A Study of Security Isolation Techniques

Security isolation is a foundation of computing systems that enables resilience to different forms of attack. This article seeks to understand existing security isolation techniques by systematically classifying different approaches and analyzing their properties. We provide a hierarchical classification structure for grouping security isolation techniques. At the top level, we consider two principal aspects: mechanism and policy. Each aspect is broken down into salient dimensions that describe its key properties. We break the mechanism aspect into two dimensions, enforcement location and isolation granularity, and the policy aspect into three dimensions: policy generation, policy configurability, and policy lifetime. We apply our classification to a set of representative articles that cover a breadth of security isolation techniques, and we discuss the trade-offs among different design choices and the limitations of existing approaches.
