Computer Systems Security: Winter 2018 Assignment 4: Difference between revisions

From Soma-notes
No edit summary
Line 26: Line 26:


<ol>
<ol>
<li>Sandboxing does not refer to a specific technology; instead, it refers to the goal of isolating code so it runs within a restricted environment.  While code is often sandboxed by running it within a restricted runtime environment (e.g. browser-based JavaScript), it can also be achieved using static analysis or using OS-level isolation mechanisms (e.g., containers).<li>
<li>Sandboxing does not refer to a specific technology; instead, it refers to the goal of isolating code so it runs within a restricted environment.  While code is often sandboxed by running it within a restricted runtime environment (e.g. browser-based JavaScript), it can also be achieved using static analysis or using OS-level isolation mechanisms (e.g., containers).</li>
<li>It is harder to implement protection boundaries within a process because inside a process, we don't have access to the hardware mechanisms that operating systems use, such as user/supervisor mode and virtual memory.</ii>
<li>It is harder to implement protection boundaries within a process because inside a process, we don't have access to the hardware mechanisms that operating systems use, such as user/supervisor mode and virtual memory.</ii>
<li>System calls are a better interface for implementing security restrictions because even if an attacker gets control of a process, they cannot subvert the security policies implemented by system calls.  The logic is protected because it is in the kernel or is delegated to another process.  If protections are implemented inside functions, they can be subverted by an attacker gaining control of a process.</li>
<li>System calls are a better interface for implementing security restrictions because even if an attacker gets control of a process, they cannot subvert the security policies implemented by system calls.  The logic is protected because it is in the kernel or is delegated to another process.  If protections are implemented inside functions, they can be subverted by an attacker gaining control of a process.</li>

Revision as of 14:11, 9 April 2018

Please answer the following questions. There are 7 questions with 20 points. Submit your answers as a text or PDF file via cuLearn by April 9, 2018 at 10:00 AM. Be sure to put your name and student number at the beginning of your submission.

When answering each question, please indicate the sources of your answer. This could be a man page, your own experiments, discussion with a friend, or a website. Please list all your sources. You are allowed to collaborate; such collaboration should be clearly documented! If you already know an answer because of background knowledge you had before the class, that is fine, just state that this is the case.

Questions

  1. [1] When code runs in a "sandboxed environment" does this refer to a specific security technology? Explain briefly.
  2. [1] Why is it harder to implement protection boundaries within a process, as compared to having an operating system implement protection boundaries? Explain briefly.
  3. [1] Which is a better interface for implementing security restrictions, function/method calls or system calls? Why?
  4. [1] How do language runtimes (interpreted and just-in-time compiled) provide opportunities for enforcing security properties? Why can't binaries compiled to machine code provide the same security guarantees?
  5. [4] Firefox Pinterest save button extension:
    1. [1] What does this extension do?
    2. [1] What permissions does it need?
    3. [1] Why does it need these permissions?
    4. [1] Is it possible for the extension to perform actions unrelated to its purpose with these permissions? Explain briefly.

    Hint: Refer to Firefox's description of permissions.

  6. [4] How is iOS runtime security (see Apple's Security Whitepaper, p. 23-24) like OS virtualization, as implemented by Linux-VServer or similar systems? How is it different? Explain each and compare/contrast.
  7. [8] Define whitelists, blacklists, anomaly detection, and virtualization. For each, give an example of a security mechanism based on that strategy, briefly explaining how the strategy relates to the mechanism.

Solutions

  1. Sandboxing does not refer to a specific technology; instead, it refers to the goal of isolating code so it runs within a restricted environment. While code is often sandboxed by running it within a restricted runtime environment (e.g. browser-based JavaScript), it can also be achieved using static analysis or using OS-level isolation mechanisms (e.g., containers).
  2. It is harder to implement protection boundaries within a process because inside a process, we don't have access to the hardware mechanisms that operating systems use, such as user/supervisor mode and virtual memory.</ii>
  3. System calls are a better interface for implementing security restrictions because even if an attacker gets control of a process, they cannot subvert the security policies implemented by system calls. The logic is protected because it is in the kernel or is delegated to another process. If protections are implemented inside functions, they can be subverted by an attacker gaining control of a process.
  4. Language runtimes maintain complete control of the runtime environment, either by directly interpreting higher-level code (interpreters) or by controlling the compilation of code (JITs). Because they interpose on all code, it is straightforward to place restrictions on the behavior of code, and these restriction can only be bypassed if there are flaws in the logic of the language runtime. Compiled languages do not provide the same opportunities for enforcing security guarantees because security checking code that can be inserted into a binary is intermingled with user code; thus, flaws in user code can allow compiler-provided security-checking code to be bypassed.
    1. This extension allows one to save pages or images to Pinterest at the click of a button (as the extension summary says!).
    2. It requests "Access your data for all websites", "Download files and read and modify the browser’s download history", "Monitor extension usage and manage themes", and "Access browser tabs"
    3. It needs to access data from websites so it can grab URLs and images when they are to be saved. No idea why it needs the other permissions. (If you actually figured out what it does with these permissions you get at least one bonus mark.)
    4. It is possible for this extension to do so, so much more than pin things to your pinterest account. It can see everything that has been downloaded, change how your browser works (by changing the theme), see what other web pages are being loaded, and monitor and modify anything you see in your browser. Lots of power for a little pinning!
  5. Below is an example answer. Many other examples are acceptable; your definitions should be pretty close to those listed below.
    1. A whitelist is a list of acceptable inputs. Standard passwords are a very simple whitelist (the user's password is on the whitelist, everything else isn't).
    2. A blacklist is a list of unacceptable inputs. Anti-malware scanners implement use black lists of unacceptable executables (e.g., known malware).
    3. Anomaly detction systems detect anomalous behavior, under the assumption that anomalies are correlated with potential security violations. Credit card anti-fraud mechanisms often use anomaly detection in detecting when purchases are made from an unusual location or merchant, triggering a fraud alert.
    4. Virtualization is when access to a resource is intermediated through an abstraction. Virtual memory is (in part) a security mechanism where access to physical memory is abstracted into multiple virtual memory regions.