Playing in the Digital Sandbox: Balancing System Trust
On a daily basis, most people using desktop operating systems consume resources and ‘rich content’ from unknown sources on the Internet, typically via technologies ‘under the hood’ of our Web browsers. These include Java, browser plugins like Adobe Flash, PDF readers, HTML5 and others. All are meant to create a rich and seamless user experience. Consider some scenarios that a user might expect to experience while browsing the Web.
When a browser plugin wants to create or access a file, wouldn’t it be great if it could do it automatically without user interaction? If a Java applet could open during a general browsing session and change OS settings to help fix a user’s problem automatically, wouldn’t that be a positive thing? If a PDF file could simultaneously execute code that corresponds to the content of the file, wouldn’t that be handy and increase user productivity?
On the surface, each scenario sounds like a great idea. Allowing these technologies unrestricted access to a computer’s resources seems like common sense, but every one of these scenarios assumes that you trust both the source of the content and the content itself. Do you trust the PDF file you are opening? Are you sure the Java applet that just launched didn’t come from a malicious advertisement on your favorite news website?
Malicious use of these technologies happens every day. Coupled with social engineering and compromised websites (often through their advertising networks), malicious code is delivered to its target. The technology companies behind the tools we use every day have reacted to these threats by taking the opposite approach: rather than granting unrestricted access to system resources, they now treat content arriving from the Web as untrusted by default.
Sandboxing is one such approach, and it shows how the notion of trust in system resources has changed. PDF readers sandbox content so that code executed from within a file is severely restricted in what it can do. Java applets, in addition to code signing, also run in a sandbox that limits the damage a malicious applet can inflict. A malicious payload in a PDF file or Java applet now faces barriers and cannot simply reach out and touch its target on your PC.
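To make the idea concrete, here is an added example (not code from the article, and not any vendor’s sandbox) of the kind of kernel-enforced barrier such sandboxes rest on: a Linux seccomp-bpf filter. An untrusted “payload” runs in a forked child and tries to drop a file the way a malicious document payload would. With the filter installed, the kernel refuses the open-family syscalls with EPERM; without it, the file is created. The file path, the `run_payload_in_child` function and the result codes are this example’s own choices; it needs Linux on x86_64 or aarch64 and no special privileges.

```c
/* Added example: a minimal seccomp-bpf sandbox. Not code from the article. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
#define SANDBOX_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SANDBOX_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* Outcome of the payload, passed back to the parent as the child's exit status. */
enum sandbox_result {
    SANDBOX_BLOCKED = 0,        /* open() failed with EPERM: the sandbox held  */
    SANDBOX_ESCAPED = 1,        /* the file was created: the policy has a hole */
    SANDBOX_INSTALL_FAILED = 2, /* the kernel refused the filter               */
    SANDBOX_OTHER_ERROR = 3     /* open() failed for an unrelated reason       */
};

/* Build and install a filter: wrong architecture -> kill, open-family
 * syscalls -> EPERM, everything else -> allow. Production sandboxes use a
 * default-deny allowlist; default-allow keeps this example readable. */
static int install_no_file_open_filter(void)
{
    const unsigned int denied[] = {
        SYS_openat,
#ifdef SYS_open
        SYS_open,
#endif
#ifdef SYS_creat
        SYS_creat,
#endif
    };
    const unsigned int ndenied = sizeof denied / sizeof denied[0];
    struct sock_filter filter[4 + sizeof denied / sizeof denied[0] + 2];
    unsigned int n = 0;

    /* Syscall numbers differ per architecture, so refuse a foreign one outright. */
    filter[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                               offsetof(struct seccomp_data, arch));
    filter[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SANDBOX_ARCH, 1, 0);
    filter[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    filter[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                               offsetof(struct seccomp_data, nr));
    /* Each match jumps over the remaining checks and the ALLOW to the EPERM return. */
    for (unsigned int i = 0; i < ndenied; i++)
        filter[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                                   denied[i], (__u8)(ndenied - i), 0);
    filter[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    filter[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K,
                                               SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA));

    struct sock_fprog prog = { .len = (unsigned short)n, .filter = filter };
    /* NO_NEW_PRIVS is what lets an unprivileged process install a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* The "untrusted payload": try to drop a file, as a malicious document would. */
static int run_untrusted_payload(const char *path, int sandboxed)
{
    if (sandboxed && install_no_file_open_filter() != 0)
        return SANDBOX_INSTALL_FAILED;
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd >= 0) {
        close(fd);
        return SANDBOX_ESCAPED;
    }
    return errno == EPERM ? SANDBOX_BLOCKED : SANDBOX_OTHER_ERROR;
}

/* Run the payload in a child so the filter never reaches the caller; return its
 * sandbox_result, or -1 if the child was killed (e.g. by SECCOMP_RET_KILL). */
int run_payload_in_child(const char *path, int sandboxed)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(run_untrusted_payload(path, sandboxed));
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    const char *path = "/tmp/sandbox-demo-dropped.bin"; /* constructed example path */
    int with = run_payload_in_child(path, 1);
    int without = run_payload_in_child(path, 0);
    unlink(path);
    printf("sandboxed payload:   %s\n", with == SANDBOX_BLOCKED ? "blocked (EPERM)" : "NOT blocked");
    printf("unsandboxed payload: %s\n", without == SANDBOX_ESCAPED ? "file created" : "failed");
    return with == SANDBOX_BLOCKED ? 0 : 1;
}
```

Two design points carry over to real sandboxes: the filter is installed by the process that will be confined, and it cannot be removed afterwards, so the broker/parent must set up everything the child will legitimately need before the policy goes live; and the default-allow policy here is exactly the kind of shortcut a bypass exploits, since any syscall not on the deny list (a rename, a link, a different way to reach the filesystem) is still available to the payload.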
So, is the problem solved? A quick scan of security conference proceedings shows how researchers have bypassed the sandbox features of Java, browser plugins and PDF readers. The browsers themselves have stopped trusting Java and plugins, and now include sandboxing of their own; these browser sandboxes have been compromised as well. Security contests such as Pwnium and Pwn2Own regularly demonstrate flaws in browser sandbox security.
There are reasons for this. The underlying desktop OS was engineered before security became a focus. Seamless user experiences and open, trusting resource allocation were the trademark of desktop operating systems. Process memory hooking, now widely known as a key technique of malware such as the Zeus banking trojan, was originally engineered into desktop operating systems to enable richer, more seamless user experiences. Even though applications now ship with sandboxing technologies of their own, an application sandbox can only be as strong as the operating system primitives that enforce it, and the underlying OS has many flaws that let malicious code bypass the application sandbox.
The bad guys have a technology pipeline much like a legitimate software company’s. There are entire crops of ‘zero-day’ exploits against every Web browsing technology, just waiting to achieve their goal: bypass the security mechanisms of your browsing tools and execute malicious code on your PC.