Security Threat Analysis: Interview With Dino A. Dai Zovi

More On Sandboxing

Alan: So things like “sandboxing” are designed to prevent unforeseen vulnerabilities from being transformed into large exploits.

Dino: Yes, as the name suggests, “sandboxing” is meant to contain the spill in the event of a compromise. Sandboxes don’t actually prevent exploits, however. They more prevent those exploits from taking other actions on the system. For example, Google’s Chrome has a very restrictive sandbox for Web rendering processes. And while this won’t prevent an exploit from executing arbitrary code, it will prevent that executing code from harming your system.

Alan: You've really been able to adapt your knowledge from the PowerPC era to the Intel-Mac era. With the upcoming Snow Leopard, Apple will be implementing features such as ASLR, code signing for kernel extensions, full NX bit support, and sandboxing for many of the main applications. These are all features currently supported by Vista. How is this going to help secure the Mac? How does "sandboxing" really work when Chrome's first exploit allowed remote applications to be launched from Java, and IE8 was recently exploited at this year's CanSecWest?

Dino: I haven't looked at Snow Leopard yet due to the pre-release NDA, but I am glad to hear that they will be implementing those features.  

Alan: You know actually, as you were saying that, I just realized that I don’t think it’s actually 100% confirmed yet. It’s really just the blogosphere right now. But let’s assume that this is what Snow Leopard will add. How is that going to change things?

Dino: I hope their implementations are sound and I will definitely be buying and installing Snow Leopard on all of my systems from Day One. All of these security features hamper attacks at multiple stages. ASLR and NX make it much more difficult for an exploit to inject or re-purpose code in an application. The sandboxing limits the actions that an application can perform so that even if it does begin running attacker-supplied code, the actions that the attacker may perform will be constrained. Finally, kernel extension code signing prevents attackers from installing new software into the core of the operating system. Attackers often install rootkits into the kernel in order to conceal their attacks and maintain access to compromised systems.

There is a difference between operating system-level and browser-level sandboxing. Chrome is the only Web browser to implement browser-based sandboxing. This is a highly smart move on their part and the main reason that Chrome was not compromised at Pwn2Own this year. The limitation of Chrome's sandbox model, however, is that it cannot sandbox Web browser plugins such as Flash and Java. These plugins need full access to the system, so the sandboxing system used for Web content renderers cannot be used. The Web content rendering processes are highly limited and cannot touch the file system at all. Breaking out of the Chrome renderer process sandbox would be an impressive feat in itself.

  • cruiseoveride
    Wonder why he didn't mention SELinux
  • mrubermonkey
    If it were so easy to "take down the Internet" I am sure Iran or China would have done it by now, but the vagueness of his last answer does add to the mystique of his image.
  • AlanDang
    Not really -- the black hats make money off the Internet -- it doesn't help them. By definition though, the risk is always about "taking down" a few IXP's or the +1 nodes.
  • "Selectively granting privileges to enhanced functionality to Web sites is an area where most Web browsers can improve".

    They may not be core functions but everyone I know who is concerned with security on the Internet uses Firefox with the add-ins Noscript & Flashblock.
  • vaskodogama
    mrubermonkey: "If it were so easy to "take down the Internet" I am sure Iran or China would have done it by now, but the vagueness of his last answer does add to the mystique of his image."

    I am from Iran. All the Iranian Government can do is block porn and politics web sites! :D
  • pcworm
    I'm also from Iran, come on, we still connect using bloody dial up, you guys can't be serious! Although due to the "no copyright" law we can buy Windows, Mathlab, VS 2008 Team System, Office 2007 and a lot more for less than a dollar each... :-) You don't need broadband here because piracy is official.
  • Gutbop
    Dino: I'm a die-hard Unix user and Mac OS X is the most convenient and functional Unix-based operating system that I have ever used. I can code in a traditional Unix environment, watch a DVD, and use Microsoft Office all on the same system. The system JUST WORKS and lets me get my job done.

    Ahahahaha. Really!? Are you kidding me? Did Apple pay you to say that?
  • I am a Mac user as well. I also use many versions of Windows and Linux in VM. I am not a security expert or anything, but why is everyone hung up on someone taking down the internet? Hackers use the net to make money or prove a point. I don't think they are going to shut the net down and hold it hostage; who would be forking over the money anyway? And if they did it to prove a point, how would they ever get recognition for the task when all communication stops?