CS 161 Computer Security
Fall 2005 Joseph/Tygar/Vazirani/Wagner
Notes 30

1 Isolation

The topic for today is isolation. A program is isolated if it cannot affect other programs on the system. Thus, isolation refers to an inability to causally influence other programs on the system.

Isolation is related to some topics we have seen before, such as access control. One difference is that access control is a mechanism for enforcing some security policy (a means to an end), whereas isolation is a security goal (the end itself).

Isolation is also related to previous lectures on virtual memory and memory protection. The difference is that virtual memory seeks to provide only memory isolation between processes (each process receives a disjoint address space and cannot affect other processes through memory reads and writes). Memory protection does not prevent other kinds of influence, such as opening an IPC connection from one process to another. When we want to isolate a process, we want to isolate against all influences, so memory protection alone is not enough.

What are the applications of isolation? Here are a few.

• I run across a cool piece of software that will draw dancing pigs on the screen, and I want to download it and try it, but I don't know whether I can trust the developer. It would be great to be able to run it in an isolated environment, where it cannot harm the rest of my machine even if it contains malicious code or bugs. This is often known as the sandboxing problem. We want to give the downloaded software its own little sandbox where it can do whatever it wants, as long as it doesn't escape the sandbox. If it tries to do anything disruptive, the effect will be limited to its sandbox, so the worst that can happen is it will disrupt itself.

• I want to display a MS Word file that someone emailed me, but I don't want it to be able to infect my machine with a macro virus. It would be great if I could run a sandboxed instance of MS Word to view just this document, with no fear that it will trash my other Word documents.

• I'm designing a complicated software application. Following the principle of least privilege, I want to decompose the application into multiple pieces. Each piece should be isolated from the others, so that if one piece is penetrated, the integrity of the others will be preserved.

Soon I will start to show you a number of different ways to try to enforce a policy of isolation, but first let's explore the software decomposition issue a bit more to understand some of the requirements.

2 Decomposing Software for Security

I've talked before about the relevance of modularity to application security, but let me now show you how to select a decomposition of your system into modules that will be helpful for security....
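The point made in Section 1, that separate address spaces do not stop one process from influencing another over IPC, shown as an added example that is not part of the original notes. The `balance` variable, the `run_child` helper and the "transfer-all" message are constructed for illustration, and a pipe stands in for the IPC connection.

```c
/* Added example: memory isolation holds across fork(), yet the child still
 * influences the parent through an IPC channel (a pipe). */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

static int balance = 100;   /* lives in each process's own address space */

/* Runs an "untrusted" child. Returns 0 on success, -1 on error.
 * *seen_balance: the parent's copy of balance after the child ran.
 * msg: the bytes the child pushed to the parent over the pipe. */
int run_child(int *seen_balance, char *msg, size_t msglen)
{
    int fds[2];
    if (msglen == 0 || pipe(fds) < 0) return -1;

    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }

    if (pid == 0) {                       /* child */
        close(fds[0]);
        balance = 0;                      /* changes only the child's copy */
        const char *cmd = "transfer-all"; /* constructed sample message */
        ssize_t w = write(fds[1], cmd, strlen(cmd));
        _exit(w < 0 ? 1 : 0);
    }

    close(fds[1]);                        /* parent */
    ssize_t n = read(fds[0], msg, msglen - 1);
    close(fds[0]);
    waitpid(pid, NULL, 0);
    if (n < 0) return -1;
    msg[n] = '\0';
    *seen_balance = balance;              /* unchanged: memory was isolated */
    return 0;
}

int main(void)
{
    int b; char msg[64];
    if (run_child(&b, msg, sizeof msg) != 0) return 1;
    printf("parent balance=%d, child said \"%s\"\n", b, msg);
    return 0;
}
```

The parent's `balance` is untouched by the child's write, but the message still arrives: whatever the parent does with that input is influence that memory protection never mediated.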
This note was uploaded on 01/29/2008 for the course CS 194 taught by Professor Joseph during the Fall '05 term at University of California, Berkeley.