Security/Automation/Winter Of Security 2015/MIG Agent Sandboxing
Team
Introduction
Although we share the same main interests in security, low-level programming and binary hacking, we are diverse in the projects and skills we have developed, each having a unique skill set. We also value open source a lot and want to make our term project a useful contribution to the community. Finally, as our master's program is heavily connected to security topics and as we are interested in security and low-level programming, we are happy to be part of the Mozilla Winter of Security program.
Members
- Teodora Băluță
- Vladimir Diaconescu
- Constantin-Alexandru Tudorică
- University Advisor: Răzvan Deaconescu
- Mozilla Advisors: Aaron Meihm, Guillaume Destuynder
Project
Mozilla InvestiGator (MIG) is a digital forensics platform used by Mozilla to monitor the security of servers. MIG deploys an agent on systems that is used to maintain the security of the infrastructure. The agent currently runs as root in order to run investigation modules that have low-level access to the system. The goal of this project is to sandbox the MIG Agent on Linux in a way that allows each part to perform investigative work while having as few privileges as possible. The team will have to use the Linux Seccomp mechanism, and the existing Go library, to implement a sandbox in the Agent. If possible, the team will also evaluate sandboxing on MacOS and Windows.
Success Criteria
This project is successful if it provides an implementation which successfully manages to sandbox the MIG Agent, via the Go language and Seccomp library. The targeted operating system is Linux, with MacOS and Windows as possible objectives to be considered.
Roadmap
- Investigation:
- Go language beyond the basics
- Building, deploying and running MIG
- Digging into MIG; MIG internals, architecture
- Investigate Windows and Mac OS X sandboxing solutions
- Design:
- Aim for generic sandboxing solution (portable, working on multiple sandboxing "back-ends")
- Create generic sandbox requirements for MIG agent: filesystem access, network
- Create a whitelist approach for creating a sandbox profile
- Decide on sandbox applying flow for MIG agent; what is the flow for a MIG agent to run inside the sandbox (fork, exec, scripts, wrapper calls etc.)
- Implementation:
- Implement minimal sandbox for Linux seccomp using Go
- (optional) Port/implement sandbox for Mac OS X, Windows
- Testing and Evaluation:
- Measure resource consumption and overhead
- Validate implementation using existing unit tests
- Investigate ways of validating sandboxed apps: does an app behave the same when sandboxed as when running unsandboxed
Updates
6 October
- Looked into what syscalls are called after the modules are initialised and found out that Go calls unusual syscalls on other threads (openat, mmap, mprotect, clone, ...)
13 October
- Looked into sleeping the thread up to 30 seconds to see if the Go syscalls stop. They don't.
- Looked into calling the file module
20 October
Plan
- Make a small (hackish) whitelisting of the syscalls using seccomp on the ping module
- Look into how the sandboxing profile should be structured (JSON)
- A small diagram of how the sandboxing package integrates in MIG
- (optional) investigate differences in seccomp between kernel 2.x, 3.x and 4.x; for research purposes only, since we are aiming for 3.x compatibility
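As an added illustration of the whitelist profile and seccomp filter the plan above describes (example code, not the team's or MIG's own; the JSON profile shape, the x86_64 syscall table and the Eval helper are assumptions), the following Go program builds a seccomp-bpf whitelist from a profile and simulates it, so a profile can be checked before prctl installs it:

```go
package main

import ("encoding/json"; "fmt")

// Profile is an assumed JSON shape for the whitelist profile (hypothetical, not MIG's format).
type Profile struct {
	Syscalls    []string `json:"syscalls"`     // syscall names the module may use
	OnViolation string   `json:"on_violation"` // "errno": fail with EPERM; otherwise kill
}
// Constructed x86_64 subset of the syscall name->number table.
var sysNum = map[string]uint32{"read": 0, "write": 1, "close": 3, "mmap": 9, "mprotect": 10,
	"rt_sigreturn": 15, "socket": 41, "clone": 56, "exit_group": 231, "openat": 257}
// Kernel constants: AUDIT_ARCH_X86_64, SECCOMP_RET_KILL, SECCOMP_RET_ALLOW, SECCOMP_RET_ERRNO|EPERM.
const auditArchX8664, retKill, retAllow, retEPERM = 0xC000003E, 0x00000000, 0x7fff0000, 0x00050001
const ldAbsW, jeqK, retK = 0x20, 0x15, 0x06 // classic BPF opcodes: ld [k], jeq #k, ret #k
// Insn matches struct sock_filter; prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &sock_fprog) installs a []Insn.
type Insn struct { Code uint16; Jt, Jf uint8; K uint32 }

// Build parses a JSON profile and emits a program that allows only the listed syscalls.
func Build(profile []byte) ([]Insn, error) {
	var p Profile
	if err := json.Unmarshal(profile, &p); err != nil { return nil, err }
	deny := uint32(retKill)
	if p.OnViolation == "errno" { deny = retEPERM } // module gets EPERM back instead of SIGSYS
	prog := []Insn{{ldAbsW, 0, 0, 4}, {jeqK, 1, 0, auditArchX8664}, {retK, 0, 0, retKill}, // arch check
		{ldAbsW, 0, 0, 0}} // A = seccomp_data.nr
	for i, name := range p.Syscalls {
		nr, ok := sysNum[name]
		if !ok { return nil, fmt.Errorf("profile lists unknown syscall %q", name) }
		prog = append(prog, Insn{jeqK, uint8(len(p.Syscalls) - i), 0, nr}) // match: jump over deny to allow
	}
	return append(prog, Insn{retK, 0, 0, deny}, Insn{retK, 0, 0, retAllow}), nil
}

// Eval runs prog as the kernel would for one (arch, nr) pair, to check a profile before installing it.
func Eval(prog []Insn, arch, nr uint32) uint32 {
	var a uint32
	for pc := 0; pc < len(prog); {
		switch in := prog[pc]; in.Code {
		case ldAbsW: // struct seccomp_data: offset 0 is nr, offset 4 is arch
			if in.K == 4 { a = arch } else { a = nr }
			pc++
		case jeqK:
			if a == in.K { pc += 1 + int(in.Jt) } else { pc += 1 + int(in.Jf) }
		case retK:
			return in.K
		}
	}
	return retKill // fell off the end: treat as deny
}
```

Installing with plain prctl filters only the calling thread, so runtime threads Go started earlier (the ones seen in the 6 October note) stay unfiltered unless the filter is applied with thread synchronisation.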
Status Update
- Teo: To provide an informal proposal regarding how the generic sandboxing API/functionality should look.
- Teo: To show the small diagram of integrating sandboxing into MIG.
- Alex: Present a "quick and dirty" whitelist sandbox implementation.
Meeting Agenda
- Status update
- Feedback on informal proposal (for generic functionality)
- Input regarding application failure in case of the unlikely situation when the profile is unsuitable or the application is malicious.
- Talk about meeting reschedule (maybe Tuesday, earlier).
27 October
Plan
- Alex to look into how we can return nice formatted errors from the module when the sandbox blocks a syscall.
- Teo to provide update on her open source publishing permission from Intel.
- Teo to provide a small diagram on runtime behavior of the sandboxing module.
- Teo to provide a class-like diagram for the sandboxing profile.
- Start constructing the sandboxing profile: parameters, arguments.
Status Update
- TODO
Meeting Agenda
- TODO