DOI: 10.1145/3532105.3535016
Research article (Public Access)

A Study of Application Sandbox Policies in Linux

Published: 08 June 2022

Abstract

Desktop operating systems, including macOS, Windows 10, and Linux, are adopting the application-based security model pervasive in mobile platforms. In Linux, this transition is part of the movement towards two distribution-independent application platforms: Flatpak and Snap. This paper provides the first analysis of sandbox policies defined for Flatpak and Snap applications, covering 283 applications contained in both platforms. First, we find that 90.1% of Snaps and 58.3% of Flatpak applications studied are contained by tamperproof sandboxes. Further, we find evidence that package maintainers actively attempt to define least-privilege application policies. However, defining policy is difficult and error-prone. When studying the set of matching applications that appear in both Flatpak and Snap app stores, we frequently found policy mismatches: e.g., the Flatpak version has a broad privilege (e.g., file access) that the Snap version does not, or vice versa. This work provides confidence that Flatpak and Snap improve Linux platform security while highlighting opportunities for improvement.

Supplementary Material

MP4 File (sacmat22-fp11.mp4)
A Study of Application Sandbox Policies in Linux presented by Trevor Dunlap


Cited By

  • Survey of Real-World Process Sandboxing. 2024 35th Conference of Open Innovations Association (FRUCT), 520-531. DOI: 10.23919/FRUCT61870.2024.10516417. Online publication date: 24 Apr 2024.
  • Emerging Paradigms in Wearable Security: Adaptable and Secure Sandboxing for On-the-Fly Collaboration Among Wearables. IEEE Security and Privacy 22(6), 30-39. DOI: 10.1109/MSEC.2024.3440198. Online publication date: 1 Nov 2024.
  • Comparative analysis of package managers Flatpak and Snap used for open-source software distribution. Journal of Computer Sciences Institute 29, 405-412. DOI: 10.35784/jcsi.4587. Online publication date: 29 Dec 2023.

    Published In

    SACMAT '22: Proceedings of the 27th ACM on Symposium on Access Control Models and Technologies
    June 2022, 282 pages
    ISBN: 9781450393577
    DOI: 10.1145/3532105
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

    Publisher

    Association for Computing Machinery, New York, NY, United States


    Author Tags

    1. Linux applications
    2. access control
    3. sandbox policy

    Acceptance Rates

    Overall Acceptance Rate 177 of 597 submissions, 30%

    Article Metrics

    • Downloads (Last 12 months)360
    • Downloads (Last 6 weeks)69
    Reflects downloads up to 27 Feb 2025
