Computer Systems Security: Winter 2018 Assignment 4: Difference between revisions
No edit summary |
|||
(14 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
Please answer the following questions. There are 7 questions with 20 points. Submit your answers as a text or PDF file via cuLearn by April 9, 2018 at 10:00 AM. Be sure to put your name and student number at the beginning of your submission. | |||
When answering each question, please indicate '''the sources of your answer.''' This could be a man page, your own experiments, discussion with a friend, or a website. Please list all your sources. You are allowed to collaborate; such collaboration should be clearly documented! If you already know an answer because of background knowledge you had before the class, that is fine, just state that this is the case. | |||
==Questions== | |||
<ol> | |||
<li>[1] When code runs in a "sandboxed environment" does this refer to a specific security technology? Explain briefly.</li> | |||
<li>[1] Why is it harder to implement protection boundaries within a process, as compared to having an operating system implement protection boundaries? Explain briefly.</li> | |||
<li>[1] Which is a better interface for implementing security restrictions, function/method calls or system calls? Why?</li> | |||
<li>[1] How do language runtimes (interpreted and just-in-time compiled) provide opportunities for enforcing security properties? Why can't binaries compiled to machine code provide the same security guarantees?</li> | |||
<li>[4] Firefox [https://addons.mozilla.org/en-US/firefox/addon/pinterest-pin-button/ Pinterest save button] extension: | |||
<ol style="list-style-type:lower-alpha"> | |||
<li>[1] What does this extension do? | |||
<li>[1] What permissions does it need? | |||
<li>[1] Why does it need these permissions? | |||
<li>[1] Is it possible for the extension to perform actions unrelated to its purpose with these permissions? Explain briefly. | |||
</ol> | |||
Hint: Refer to Firefox's [https://support.mozilla.org/en-US/kb/permission-request-messages-firefox-extensions description of permissions]. | |||
</li> | |||
<li>[4] How is iOS runtime security (see [https://www.apple.com/business/docs/iOS_Security_Guide.pdf Apple's Security Whitepaper], p. 23-24) like [https://en.wikipedia.org/wiki/Operating-system-level_virtualization OS virtualization], as implemented by [http://linux-vserver.org/Overview Linux-VServer] or similar systems? How is it different? Explain each and compare/contrast.</li> | |||
<li>[8] Define whitelists, blacklists, anomaly detection, and virtualization. For each, give an example of a security mechanism based on that strategy, briefly explaining how the strategy relates to the mechanism.</li> | |||
</ol> | |||
==Solutions== | |||
<ol> | |||
<li>Sandboxing does not refer to a specific technology; instead, it refers to the goal of isolating code so it runs within a restricted environment. While code is often sandboxed by running it within a restricted runtime environment (e.g. browser-based JavaScript), it can also be achieved using static analysis or using OS-level isolation mechanisms (e.g., containers).</li> | |||
<li>It is harder to implement protection boundaries within a process because inside a process, we don't have access to the hardware mechanisms that operating systems use, such as user/supervisor mode and virtual memory.</li> | |||
<li>System calls are a better interface for implementing security restrictions because even if an attacker gets control of a process, they cannot subvert the security policies implemented by system calls. The logic is protected because it is in the kernel or is delegated to another process. If protections are implemented inside functions, they can be subverted by an attacker gaining control of a process.</li> | |||
<li>Language runtimes maintain complete control of the runtime environment, either by directly interpreting higher-level code (interpreters) or by controlling the compilation of code (JITs). Because they interpose on all code, it is straightforward to place restrictions on the behavior of code, and these restriction can only be bypassed if there are flaws in the logic of the language runtime. Compiled languages do not provide the same opportunities for enforcing security guarantees because security checking code that can be inserted into a binary is intermingled with user code; thus, flaws in user code can allow compiler-provided security-checking code to be bypassed.</li> | |||
<li> | |||
<ol style="list-style-type:lower-alpha"> | |||
<li>This extension allows one to save pages or images to Pinterest at the click of a button (as the extension summary says!).</li> | |||
<li>It requests "Access your data for all websites", "Download files and read and modify the browser’s download history", "Monitor extension usage and manage themes", and "Access browser tabs"</li> | |||
<li>It needs to access data from websites so it can grab URLs and images when they are to be saved. No idea why it needs the other permissions. (If you actually figured out what it does with these permissions you get at least one bonus mark.)</li> | |||
<li>It is possible for this extension to do so, so much more than pin things to your pinterest account. It can see everything that has been downloaded, change how your browser works (by changing the theme), see what other web pages are being loaded, and monitor and modify anything you see in your browser. Lots of power for a little pinning!</li> | |||
</ol> | |||
<li>iOS sandboxing and Linux VServer both isolate applications so they cannot directly interact with the files and processes of other applications. With Linux VServer, a user gets what appears to be an entire Linux machine - standard files are all present in their expected locations, user accounts (including root) work as epected, and so the machine can be configured as desired support arbitrary services (e.g., web servers, databases). These services, however, are (almost) as isolated from other applications on the VServer host as they would be running on separate systems. With iOS, however, applications are clearly running in a specialized environment that allows for other applications to be observed and interacted with (in very limited, mediated ways). Further, it is possible for arbitrary apps to perform many privileged operations that can affect the entire system '''if''' they have the right entitlements (permissions encoded in a digitally signed file accompanying the app). While iOS sandboxing using many of the OS-level sandboxing techniques that Linux VServer does, it adds its own and changes the programmer-visible environment into something very different from | |||
a standard UNIX box.</li> | |||
<li>Below is an example answer. Many other examples are acceptable; your definitions should be pretty close to those listed below. | |||
<ol style="list-style-type:lower-alpha"> | |||
<li>A whitelist is a list of acceptable inputs. Standard passwords are a very simple whitelist (the user's password is on the whitelist, everything else isn't).</li> | |||
<li>A blacklist is a list of unacceptable inputs. Anti-malware scanners implement use black lists of unacceptable executables (e.g., known malware).</li> | |||
<li>Anomaly detction systems detect anomalous behavior, under the assumption that anomalies are correlated with potential security violations. Credit card anti-fraud mechanisms often use anomaly detection in detecting when purchases are made from an unusual location or merchant, triggering a fraud alert.</li> | |||
<li>Virtualization is when access to a resource is intermediated through an abstraction. Virtual memory is (in part) a security mechanism where access to physical memory is abstracted into multiple virtual memory regions.</li> | |||
</ol> | |||
</ol> |
Latest revision as of 17:10, 9 April 2018
Please answer the following questions. There are 7 questions with 20 points. Submit your answers as a text or PDF file via cuLearn by April 9, 2018 at 10:00 AM. Be sure to put your name and student number at the beginning of your submission.
When answering each question, please indicate the sources of your answer. This could be a man page, your own experiments, discussion with a friend, or a website. Please list all your sources. You are allowed to collaborate; such collaboration should be clearly documented! If you already know an answer because of background knowledge you had before the class, that is fine, just state that this is the case.
Questions
- [1] When code runs in a "sandboxed environment" does this refer to a specific security technology? Explain briefly.
- [1] Why is it harder to implement protection boundaries within a process, as compared to having an operating system implement protection boundaries? Explain briefly.
- [1] Which is a better interface for implementing security restrictions, function/method calls or system calls? Why?
- [1] How do language runtimes (interpreted and just-in-time compiled) provide opportunities for enforcing security properties? Why can't binaries compiled to machine code provide the same security guarantees?
- [4] Firefox Pinterest save button extension:
- [1] What does this extension do?
- [1] What permissions does it need?
- [1] Why does it need these permissions?
- [1] Is it possible for the extension to perform actions unrelated to its purpose with these permissions? Explain briefly.
Hint: Refer to Firefox's description of permissions.
- [4] How is iOS runtime security (see Apple's Security Whitepaper, p. 23-24) like OS virtualization, as implemented by Linux-VServer or similar systems? How is it different? Explain each and compare/contrast.
- [8] Define whitelists, blacklists, anomaly detection, and virtualization. For each, give an example of a security mechanism based on that strategy, briefly explaining how the strategy relates to the mechanism.
Solutions
- Sandboxing does not refer to a specific technology; instead, it refers to the goal of isolating code so it runs within a restricted environment. While code is often sandboxed by running it within a restricted runtime environment (e.g. browser-based JavaScript), it can also be achieved using static analysis or using OS-level isolation mechanisms (e.g., containers).
- It is harder to implement protection boundaries within a process because inside a process, we don't have access to the hardware mechanisms that operating systems use, such as user/supervisor mode and virtual memory.
- System calls are a better interface for implementing security restrictions because even if an attacker gets control of a process, they cannot subvert the security policies implemented by system calls. The logic is protected because it is in the kernel or is delegated to another process. If protections are implemented inside functions, they can be subverted by an attacker gaining control of a process.
- Language runtimes maintain complete control of the runtime environment, either by directly interpreting higher-level code (interpreters) or by controlling the compilation of code (JITs). Because they interpose on all code, it is straightforward to place restrictions on the behavior of code, and these restriction can only be bypassed if there are flaws in the logic of the language runtime. Compiled languages do not provide the same opportunities for enforcing security guarantees because security checking code that can be inserted into a binary is intermingled with user code; thus, flaws in user code can allow compiler-provided security-checking code to be bypassed.
-
- This extension allows one to save pages or images to Pinterest at the click of a button (as the extension summary says!).
- It requests "Access your data for all websites", "Download files and read and modify the browser’s download history", "Monitor extension usage and manage themes", and "Access browser tabs"
- It needs to access data from websites so it can grab URLs and images when they are to be saved. No idea why it needs the other permissions. (If you actually figured out what it does with these permissions you get at least one bonus mark.)
- It is possible for this extension to do so, so much more than pin things to your pinterest account. It can see everything that has been downloaded, change how your browser works (by changing the theme), see what other web pages are being loaded, and monitor and modify anything you see in your browser. Lots of power for a little pinning!
- iOS sandboxing and Linux VServer both isolate applications so they cannot directly interact with the files and processes of other applications. With Linux VServer, a user gets what appears to be an entire Linux machine - standard files are all present in their expected locations, user accounts (including root) work as epected, and so the machine can be configured as desired support arbitrary services (e.g., web servers, databases). These services, however, are (almost) as isolated from other applications on the VServer host as they would be running on separate systems. With iOS, however, applications are clearly running in a specialized environment that allows for other applications to be observed and interacted with (in very limited, mediated ways). Further, it is possible for arbitrary apps to perform many privileged operations that can affect the entire system if they have the right entitlements (permissions encoded in a digitally signed file accompanying the app). While iOS sandboxing using many of the OS-level sandboxing techniques that Linux VServer does, it adds its own and changes the programmer-visible environment into something very different from a standard UNIX box.
- Below is an example answer. Many other examples are acceptable; your definitions should be pretty close to those listed below.
- A whitelist is a list of acceptable inputs. Standard passwords are a very simple whitelist (the user's password is on the whitelist, everything else isn't).
- A blacklist is a list of unacceptable inputs. Anti-malware scanners implement use black lists of unacceptable executables (e.g., known malware).
- Anomaly detction systems detect anomalous behavior, under the assumption that anomalies are correlated with potential security violations. Credit card anti-fraud mechanisms often use anomaly detection in detecting when purchases are made from an unusual location or merchant, triggering a fraud alert.
- Virtualization is when access to a resource is intermediated through an abstraction. Virtual memory is (in part) a security mechanism where access to physical memory is abstracted into multiple virtual memory regions.