Friday 3 June 2011

More thoughts on Sandboxing for security

From a security perspective, perhaps today's desktop operating systems are missing the point. With the increase in carefully-targeted spear-phishing attacks, we need to change our approach if we are to stop our computers being compromised.  Firewalls, content-checkers, anti-virus programs, whole-disk encryption: these are all necessary, but they are not enough.

We must assume the worst and plan accordingly.  From time to time, you or a colleague will receive malware-infected files that will get past the virus scanner.  How can we remain secure?

Given the security threats from the Internet today, I believe that all web pages, images and documents need to be opened inside a sandbox container by default.
  • Whenever a file (web page, document, image...) is loaded onto your computer, the operating system must set a trust level for that file.   
  • Unless you raise the trust level of a file, the program that opens it must not be allowed to access your hard drive or your network connection even if the file came from someone you trust.
Issues and observations...
  • This all has the potential to get a bit klunky when you have multiple instances of the same application accessing different files at different trust levels.  But given some simple API conventions, it ought to be simple enough to make it all work smoothly if the operating system GUI is made sandbox-aware.  
  • Speed-wise, things shouldn't be too bad either, since modern OSes have "copy on write" memory management facilities that enable RAM to be shared when you're running several instances of the same program.
  • Technically it should be easy enough to store the trust level of each file as "extended attributes" in the filesystem, since lots of operating systems support that.  If the OS kernel ensures that only privileged programs can change that trust level, then appropriate sandboxing settings can be enforced automatically whenever an application opens a file.
  • Email programs are problematic.  What if a malicious email gains control of your email program?  The malware could then read your email and send email as you - so an attacker might exploit that to reset the passwords of your e-commerce accounts.  I'm not sure how we can prevent that.
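
A sketch of the extended-attribute idea from the list above, for Linux. This is an added example, not code from the original post; the attribute name `security.trustlevel`, the two trust levels and the `Policy` fields are assumptions made for illustration.

```python
import errno
import os
from dataclasses import dataclass

# Hypothetical attribute name. The "security." namespace fits the post's rule:
# with no security module loaded, any process can read it but only a process
# with CAP_SYS_ADMIN can write it. A "user." attribute could be changed by
# anyone able to write the file.
TRUST_XATTR = "security.trustlevel"

@dataclass(frozen=True)
class Policy:
    allow_disk: bool
    allow_network: bool

# Assumed two-level scheme; the post does not define the actual levels.
POLICIES = {
    "untrusted": Policy(allow_disk=False, allow_network=False),
    "trusted": Policy(allow_disk=True, allow_network=True),
}
DEFAULT_LEVEL = "untrusted"

def trust_level(path, getxattr=os.getxattr):
    """Return the file's trust level, failing closed to DEFAULT_LEVEL."""
    try:
        raw = getxattr(path, TRUST_XATTR)
    except OSError:
        # Attribute absent, filesystem without xattrs, or permission denied.
        return DEFAULT_LEVEL
    try:
        level = raw.decode("ascii").strip().lower()
    except UnicodeDecodeError:
        return DEFAULT_LEVEL
    return level if level in POLICIES else DEFAULT_LEVEL

def policy_for(path, getxattr=os.getxattr):
    """Sandbox settings a launcher would apply before opening the file."""
    return POLICIES[trust_level(path, getxattr)]

# Constructed sample data standing in for attributes stored on disk.
SAMPLE = {"/home/me/report.odt": b"trusted", "/tmp/odd.doc": b"\xffroot"}

def sample_getxattr(path, name):
    if path not in SAMPLE:
        raise OSError(errno.ENODATA, "No data available", path)
    return SAMPLE[path]

if __name__ == "__main__":
    for p in ("/home/me/report.odt", "/tmp/odd.doc", "/tmp/new-download.jpg"):
        print(p, trust_level(p, sample_getxattr), policy_for(p, sample_getxattr))
```

Any file with a missing, unreadable or unrecognised attribute is treated as untrusted, so a newly downloaded file gets no disk or network access until a privileged tool raises its level.
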
My prediction for 2011 and 2012 is that sandboxing will become more common.  I've already written about some Windows and Mac sandboxing approaches.  It seems that Ubuntu Linux 11.04 and later versions now include an "easy" application sandboxing tool called Arkose, which is built on top of the LXC Linux Containers framework - "chroot on steroids".  Here are some links...
