M. Alexander, Helen J. Wang, Yunxin Liu (Microsoft Research). Presented by Zhaoliang Duan.
Outline: Introduction; Design goal and contribution; Defining principals; Enforcing principal definitions; Implementation; Evaluation; Conclusion and future work
A sandbox runs programs in an isolated space, which prevents them from making permanent changes to other programs and data on the computer.
Image source (via Google Images): http://www.sandboxie.com/
• It is not enough!
• Example: mutually distrusting content
• Having each application handle content protection has drawbacks
Content isolation done by the application is not good!
• Security of a user's cloud data is duplicated and entrusted to all of the user's applications
• Security logic in applications is often mixed with error-prone content processing logic
Design goal and contribution
Contribution:
• Flexible isolation
• Compatibility with the browser's isolation policy
• Advocate a content-based principal model in which the OS treats content owners as its principals and isolates content of different owners from one another
• Generalize the content-based principal model from web browsers to all applications
• Easy adaptation of traditional applications
• No sharing across principals or isolation containers
Defining principals
Principal labeling:
• Separate content ownership
• Trust list mechanism
Example page: http://blog.com/alice/index.html
Trust list = http://blog.com/alice/*
Other content referenced by the page, outside the trust list: http://youtube.com, http://blog.com/
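A simplified model of the IsSamePrincipal check (owner public key plus trust list) and of the same-principal versus cross-principal fetch decision, written here as an added example rather than code from the ServiceOS paper or these slides. It assumes the owner's public key can be stood in for by an opaque string label, that a trust list is a set of URL patterns with an optional trailing wildcard, and that fetched content joins the embedder's principal only when both the owner and a trust-list entry match.

```python
# Added example, not code from the ServiceOS paper or slides: a simplified
# IsSamePrincipal check and the same-/cross-principal fetch decision.
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Principal:
    # Assumption: the owner's public key is modelled as an opaque string label.
    owner_key: str
    # Trust list: URL patterns the owner treats as part of its own principal;
    # only a trailing '*' wildcard is supported here (constructed simplification).
    trust_list: tuple = ()


def normalize(url: str) -> str:
    """Lower-case scheme and host, default an empty path to '/'."""
    parts = urlsplit(url)
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path or '/'}"


def matches_pattern(url: str, pattern: str) -> bool:
    """Match a normalised URL against one trust-list entry."""
    if pattern.endswith("*"):
        return normalize(url).startswith(normalize(pattern[:-1]))
    return normalize(url) == normalize(pattern)


def is_same_principal(embedder: Principal, url: str, url_owner_key: str) -> bool:
    """Content joins the embedder's principal only if the owner matches AND the
    URL is covered by the trust list; same owner outside the list is separate."""
    if url_owner_key != embedder.owner_key:
        return False
    return any(matches_pattern(url, p) for p in embedder.trust_list)


def resolve_fetch(embedder: Principal, url: str, url_owner_key: str,
                  url_trust_list: tuple = ()) -> Principal:
    """Same-principal fetch: load into the embedder's container. Cross-principal
    fetch: spawn a new principal (own container); only data communication is allowed."""
    if is_same_principal(embedder, url, url_owner_key):
        return embedder
    return Principal(url_owner_key, tuple(url_trust_list))


if __name__ == "__main__":
    alice = Principal("alice-key", ("http://blog.com/alice/*",))
    for url, owner in [("http://blog.com/alice/index.html", "alice-key"),
                       ("http://youtube.com", "youtube-key"),
                       ("http://blog.com/", "blog-key")]:
        kind = "same" if resolve_fetch(alice, url, owner) is alice else "cross"
        print(f"{url}: {kind}-principal")
```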
Enforcing principal definitions
Same-principal fetching: check with the IsSamePrincipal algorithm
• Owner public key
• Trust list
Cross-principal fetching: data communication; spawning a new principal
A bit lives in the response.
A bit lives in the request.
Implementation
Wrapping operation: the WinINet library used for HTTP communication is wrapped so that its HTTP calls are remapped to invoke the ServiceOS fetch call
Applications with a plug-in interface: write add-in code implementing the CreatePI() and Embed() functions
Applications without a plug-in interface: modify the UI code to make room for embedded content
Adaptation onto ServiceOS is feasible.
Evaluation
Content processing errors are widespread.
ServiceOS does not rely on large applications to enforce remote content security.
Test case 1: uses an RTF header stack overflow vulnerability to construct a malicious document
Test case 2: a malicious document that uses macros to perform the same attack
Application-based isolation would not be able to stop these two exploits, but ServiceOS stopped both.
Startup latencies:
• Compared with the startup time of the applications' native versions on Windows
Overheads on memory usage:
• Drawbridge
• Loading Excel's add-in libraries
Performance of content fetch APIs:
• Overhead increase as a function of document size
Result 1: In all tests ServiceOS adds less than 200 ms to connect to the monitor and initialize
Result 1: Both applications carry a very small memory overhead
Result 2: No significant penalty for opening documents from the same owner, but documents from different owners carry a sizable memory overhead
Result 1: ServiceOS introduces some latency for passing content to renderers
Result 2: The overhead is amortized for larger document sizes
Conclusion and future work
Generalize web browsers' same-origin policy into an isolation policy suitable for all applications
Advocate a content-based principal model that minimizes the impact of any content, including malicious content
Built a substantial prototype system and adapted a number of real-world applications to it
It needs plug-in code to be modified or added for each application
How to partition the system into other meaningful pieces, and how to set permissions for each piece
In a contemporary OS, a simple bug in any of the kernel components allows the isolation mechanisms to be bypassed