程龙,杨小虎

2004-01-01

Abstract:This paper illustrates a sandbox system on Linux operating system. Users can put untrusted or flawed programs running in the sandbox system,so they are isolated from other parts of the operating system. It protects the system from application exploits. Thus it greatly improves the system's security level. Deploying this sandbox system needs no modification to existing operating system kernel and applications,because it is implemented as a Linux kernel module.

Tien-Duy B. Le,Lingfeng Bao,David Lo,Debin Gao,Li

DOI: https://doi.org/10.1109/iceccs2018.2018.00014

2018-01-01

Abstract:Android is the most widely used mobile operating system with billions of users and devices. The popularity of Android apps have enticed malware writers to target them. Recently, Jamrozik et al. proposed an approach, named Boxmate, to mine sandboxes to protect Android users from malicious behaviors. In a nutshell, Boxmate analyzes the execution of an app, and collects a list of sensitive APIs that are invoked by that app in a monitoring phase. Then, it constructs a sandbox that can restrict accesses to sensitive APIs not called by the app. In such a way, malicious behaviors that are not observed in the monitoring phase - occurring, for example, due to malicious code injection during an attack - can be prevented. Nevertheless, Boxmate only focuses on a specific API type (i.e., sensitive APIs); it also ignores parameter values of many API methods and requested permissions during the execution of a target app. As a result, Boxmate is not able to detect malicious behaviors in many cases. In this work, we address the limitation of Jamrozik et al.'s work by considering input parameters of many different types of API methods for mining a more comprehensive sandbox. Given a benign app, we first extract a list of Android permissions that the app may request during its execution. Next, we leverage an automated test case generation tool, named Droidbot, to generate a rich set of GUI test cases for exploring behaviors of the app. During the execution of these test cases, we analyze the execution of four different types of API methods. Furthermore, we record input parameters to these API methods, and classify those into four different categories. We leverage the collected parameter values, and the list of requested permissions to create a sandbox that can protect users from malicious behaviors. Our experiments on 25 pairs of real benign and malicious apps show that our approach is more effective than the coarse-and fine-grained variants of Boxmate by 267.37% and 81.64% in terms of F-measure respectively.

Lingfeng Bao,Tien-Duy B. Le,David Lo

DOI: https://doi.org/10.1109/saner.2018.8330231

2018-01-01

Abstract:The popularity of Android platform on mobile devices has attracted much attention from many developers and researchers, as well as malware writers. Recently, Jamrozik et al. proposed a technique to secure Android applications referred to as mining sandboxes. They used an automated test case generation technique to explore the behavior of the app under test and then extracted a set of sensitive APIs that were called. Based on the extracted sensitive APIs, they built a sandbox that can block access to APIs not used during testing. However, they only evaluated the proposed technique with benign apps but not investigated whether it was effective in detecting malicious behavior of malware that infects benign apps. Furthermore, they only investigated one test case generation tool (i.e., Droidmate) to build the sandbox, while many others have been proposed in the literature. In this work, we complement Jamrozik et al.'s work in two ways: (1) we evaluate the effectiveness of mining sandboxes on detecting malicious behaviors; (2) we investigate the effectiveness of multiple automated test case generation tools to mine sandboxes. To investigate effectiveness of mining sandboxes in detecting malicious behaviors, we make use of pairs of malware and benign app it infects. We build a sandbox based on sensitive APIs called by the benign app and check if it can identify malicious behaviors in the corresponding malware. To generate inputs to apps, we investigate five popular test case generation tools: Monkey, Droidmate, Droidbot, GUIRipper, and PUMA. We conduct two experiments to evaluate the effectiveness and efficiency of these test case generation tools on detecting malicious behavior. In the first experiment, we select 10 apps and allow test case generation tools to run for one hour; while in the second experiment, we select 102 pairs of apps and allow the test case generation tools to run for one minute. Our experiments highlight that 75.5%-77.2% of malware in our dataset can be uncovered by mining sandboxes - showing its power to protect Android apps. We also find that Droidbot performs best in generating test cases for mining sandboxes, and its effectiveness can be further boosted when coupled with other test case generation tools.

Xiaoguang Wang,Yong Qi,Zhi Wang,Yue Chen,Yajin Zhou

DOI: https://doi.org/10.1109/tdsc.2017.2675991

2019-01-01

Abstract:The OS kernel is critical to the security of a computer system. Many systems have been proposed to improve its security. A fundamental weakness of those systems is that page tables, the data structures that control the memory protection, are not isolated from the vulnerable kernel, and thus subject to tampering. To address that, researchers have relied on virtualization for reliable kernel memory protection. Unfortunately, such memory protection requires to monitor every update to the guest's page tables. This fundamentally conflicts with the recent advances in the hardware virtualization support. In this paper, we propose SecPod, an extensible framework for virtualization-based security systems that can provide both strong isolation and the compatibility with modern hardware. SecPod has two key techniques: paging delegation delegates and audits the kernel's paging operations to a secure space; execution trapping intercepts the (compromised) kernel's attempts to subvert SecPod by misusing privileged instructions. We have implemented a prototype of SecPod based on KVM. Our experiments show that SecPod is both effective and efficient.

Xia Zhou,Yujie Bu,Meng Xu,Yajin Zhou,Lei Wu

DOI: https://doi.org/10.1109/tdsc.2024.3454421

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Multicore embedded systems employ a big.LITTLE architecture to combine different cores into a single microcontroller (MCU). However, resources sharing among cores raises security challenges. Once LITTLE cores (which often receive external inputs) are compromised, the whole system will be affected. Existing hardware-assisted isolation approaches use privilege separation and code instrumentation to enforce memory isolation, which suffer from inefficiencies. This paper presents u BOX , a lightweight sandbox for multicore embedded systems. The goal of u BOX is to enforce memory isolation over untrusted software (on LITTLE cores) at the same privileged level. Specifically, it uses the Memory Protection Unit (MPU) to restrict memory access by untrusted software. To protect sandbox policies, u BOX deprives the write capability of untrusted software towards MPU configurations by replacing its regular store instructions with unprivileged counterparts. Additionally, to protect u BOX 's necessary regular store instructions from being abused, u BOX 's memory is set to read-only and non-executable when running untrusted software. For the normal operation of u BOX , we use an overlooked feature of the MPU and develop secure gates that quickly disable and re-enable the MPU, allowing u BOX to execute at a permissive memory view. Our evaluation demonstrates that u BOX effectively enforces isolation with average 1.27% runtime overhead, 0.83X Flash overhead, and 36.50X SRAM overhead.

Helei Cui,Yajin Zhou,Cong Wang,Xinyu Wang,Yuefeng Du,Qian Wang

DOI: https://doi.org/10.1109/tdsc.2019.2937783

2020-01-01

Abstract:Safe Browsing (SB) is an important security feature in modern web browsers to help detect new unsafe websites. Although useful, recent studies have pointed out that the widely adopted SB services, such as Google Safe Browsing and Microsoft SmartScreen, can raise privacy concerns since users' browsing history might be subject to unauthorized leakage to service providers. In this paper, we present a Privacy-Preserving Safe Browsing (PPSB) platform. It bridges the browser that uses the service and the third-party blacklist providers who provide unsafe URLs, with the guaranteed privacy of users and blacklist providers. Particularly, in PPSB, the actual URL to be checked, as well as its associated hashes or hash prefixes, never leave the browser in cleartext. This protects the user's browsing history from being directly leaked or indirectly inferred. Moreover, these lists of unsafe URLs, the most valuable asset for the blacklist providers, are always encrypted and kept private within our platform. Extensive evaluations using real datasets (with over 1 million unsafe URLs) demonstrate that our prototype can function as intended without sacrificing normal user experience, and block unsafe URLs at the millisecond level. All resources, including Chrome extension, Docker image, and source code, are available for public use.

MAO Weifeng,PING Lingdi,JIANG Li,CHEN Xiaoping

DOI: https://doi.org/10.3969/j.issn.1000-3428.2006.12.068

2006-01-01

Abstract:SECOS is a secure operating system with independent intellectual property right,which accords with the requirements of level 4 secure operation system technology.This paper illustrates some key issues of the system,including design method for enchancement of security,improved model from the Bell-La Padula MAC(mandatory access control) implementation,the realization of the model,formal method during the system development,conversiion channel analysis and its prevention,and secure deletion.The performance evaluation shows the design and implementation of SECOS is effective.

Quan Zhang,Chijin Zhou,Yiwen Xu,Zijing Yin,Mingzhe Wang,Zhuo Su,Chengnian Sun,Yu Jiang,Jiaguang Sun

DOI: https://doi.org/10.1145/3622842

2023-01-01

Proceedings of the ACM on Programming Languages

Abstract:Attack surface reduction is a security technique that secures the operating system by removing the unnecessary code or features of a program. By restricting the system calls that programs can use, the system call sandbox is able to reduce the exposed attack surface of the operating system and prevent attackers from damaging it through vulnerable programs. Ideally, programs should only retain access to system calls they require for normal execution. Many researchers focus on adopting static analysis to automatically restrict the system calls for each program. However, these methods do not adjust the restriction policy along with program execution. Thus, they need to permit all system calls required for program functionalities. We observe that some system calls, especially security-sensitive ones, are used a few times in certain stages of a program’s execution and then never used again. This motivates us to minimize the set of required system calls dynamically. In this paper, we propose , which gradually disables access to unnecessary system calls throughout the program’s execution. To accomplish this, we utilize partial order analysis to transform the program into a partially ordered graph, which enables efficient identification of the necessary system calls at any given point during program execution. Once a system call is no longer required by the program, can restrict it immediately. To evaluate , we applied it to seven widely-used programs with an average of 615 KLOC, including web servers and databases. With partial order analysis, restricts an average of 23.50, 16.86, and 15.89 more system calls than the state-of-the-art Chestnut, Temporal Specialization, and the configuration-aware sandbox, C2C, respectively. For mitigating malicious exploitations, on average, defeats 83.42% of 1726 exploitation payloads with only a 5.07% overhead.

Soo Yee Lim,Xueyuan Han,Thomas Pasquier

2023-08-15

Abstract:For safety reasons, unprivileged users today have only limited ways to customize the kernel through the extended Berkeley Packet Filter (eBPF). This is unfortunate, especially since the eBPF framework itself has seen an increase in scope over the years. We propose SandBPF, a software-based kernel isolation technique that dynamically sandboxes eBPF programs to allow unprivileged users to safely extend the kernel, unleashing eBPF's full potential. Our early proof-of-concept shows that SandBPF can effectively prevent exploits missed by eBPF's native safety mechanism (i.e., static verification) while incurring 0%-10% overhead on web server benchmarks.

Operating Systems,Cryptography and Security

Jinghao Jia,YiFei Zhu,Dan Williams,Andrea Arcangeli,Claudio Canella,Hubertus Franke,Tobin Feldman-Fitzthum,Dimitrios Skarlatos,Daniel Gruss,Tianyin Xu

DOI: https://doi.org/10.48550/arXiv.2302.10366

2023-02-21

Abstract:System call filtering is a widely used security mechanism for protecting a shared OS kernel against untrusted user applications. However, existing system call filtering techniques either are too expensive due to the context switch overhead imposed by userspace agents, or lack sufficient programmability to express advanced policies. Seccomp, Linux's system call filtering module, is widely used by modern container technologies, mobile apps, and system management services. Despite the adoption of the classic BPF language (cBPF), security policies in Seccomp are mostly limited to static allow lists, primarily because cBPF does not support stateful policies. Consequently, many essential security features cannot be expressed precisely and/or require kernel modifications. In this paper, we present a programmable system call filtering mechanism, which enables more advanced security policies to be expressed by leveraging the extended BPF language (eBPF). More specifically, we create a new Seccomp eBPF program type, exposing, modifying or creating new eBPF helper functions to safely manage filter state, access kernel and user state, and utilize synchronization primitives. Importantly, our system integrates with existing kernel privilege and capability mechanisms, enabling unprivileged users to install advanced filters safely. Our evaluation shows that our eBPF-based filtering can enhance existing policies (e.g., reducing the attack surface of early execution phase by up to 55.4% for temporal specialization), mitigate real-world vulnerabilities, and accelerate filters.

Operating Systems,Cryptography and Security

Qiang Zeng,Zhi Xin,Dinghao Wu,Peng Liu,Bing Mao

2013-01-01

Abstract:The system call interface defines the services an operating system kernel provides to user space programs. An operating system usually provides a uniform system call interface to all user programs, while in practice no programs utilize the whole set of the system calls. Existing system call based sandboxing and intrusion detection systems focus on confining program behavior using sophisticated finite state or pushdown automaton models. However, these automata generally incur high false positives when modeling program behavior such as signal handling and multithreading, and the runtime overhead is usually significantly high. We propose to use a stateless model, a whitelist of system calls needed by the target program. Due to the simplicity we are able to construct the model via static analysis on the program’s binary with much higher precision that incurs few false positives. We argue that this model is not “trivial” as stated by Wagner and Dean. We have validated this hypothesis on a set of common benign benchmark programs against a set of real-world shellcode, and shown that this simple model is, instead, very effective in preventing exploits. The model, encoded as an per-process tailored system call table, incurs virtually no runtime overhead, and should be practical to be deployed to enhance application and system security.

Maysara Alhindi,Joseph Hallett

2024-05-14

Abstract:Sandboxing mechanisms allow developers to limit how much access applications have to resources, following the least-privilege principle. However, it's not clear how much and in what ways developers are using these mechanisms. This study looks at the use of Seccomp, Landlock, Capsicum, Pledge, and Unveil in all packages of four open-source operating systems. We found that less than 1% of packages directly use these mechanisms, but many more indirectly use them. Examining how developers apply these mechanisms reveals interesting usage patterns, such as cases where developers simplify their sandbox implementation. It also highlights challenges that may be hindering the widespread adoption of sandboxing mechanisms.

Software Engineering,Cryptography and Security

Liwei Guo,Tiantu Xu,Mengwei Xu,Xuanzhe Liu,Felix Xiaozhu Lin

DOI: https://doi.org/10.1145/3190508.3190533

2018-01-01

Abstract:Many apps benefit from knowing their power consumption and adapting their behaviors on the fly. To offer apps power knowledge at run time, an OS often meters system power and divides it among apps. Since the impacts of concurrent apps on system power are entangled, this approach not only makes it difficult to reason about power but also results in power side channels, a serious vulnerability. To this end, we introduce a new OS principal called power sandbox, which enables one app to observe the fine-grained power consumption of itself running in its vertical slice of the hardware/software stack. The observed power is insulated from the impacts of other apps. Our contribution is a set of lightweight kernel extensions that simultaneously i) enforce the power sandbox boundaries and ii) confine entailed performance loss to the sandboxed apps. Our experiences on two embedded platforms show that power sandboxes simplify reasoning about power, maintain fairness among apps, and minimize power side channels, thus facilitating construction of power-aware apps.

Jiadong Sun,Xia Zhou,Wenbo Shen,Yajin Zhou,Kui Ren

DOI: https://doi.org/10.1145/3374664.3375734

2020-01-01

Abstract:Stack canary is the most widely deployed defense technique against stack buffer overflow attacks. However, since its proposition, the design of stack canary has very few improvements during the past 20 years, making it vulnerable to new and sophisticated attacks. For example, the ARM64 Linux kernel is still adopting the same design with StackGuard, using one global canary for the whole kernel. The x86_64 Linux kernel leverages a better design by using a per-task canary for different threads. Unfortunately, both of them are vulnerable to kernel memory leaks. Using the memory leak bugs or hardware side-channel attacks, e.g., Meltdown or Spectre, attackers can easily peek the kernel stack canary value, thus bypassing the protection. To address this issue, we proposed a fine-grained design of the kernel stack canary named PESC, standing for Per-System-Call Canary, which changes the kernel canary value on the system call basis. With PESC, attackers cannot accumulate any knowledge of prior canary across multiple system calls. In other words, PESC is resilient to memory leaks. Our key observation is that before serving a system call, the kernel stack is empty and there are no residual canary values on the stack. As a result, we can directly change the canary value on system call entry without the burden of tracking and updating old canary values on the kernel stack. Moreover, to balance the performance as well as the security, we proposed two PESC designs: one relies on the performance monitor counter register, termed as PESC-PMC, while the other one uses the kernel random number generator, denoted as PESC-RNG. We implemented both PESC-PMC and PESC-RNG on the real-world hardware, using HiKey960 board for ARM64 and Intel i7-7700 for x86_64. The synthetic benchmark and SPEC CPU2006 experimental results show that the performance overhead introduced by PESC-PMC and PESC-RNG on the whole system is less than 1%.

Liwei Guo,Tiantu Xu,Mengwei Xu,Xuanzhe Liu,Felix Xiaozhu Lin

DOI: https://doi.org/10.1145/3190508.3190533

2018-01-01

Abstract:Many apps benefit from knowing their power consumption and adapting their behaviors on the fly. To offer apps power knowledge at run time, an OS often meters system power and divides it among apps. Since the impacts of concurrent apps on system power are entangled, this approach not only makes it difficult to reason about power but also results in power side channels, a serious vulnerability.

Jinqian Liang,Xiaohong Guan

2007-01-01

Abstract:A widely used technique for detecting malicious code is to execute potential malicious applications inside protection domains that enforce established security policies. These containers often referred to as sandboxes, come in a variety of forms. This paper presents a novel sandbox that can protect computer system from destruction while malicious code running. Our solution provides a general-purpose virtual environment for executing the untrusted applications. In this environment, malicious code has no opportunity to destroy the data in the storage devices or propagate itself through the network. Algorithms for protecting the disk data and simulating the network are given, and the experimental results of the sandbox are discussed.

Chengyu Song,Chao Qin,Jianwei Zhuge,Zhiyin Liang,Zhiyuan Ye

2009-01-01

Abstract:Malware is a major threat to the cyber world and the number of unique malware samples captured by antivirus software venders is making an explosive growth in recent years. To improve the malware analysis efficiency, researchers have developed several automated coarse-grained dynamic malware analysis systems, including Norman Sandbox, CWSandbox and TTAnalyze, etc. However, these systems' analysis capabilities still cannot compare with the growth of malware, because they rely on heavy virtual machines to build malware execution environments. To further improve the efficiency, this paper analyzes the bottlenecks in these systems and proposes two mechanisms, flash revert and VM fork to reduce the found overheads. Experiments on an OS-level VMM based prototype implementation (MwSandbox) show that the efficiency is improved at least an order of magnitude without losing analysis quality.

Chenglin Xie,Yujie Guo,Shaosen Shi,Yu Sheng,Xiarun Chen,Chengyang Li,Weiping Wen

DOI: https://doi.org/10.1109/trustcom53373.2021.00099

2021-01-01

Abstract:Sandbox is an excellent tool for dynamic malware analysis. However, the sandbox detection techniques are increasingly adopted to develop malwares, which has been a significant threat to sandbox analysis. These malwares can detect the running environment and show different behaviors in corresponding environments. So far, there have been several studies about countermeasures, but most of them concentrate on Windows OS. Environmental features in Linux sandbox have not been summarized yet. Besides, existing popular sandboxes can hardly combat against sandbox detecting techniques. In this paper, we focus on Linux sandbox. We firstly propose Linux environmental features from six aspects and implement an effective tool to collect features from running environment to tell the discrepancy among physical machine, virtual machine and sandbox. More importantly, we present EnvFaker, an effective method to reinforce Linux sandbox against environmental-sensitive malware. This method uses tracer to track child process and injected process, filters to intercept sandbox detecting behaviors, and emulator to disguise wear-and-tear and network environment. The experimental results further demonstrate that our method is effective against detecting techniques for Linux sandbox.

Zhiyuan Wan,David Lo,Xin Xia,Liang Cai

DOI: https://doi.org/10.1007/s10664-019-09737-2

IF: 3.762

2019-01-01

Empirical Software Engineering

Abstract:A container is a group of processes isolated from other groups via distinct kernel namespaces and resource allocation quota. Attacks against containers often leverage kernel exploits through the system call interface. In this paper, we present an approach that mines sandboxes and enables fine-grained sandbox enforcement for containers. We first explore the behavior of a container by running test cases and monitor the accessed system calls including types and arguments during testing. We then characterize the types and arguments of system call invocations and translate them into sandbox rules for the container. The mined sandbox restricts the container’s access to system calls which are not seen during testing and thus reduces the attack surface. In the experiment, our approach requires less than eleven minutes to mine a sandbox for each of the containers. The estimation of system call coverage of sandbox mining ranges from 96.4% to 99.8% across the containers under the limiting assumptions that the test cases are complete and only static system/application paths are used. The enforcement of mined sandboxes incurs low performance overhead. The mined sandboxes effectively reduce the attack surface of containers and can prevent the containers from security breaches in reality.

Antonio Nappa,Panagiotis Papadopoulos,Matteo Varvello,Daniel Aceituno Gomez,Juan Tapiador,Andrea Lanzi

DOI: https://doi.org/10.48550/arXiv.2109.02979

2021-10-06

Abstract:Online malware scanners are one of the best weapons in the arsenal of cybersecurity companies and researchers. A fundamental part of such systems is the sandbox that provides an instrumented and isolated environment (virtualized or emulated) for any user to upload and run unknown artifacts and identify potentially malicious behaviors. The provided API and the wealth of information inthe reports produced by these services have also helped attackers test the efficacy of numerous techniques to make malware hard to <a class="link-external link-http" href="http://detect.The" rel="external noopener nofollow">this http URL</a> most common technique used by malware for evading the analysis system is to monitor the execution environment, detect the presence of any debugging artifacts, and hide its malicious behavior if needed. This is usually achieved by looking for signals suggesting that the execution environment does not belong to a the native machine, such as specific memory patterns or behavioral traits of certain CPU instructions. In this paper, we show how an attacker can evade detection on such online services by incorporating a Proof-of-Work (PoW) algorithm into a malware sample. Specifically, we leverage the asymptotic behavior of the computational cost of PoW algorithms when they run on some classes of hardware platforms to effectively detect a non bare-metal environment of the malware sandbox analyzer. To prove the validity of this intuition, we design and implement the POW-HOW framework, a tool to automatically implement sandbox detection strategies and embed a test evasion program into an arbitrary malware sample. Our empirical evaluation shows that the proposed evasion technique is durable, hard to fingerprint, and reduces existing malware detection rate by a factor of 10. Moreover, we show how bare-metal environments cannot scale with actual malware submissions rates for consumer services.

Cryptography and Security