2005. Programming Languages Security - A Survey, страница 8

It does not thwartthe vulnerability or its violation, but instead tries to limit theamount of damage that a compromised component can causeto a system.Sandboxing employs the “Principle of Least Privilege” [81], according to which, an application is granted the14least possible privileges to be able to complete its job, andthe privileges are granted only for the least amount of timenecessary. It is usually implemented in two ways:rity that it introduces makes it more difficult for an attacker togain unwarranted access.systrace is distributed under a BSD-style license andships by default with NetBSD, OpenBSD and OpenDarwin.There are also ports for Mac OS X (currently unmaintained),FreeBSD, and Linux.• Seclusion of faults: guarantees that when a programcomponent fails, it will not result in total system failure. Address spaces of different modules are usually keptseparate to enforce fault isolation, however for tightlycoupled modules this incurs substantial execution overhead, due to costly context switches and inter-modulecommunication.SFIThe Software-based Fault Isolation [95] approach implements fault isolation using a single address space.

Thisnegates the need for context switches and allows for cheaperinter-module communication, but increases execution time.Only distrusted modules warrant an execution time overhead.Code in trusted domains execute unvaried.The approach has two parts. First, a distrusted module’scode and data is loaded into its own fault domain – a logicallydifferentiated section of the application’s address space, comprising a contiguous region of memory. Each fault domainhas a unique identifier which is used to mandate its access toprocess resources.A fault domain is split up into two segments, one forthe code of the distrusted module and the other for its staticdata, heap and stack.

All virtual addresses within a segmentshare a distinct pattern of upper bits, called the segmentidentifier. Second, the distrusted module’s object codeis instrumented to prevent it from writing or jumping to anaddress outside its fault domain.

Such isolated modules arenot capable of modifying “each other’s data or executing eachother’s code except through an explicit cross-fault-domainRPC interface” [95].This isolation is enforced using two techniques:• Imposition of a policy: a policy is defined and enforced,stating categorically what an application is allowed andprohibited from doing. The enforcement is usually donevia a reference monitor where an application’s access tospecific resources is regulated.The main drawback of this type of countermeasure is thatit requires a well-reasoned, comprehensive policy regardingwhat can and cannot be accessed.

Creation of such a policyusually requires a detailed understanding of the programbeing sandboxed. A further problem with policy-based sandboxing technologies is that they are not broadly portable [92].Systracesystrace [88] is a utility that audits and regulates anapplication’s access to a system by generating and enforcingaccess policies for system calls.

It obviates the requirementto run a program in a completely privileged mode. Usingsystrace, programs can be run unprivileged but are provided with facilities for privilege elevation when required. Aconfigurable policy determines which operations can be executed with elevated privileges [71].systrace is especially useful when running untrustedbinary-only applications, the access of these applications tothe system can be sandboxed, increasing the system’s total security.The policy specifies the behavior desired of applicationson a system call level basis. With systrace, a user can decide which programs can make which system calls and howthose calls can be made. Policy generation is possible eitherautomatically – a base policy is generated, containing all thesystem calls the application wishes to make, this list can laterbe refined; or interactively – the user decides whether an attempt to execute a system call that is not described by thecurrent policy can be performed during program execution.Operations that are not explicitly permitted by the policy aredenied by systrace.

Such operation denials are logged andthe user can decide whether he wants to add it to the presentlyconfigured policy or not.Like most existing utilities and tools systrace does notguarantee complete security, but the additional layer of secu-1. Segment matching inserts checking code before everyunsafe instruction i.e. an instruction that jumps or writesto an address that cannot be statically verified to be in theright segment. The checking code decides if the targetaddress of the unsafe instruction has the correct segmentidentifier. If the check is unsuccessful, an error will bereported. This technique allows the programmer to exactly locate the violating instruction.2.

Address sandboxing attempts to reduce the overhead associated with enforcing SFI, by providing no informationon the source of faults. Every unsafe instruction is preceded with inserted code, that sets the upper bits of thetarget address to the correct segment identifier. Writablememory is allowed to be shared across fault domains,using a technique called lazy pointer swizzling: for eachaddress space segment that requires access, the page tables are modified so as to map the shared memory at thesame offset.15These techniques make it more difficult for malicioususers to exploit memory address vulnerabilities.cached code proceed with no security overhead. This leadsto efficient execution.The program shepherding authors point out that programshepherding could be used to allow services provided by theoperating system to be moved to more efficient user-level libraries.They cite the Exokernel [24] class of operating systems asan example, here program shepherding could enforce uniqueentry points to the unprivileged libraries that provide the normal operating system operations, thereby giving users efficient control of system resources without sacrificing security.The DynamoRio binary package can be downloaded fromthe DynamoRIO Release website [23].

It is beta software andis supported on the following platforms: Linux (RedHat 7.2,RedHat Enterprise Linux WS 3, Fedora Core 2, Fedora Core3) and Windows (NT, XP, 2003, 2000).Program shepherdingProgram shepherding [47] is a technique that inspects allexecution-flow transfers throughout program execution to assure that each respects a given security policy. The focus is onpreventing transfer of control to malicious code, thereby preventing a wide range of security attacks.

For example, bufferoverflow attacks are prevented, as a successful attack wouldneed a control-flow transfer that would violate the securitypolicy.Program shepherding can also be used to disallow execution of shared library code except through declared entrypoints, and can ascertain that a return instruction only returnsto the instruction after the point of the call.Program shepherding is implemented via three techniques:• Execution privileges restricted based on code origins:this can ensure that malicious code disguised as data isnever executed. Code origins are checked against a security policy to see if it should be granted or denied executeprivileges. Code origins are sorted based on whether it isfrom the original image on disk and unmodified, dynamically generated but unmodified since generation or codethat has been modified .4.4Compiler TechniquesThe compiler plays a crucial role in determining the executionenvironment of a program.

Numerous modifications to overcome security vulnerabilities in programs can be made in thecompiler, without necessitating change in the programminglanguage in which the programs are developed [100]. Thesetechniques generally work by performing bounds checking onC programs. The drawback however is that performance critical pointer-intensive programs will be considerably sloweddown [56].To use these tools the compiler usually needs to be patchedwith them. The protection offered by these tools can then beenabled or disabled via specific flags.• Limited transfer control : this denies attackers the possibility of branching directly to their code and executing it,shunting any sanity checks that might have been requiredto be performed before that code was executed. Enforcing the execution model involves allowing each branchto jump only to a specified set of targets.SCC: The Safe C CompilerSCC [2] is a C source-level program transformation system which includes checks for all pointer and array accessesso as to provide efficient detection of memory access errors inunchecked C code.

The technique is to have safe pointer representation by using a data structure that contains safety information to model pointers; and by inserting run-time checks.A safe pointer contains the value of the pointer along withsupplementary information called object attributes. Suchattributes include, base address, size of the memory objectin bytes, storage class (heap, local or global) and capability:a unique identifier for the storage allocation of dynamicallyallocated variables.• Un-Bypassable Sandboxing: shepherding guaranteesthat sandboxing checks placed around any type of program operation will never be dodged.