Isolating legacy applications with Lind

Matthews, Christopher James

27 March 2013

Legacy applications, often written in C, can be riddled with bugs. Sarcastically referred to as "veritable bug ranches", pre-existing legacy applications of substantial size and complexity are still commonplace. In this dissertation, I motivate, build and evaluate Lind, a sandbox for legacy applications. Lind decreases the impact of buggy programs on the system that runs them. It does this without changing their code or destroying the non-functional characteristics of the programs---such as performance, portability, light-weightedness and ease of deployment---which are the primary motivators for legacy software written in C. Lind borrows many principles of secure system design to help it isolate legacy applications so they cannot impact the rest of the system. To assess Lind, I evaluate how well legacy applications perform in Lind, how strong the isolation Lind provides is, and how easy it is to port applications to Lind---all to conclude that Lind is a viable proof-of-concept platform for legacy applications. / Graduate / 0984

Isolation

Sandboxing

Programming

Software bugs

Virtualization

A Survey of Existing Technologies to Build Next Generation Data Security.

Yekkuluri, Damodar Reddy

29 August 2019

No description available.

Computer Science

Systems Design

Data Security, Minifilters, Sandboxing,

Vyvažování zátěže v systémech pro vyhodnocování programátorských úloh / Load Balancing in Evaluation Systems for Programming Assignments

Buchar, Jan

January 2020

Systems for automated evaluation of assignments are a valuable aid for both teachers of programming courses and their students. The objective of this thesis is to examine the possibilities of deploying such systems in a large-scale distributed environment and the challenges of such endeavors. A sizable part of the requirements comes from experience with ReCodEx - an assignment evaluation system developed at the department of the supervisor. Modern server multi-core processors provide considerable computing power that can be used for assignment evaluation. However, parallel measurements can interfere with each other. This causes unstable results, which detriments the fairness of grading. Isolation (sandboxing) technologies can cause similar effects. We measure both of these influences and use the results to determine to what degree can multi-core processors be exploited. The problem of efficient distribution of work between multiple evaluation workers is complementary to that of utilizing multi-core machines. We survey scheduling algorithms and design an experiment to compare their performance. Additionally, we examine the possibility of leveraging container technologies to simplify the deployment of software required for evaluation. This leads to both a smaller administration overhead and a less complex...

Ransomware Detection Using Windows API Calls and Machine Learning

Karanam, Sanjula

31 May 2023

Ransomware is an ever-growing issue that has been affecting individuals and corporations since its inception, leading to losses of the order of billions each year. This research builds upon the existing body of research pertaining to ransomware detection for Windows-based platforms through behavioral analysis using sandboxing techniques and classification using machine learning (ML), considering the various predefined function calls, known as API (Application Programming Interface) calls, made by ransomware and benign samples as classifying features. The primary aim of this research is to study the effect of the frequency of API calls made by ransomware samples spanning across a large number of ransomware families exhibiting varied behavior, and benign samples on the classification accuracy of various ML algorithms. Conducting an experiment based on this, a quantitative analysis of the ML classification algorithms was performed, for the frequency of API calls based input and binary input based on the existence of an API call, resulting in the conclusion that considering the frequency of API calls marginally improves the ransomware recall rate. The secondary research question posed by this research aims to justify the ML classification of ransomware by conducting behavioral analysis of ransomware and goodware in the context of the API calls that had a major effect on the classification of ransomware. This research was able to provide meaningful insights into the runtime behavior of ransomware and goodware, and how such behavior including API calls and their frequencies were in line with the MLbased classification of ransomware. / Master of Science / Ransomware is an ever-growing issue that has been affecting individuals and corporations since its inception, leading to losses of the order of billions each year. It infects a user machine, encrypts user files or locks the user out of their machine, or both, demanding ransom in exchange for decrypting or unlocking user data. Analyzing ransomware either statically or behaviorally is a prerequisite for building detection and countering mechanisms. Behavioral analysis of ransomware is the basis for this research, wherein ransomware is analyzed by executing it on a safe sandboxed environment such as a virtual machine to avoid infecting a real-user machine, and its runtime characteristics are extracted for analysis. Among these characteristics, the various predefined function calls, known as API (Application Programming Interface) calls, made to the system by ransomware will serve as the basis for the classification of ransomware and benign software. After analyzing ransomware samples across various families, and benign samples in a sandboxed environment, and considering API calls as features, the curated dataset was fed to a set of ML algorithms that have the capability to extract useful information from the dataset to take classification decisions without human intervention. The research will consider the importance of the frequency of API calls on the classification accuracy and also state the most important APIs for classification along with their potential use in the context of ransomware and goodware to justify ML classification. Zero-Day detection, which refers to testing the accuracy of trained ML models on unknown ransomware samples and families was also performed.

Ransomware Detection

Behavioral Analysis

Windows OS

API Calls

API Call Frequency

Machine Learning

Sandboxing

Feature Importance

Intra-process Fault Isolation Using WebAssembly / Felisolering inom process med hjälp av WebAssembly

Mårtensson Tolentino, Kevin

January 2024

Software Fault Isolation (SFI) is a form of software sandboxing that refers to the technique of isolating faults such as failures and vulnerabilities to a specific area in a software system. Together with other software sandboxing techniques, SFI remains a widely used practice in many types of software, ranging from web browsers to cloud infrastructure. Therefore, there are often different requirements on throughput, latency, and resource usage that have to be met. To this end, we have evaluated the usage of WebAssembly, a virtual instruction set architecture which has a design that makes it a suitable compilation target for enforcing SFI. Our findings show that WebAssembly compared to native x86-64 code performs favorably on memory-intensive workloads, but poorly on numerically intensive workloads. However, its main strength was found to be in communication between the host environment and the sandboxed environment. We found that communication across the sandbox boundary using WebAssembly-based sandboxing was up to several orders of magnitude faster than inter-process communication methods commonly used in process-based sandboxing. Additionally, we discuss the security model of WebAssembly and how it compares to other sandboxing methods.

fault isolation

WebAssembly

intra-process

software sandboxing

Computer Sciences

Datavetenskap (datalogi)

Platforma pro virtualizaci komunikační infrastruktury / Communication infrastructure virtualization platform

Stodůlka, Tomáš

January 2020

The thesis deals with selection of infrastructure virtualization platform focusing on containerization with sandboxing support and with following examination of its difculty. The work begins with an explanation of the basic technologies such as: virtualization, cloud computing and containerization, along with their representatives, that mediate the technology. A special scope is defned for cloud computing platforms: Kubernetes, OpenStack and OpenShift. Futhermore, the most suitable platform is selected and deployed using own technique so that it fullflls all the conditions specifed by thesis supervisor. Within the difculty testing of the selected platform, there are created scripts (mainly in the Bash language) for scanning system load, creating scenarios, stress testing and automation.

Intégration de l’utilisateur au contrôle d’accès : du processus cloisonné à l’interface homme-machine de confiance / Involving the end user in access control : from confined processes to trusted human-computer interface

Salaün, Mickaël

02 March 2018

Cette thèse souhaite fournir des outils pour qu’un utilisateur puisse contribuer activement à la sécurité de son usage d’un système informatique. Les activités de sensibilités différentes d’un utilisateur nécessitent tout d’abord d’être cloisonnées dans des domaines dédiés, par un contrôle d’accès s’ajustant aux besoins de l’utilisateur. Afin de conserver ce cloisonnement, celui-ci doit être en mesure d’identifier de manière fiable les domaines avec lesquels il interagit, à partir de l’interface de sa machine. Dans une première partie, nous proposons un nouveau mécanisme de cloisonnement qui peut s’adapter de manière transparente aux changements d’activité de l’utilisateur, sans altérer le fonctionnement des contrôles d’accès existants, ni dégrader la sécurité du système. Nous en décrivons une première implémentation, nommée StemJail, basée sur les espaces de noms de Linux. Nous améliorons ce cloisonnement en proposant un nouveau module de sécurité Linux, baptisé Landlock, utilisable sans nécessiter de privilèges. Dans un second temps, nous identifions et modélisons les propriétés de sécurité d’une interface homme-machine (IHM) nécessaires à la compréhension fiable et sûre du système par l’utilisateur. En particulier, il s’agit d’établir un lien entre les entités avec lesquelles l’utilisateur pense communiquer, et celles avec lesquelles il communique vraiment. Cette modélisation permet d’évaluer l’impact de la compromission de certains composants d’IHM et d’aider à l’évaluation d’une architecture donnée. / This thesis aims to provide end users with tools enhancing the security of the system they use. First, user activities of different sensitivities require to be confined in dedicated domains by an access control fitting the user’s needs. Next, in order to maintain this confinement, users must be able to reliably identify the domains they interact with, from their machine’s interface. In the first part, we present a new confinement mechanism that seamlessly adapts to user activity changes, without altering the behavior of existing access controls nor degrading the security of the system. We also describe a first implementation named StemJail, based on Linux namespaces. We improve this confinement tool by creating a new Linux security module named Landlock which can be used without requiring privileges. In a second step, we identify and model the security properties a human-computer interface (HCI) requires for the reliable and secure understanding of the system by the user. Precisely, the goal is to establish a link between the entities with which the users think they communicate, and those with which they actually communicate. This model enables to evaluate the impact of HCI components jeopardization and helps assessing a given architecture.

Sécurité

Système d’exploitation

Contrôle d’accès

Activité utilisateur

Cloisonnement

Interface homme-machine (IHM)

Serveur d’affichage

Chemin de confiance

Security

Operating system

Access control

User activity

Confinement

Sandboxing

Human-computer interface (HCI)

Display server

Trusted path