Monday, August 13, 2012

S&P'12 : Safe Loading - A Foundation for Secure Execution of Untrusted Programs

"Safe Loading - A Foundation for Secure Execution of Untrusted Programs" is a paper published at S&P'12. The authors are Mathias Payer, Tobias Hartmann and Thomas R. Gross, from ETH Zurich, Switzerland.

Many sandbox systems employ BT (binary translation) to instrument an application's system calls. Libdetox, Vx32, and Strata all belong to this type. To decide whether a program may be executed, research on policy-based system call authorization has been published. Moreover, full system virtualization and system call interposition can also isolate applications.

This paper proposes a system to solve two problems that current SFI (software-based fault isolation) frameworks have. The first is that the sandbox can be attacked through the dynamic loader. The second is that the application inside the sandbox must have the privilege to map code into memory.

The first problem arises from the complexity of the loader. The current standard loader implements many features such as debugging and call tracing. By exploiting a bug in the loader, privilege escalation can be achieved with a SUID program.  
Second, the standard loader is responsible for mapping code, including the BT itself, into memory, which leaks information about the BT. In addition, the sandbox has no information about the executable and data layout in memory.

To solve these two problems, the paper proposes an SFI framework that replaces the standard loader with a lightweight secure loader and moves the secure loader into the sandbox. The sandbox divides the application into two domains: the sandbox domain (secure loader and sandbox) and the application domain. The sandbox domain ensures that only checked code is loaded. Every application that runs in the application domain must be examined first, and indirect control flow transfers are checked by the sandbox domain.

This framework has the following three benefits:
  1. Restricting Privilege Escalation Attacks
    The lightweight loader does not suffer from the complexity of the standard loader. Without features like debugging and backwards compatibility, the secure loader only needs to relocate code, which reduces the attack vectors.
  2. Protecting All Executed Application Code
    All code run in the application domain must use a well-defined API to communicate with the sandbox domain, which limits the information an attacker can gather about the loader.
  3. Opening the Loader Black Box
    With the information shared by the loader, the sandbox can distinguish code regions from data regions. Therefore the sandbox can provide trusted execution.
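
To make the third benefit concrete, here is an added sketch (not code from the paper or from this post) of the kind of layout information a loader can hand to a sandbox: it reads the `PT_LOAD` program headers of an ELF64 image, splits them into code and data ranges, and checks an indirect branch target against the code ranges. The function names, the constructed sample image, and the rejection of segments that are both writable and executable are assumptions of this sketch.

```python
import struct

PT_LOAD, PF_X, PF_W, PF_R = 1, 1, 2, 4
EHDR, PHDR = "<16sHHIQQQIHHHHHH", "<IIQQQQQQ"   # ELF64 little-endian layouts

def build_image(segments):
    """Constructed sample: ELF64 header plus one PT_LOAD header per (vaddr, size, flags)."""
    ident = b"\x7fELF\x02\x01\x01" + bytes(9)
    ehdr = struct.pack(EHDR, ident, 2, 62, 1, segments[0][0], 64, 0, 0,
                       64, 56, len(segments), 0, 0, 0)
    phdrs = b"".join(struct.pack(PHDR, PT_LOAD, fl, 0, va, va, sz, sz, 0x1000)
                     for va, sz, fl in segments)
    return ehdr + phdrs

def load_regions(image):
    """Return (code, data) lists of [start, end) ranges taken from PT_LOAD headers."""
    if len(image) < 64 or image[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not a little-endian ELF64 image")
    phoff, = struct.unpack_from("<Q", image, 0x20)
    phentsize, phnum = struct.unpack_from("<HH", image, 0x36)
    if phentsize != struct.calcsize(PHDR) or phoff + phentsize * phnum > len(image):
        raise ValueError("program header table is malformed or out of bounds")
    code, data = [], []
    for i in range(phnum):
        p_type, flags, _, vaddr, _, _, memsz, _ = struct.unpack_from(
            PHDR, image, phoff + i * phentsize)
        if p_type != PT_LOAD:
            continue
        if flags & PF_X and flags & PF_W:
            # Assumption of this sketch: refuse segments that are both W and X.
            raise ValueError("writable and executable segment rejected")
        (code if flags & PF_X else data).append((vaddr, vaddr + memsz))
    return code, data

def is_code_target(code, addr):
    """Check an indirect control-flow target against the loader's code map."""
    return any(start <= addr < end for start, end in code)

SAMPLE = build_image([(0x401000, 0x1000, PF_R | PF_X),   # text (constructed)
                      (0x402000, 0x1000, PF_R | PF_W)])  # data (constructed)

if __name__ == "__main__":
    code, data = load_regions(SAMPLE)
    print("code:", [(hex(a), hex(b)) for a, b in code])
    print("data:", [(hex(a), hex(b)) for a, b in data])
    print(is_code_target(code, 0x401234), is_code_target(code, 0x402010))
```
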
