    The RAppArmor Package: Enforcing Security Policies in R Using Dynamic Sandboxing on Linux

    The increasing availability of cloud computing and scientific supercomputers brings great potential for making R accessible through public or shared resources. This allows us to efficiently run code requiring lots of cycles and memory, or to embed R functionality into, e.g., systems and web services. However, some important security concerns need to be addressed before this can be put into production. The prime use case in the design of R has always been a single statistician running R on the local machine through the interactive console. Therefore the execution environment of R is entirely unrestricted, which could result in malicious behavior or excessive use of hardware resources in a shared environment. Properly securing an R process turns out to be a complex problem. We describe various approaches and illustrate potential issues using some of our personal experiences in hosting public web services. Finally, we introduce the RAppArmor package: a Linux-based reference implementation for dynamic sandboxing in R at the level of the operating system.

    Graphical Security Sandbox For Linux Systems

    It has become extremely difficult to distinguish a benign application from a malicious one as the number of untrusted applications on the Internet increases rapidly every year. In this project, we develop a lightweight application confinement mechanism for Linux systems in order to help most users increase their confidence in the various applications that they stumble upon and use on a daily basis. The developed sandboxing facility monitors a targeted application's activity and imposes restrictions on its access to operating system resources during its execution. Using a simple but expressive policy language, users are able to create security policies. During the course of the traced application's execution, the sandboxing facility makes execution decisions according to the specified security policy and terminates the traced application if necessary. In the case of an activity that is not covered by the policy, the facility asks for user input through a user interface that presents the activity in a simple, human-readable format, and uses that input both to make execution decisions and to improve the security policy. Our ultimate goal is to create a facility such that even casual users with minimal technical knowledge can use the tool without being overwhelmed by it. We base our tool on system call interposition, which has been a popular research area over the past fifteen years. The developed sandboxing facility offers a user-friendly, easy-to-use interface. It monitors the given application and detects activities that might possibly be system intrusions. Moreover, the tool offers logging and auditing mechanisms for post-execution analysis. We present our evaluation of the tool in terms of performance and the overhead it generates when confining applications. We conclude that the developed system is successful in detecting abnormal application activity according to the specified security policies. It was found that the tool adds significant overhead to the target applications. However, this overhead does not pose usability issues, as our target domain is personal use cases with small applications.

    Online advertising: analysis of privacy threats and protection approaches

    Online advertising, the pillar of the "free" content on the Web, has revolutionized the marketing business in recent years by creating a myriad of new opportunities for advertisers to reach potential customers. The current advertising model builds upon an intricate infrastructure composed of a variety of intermediary entities and technologies whose main aim is to deliver personalized ads. For this purpose, a wealth of user data is collected, aggregated, processed and traded behind the scenes at an unprecedented rate. Despite the enormous value of online advertising, however, the intrusiveness and ubiquity of these practices prompt serious privacy concerns. This article surveys the online advertising infrastructure and its supporting technologies, and presents a thorough overview of the underlying privacy risks and the solutions that may mitigate them. We first analyze the threats and potential privacy attackers in this scenario of online advertising. In particular, we examine the main components of the advertising infrastructure in terms of tracking capabilities, data collection, aggregation level and privacy risk, and overview the tracking and data-sharing technologies employed by these components. Then, we conduct a comprehensive survey of the most relevant privacy mechanisms, and classify and compare them on the basis of their privacy guarantees and impact on the Web.
    Peer reviewed. Postprint (author's final draft).

    Retrofitting privacy controls to stock Android

    Android is the most popular operating system for mobile devices, making it a prime target for attackers. To counter these, Android's security concept uses app isolation and access control to critical system resources. However, Android gives users only limited options to restrict app permissions according to their privacy preferences, but instead lets developers dictate the permissions users must grant. Moreover, Android's security model is not designed to be customizable by third-party developers, forcing users to rely on device manufacturers to address their privacy concerns. This thesis presents a line of work that retrofits comprehensive privacy controls to the Android OS to put the user back in charge of their device. It focuses on developing techniques that can be deployed to stock Android devices without firmware modifications or root privileges. The first part of this dissertation establishes fundamental policy enforcement on third-party apps using inlined reference monitors to enhance Android's permission system. This approach is then refined by introducing a novel technique for dynamic method hook injection on Android's Java VM. Finally, we present a system that leverages process-based privilege separation to provide a virtualized application environment that supports the enforcement of complex security policies. A systematic evaluation of our approach demonstrates its practical applicability, and over one million downloads of our solution confirm user demand for privacy-enhancing tools.

    Windows security sandbox framework

    Software systems are vulnerable to attack in many different ways. Systems can be poorly implemented, which could allow an attacker access to the system through legitimate means such as anonymous access to a server; or security controls and access lists can be configured incorrectly, which would allow an attacker access to the system by exploiting a logic flaw in the system's configuration. These security vulnerabilities can be limited by implementing software systems properly or in a more restrictive manner. Sandboxing an application allows for interception of a process's system calls for verification against a defined policy. A system call can be allowed or denied based on the function being called, or can have its parameters analyzed and verified against a defined policy. This paper presents a sandboxing framework for Microsoft Windows operating systems. The framework is written entirely in Python and uses a modular design which allows for small and simple policies. Profiles can exist for processes which automatically load user policies for a sandbox process.

    VXA: A Virtual Architecture for Durable Compressed Archives

    Data compression algorithms change frequently, and obsolete decoders do not always run on new hardware and operating systems, threatening the long-term usability of content archived using those algorithms. Re-encoding content into new formats is cumbersome, and highly undesirable when lossy compression is involved. Processor architectures, in contrast, have remained comparatively stable over recent decades. VXA, an archival storage system designed around this observation, archives executable decoders along with the encoded content it stores. VXA decoders run in a specialized virtual machine that implements an OS-independent execution environment based on the standard x86 architecture. The VXA virtual machine strictly limits access to host system services, making decoders safe to run even if an archive contains malicious code. VXA's adoption of a "native" processor architecture instead of type-safe language technology allows reuse of existing "hand-optimized" decoders in C and assembly language, and permits decoders access to performance-enhancing architecture features such as vector processing instructions. The performance cost of VXA's virtualization is typically less than 15% compared with the same decoders running natively. The storage cost of archived decoders, typically 30-130KB each, can be amortized across many archived files sharing the same compression method.
    Comment: 14 pages, 7 figures, 2 tables.