Notes on Sandboxing Untrusted Programs -ostia ( By Anusha Pachunuri ) How to implement the monitor?

Download 6.71 Kb.

Hajmi6.71 Kb.
background image
Notes on Sandboxing Untrusted Programs -Ostia   ( By Anusha Pachunuri )

How to implement the monitor?
background image
Potential downside of this kind of approach:

 The attacker can make system calls that access kernel  and thus induce unsafe code.

Another model would be this--

For such a systemthe Policy might say something like 

Open(“/tmp/sandbox/ * ”, * )=>OK   which means that it is always okay to access any file under 

that path listing and that it can be accessed in both read or write mode.

The failsafe default  for such a design would be 


Some other points

 Policy depends on arguments of the system call. So monitor has to obtain the system call.

 Pointer to the open system call is passed to the monitor.

Monitor asks the Application memory for function call arguments.It then gets the filename from 

the Application memory.

 Now it replies with a yes or no depicting grant or ungrant of access respectively.

background image
One of the major problems would be that this kind of model would suffer from the Time of 

Check to Time Of Use bug.

TOCTTOU bug arises when the application could have multiple threads of execution .

Multiple threads of execution imply that one thread could be changing the argument to the 

‘open’ system call, the other would be accessing the function at the same time .This resulting in 

modification of the string argument.

We will hopefully address this problem in later part of the paper.

Now let us try to introduce the RPC library into the Application space

Step 3  indicates that the monitor takes argument of system calls from application and 

compares with its underlying policy.

Step 4 indicates the monitor computing the result and handing it over to the RPC library

Step 5 indicates that RPC gives the result back to the application

Instead the model can choose to follow another mechanism  wherein 

 The monitor opens the file, indicates the file number or descriptor of the file it has opened.And 

then it tells the application to copy this value somewhere in the table for application 

entries.There is assumed to be some kind of mapping between the entries in appl’n table and 

the table for the monitor

Do'stlaringiz bilan baham:

Ma'lumotlar bazasi mualliflik huquqi bilan himoyalangan © 2017
ma'muriyatiga murojaat qiling