinement: e.g., WebAssembly and JavaScript sandboxing in browsers.

Implementing Confinement

• Reference Monitor: A key component that mediates requests from applications. It enforces pre-defined confinement policies, and it must be invoked for every application request.
• Tamper-proof: The reference monitor must not be killed; if killed, the monitored process should also be killed.
• Example (chroot): Chroot restricts a process to a specific directory within the filesystem to prevent it from accessing files outside its assigned space. Early implementations had vulnerabilities (like relative paths). Modern systems (like FreeBSD jails) address these earlier issues.

Escaping Jails

• Early methods of escaping jails involved exploiting relative paths and leveraging vulnerabilities.
• Modern systems use robust methods to prevent escaping jails.
• Examples of methods to escape include creating dummy files in undesirable spots within the file system, using chroot and su root to gain root privileges, and exploiting syscalls like access to raw disks.

Problems with Jails

• Coarse policies (all or nothing) do not account for the need for applications to access parts of the filesystem outside their designated spaces (e.g., sending attachments).
• Applications like web browsers need specific access to external files and resources which are not normally allowed.
• Malicious applications can still try to mess with other machines or crash the host OS.

System Call Interposition

• Involves monitoring and blocking unauthorized system calls.
  • Options may be completely in kernel space (e.g. Linux seccomp), or completely in user space (program shepherding, or a combination).
• Early implementations rely on tracing all system calls through ptrace, which is shown to be inefficient and vulnerable.
• Examples: unlink, open, write, socket, bind, connect, send

Hypervisor Isolation

• Virtual Machines allow multiple applications to run in isolated sections of memory. The hypervisor (like Xen) controls the guest operating systems running in their own isolated environments.
• An essential security capability is the ability to completely isolate these VMs from one another to prevent exploits.
• One risk here is covert channels, an unintended channel between VMs. Examples include file locking/status, CPU clock timing. Virtual machines and hypervisors are frequently used in cloud computing environments, in various settings like print, mail, web and file servers.

Hypervisor Detection

• Some applications can detect if they are running in a VM environment (e.g., by observing time variations for operations or detecting a reduced TLB size).
• The perfect hypervisor doesn't exist, and today's hypervisors prioritize compatibility and performance.
• Hypervisor anomalies can still be detected to reveal the existence of the hypervisor.

Software Fault Isolation (SFI)

• Aims to confine applications running in the same address space.
• Protects the kernel and JVM from corruption by applications.
• A simple solution is to run applications in separate address spaces, but this can be slow if communication is frequent.
• A technique for partitioning a process's memory into segments, and adding guards before unsafe instructions (like jmps, load and store operations).
• Allows for cross domain calls, through the use of special stubs within the jump table.
• Limits are in place on how complex applications can run, because the number of instructions and registers needed to run specific code can create guard conditions which lead to a reduced performance.

Confinement Summary

• Core methods for sandboxing include physical air gaps, virtual air gaps (hypervisors), system calls interposition (SCI), Software Fault Isolation (SFI) and application-specific techniques like Javascript sandboxing in browsers.
• Frequent communication between applications may not be compatible with strict isolation; this means many systems must manage these needs.
• Specifying exactly which systems calls and actions are allowed, and preventing covert channels are the hardest aspects of creating a secure sandboxing environment.

Description

This quiz covers the concept of isolation in computer security, focusing on how to manage untrusted code effectively. Explore various confinement approaches including hardware isolation, virtual machines, and process isolation techniques. Test your knowledge on protecting systems from harmful applications.