ABSTRACT
File system sandboxing is a useful technique for protecting sensitive data from untrusted binaries. However, existing approaches do not allow fine-grained control over policy enforcement, require superuser privileges, or incur high performance overhead. This paper proposes SandFS, a lightweight and fine-grained file system sandboxing framework for unprivileged users and applications. We have designed SandFS as a stackable in-kernel file system that can safely be extended at runtime from userspace to enforce custom security policies in the kernel while offering near-native performance. With SandFS, multiple sandboxing layers can be stacked on top of each other, each higher layer further enforcing its own policies to provide a restricted view of the layer below it. Our evaluation of SandFS with real-world workloads shows that it imposes less than 10% performance overhead.