Research Article

Sandboxing in Linux: From Smartphone to Cloud

by Imamjafar Borate, R. K. Chavan
International Journal of Computer Applications
Foundation of Computer Science (FCS), NY, USA
Volume 148 - Number 8
Year of Publication: 2016
DOI: 10.5120/ijca2016911256

Imamjafar Borate, R. K. Chavan. Sandboxing in Linux: From Smartphone to Cloud. International Journal of Computer Applications. 148, 8 (Aug 2016), 1-8. DOI=10.5120/ijca2016911256

@article{ 10.5120/ijca2016911256,
author = { Imamjafar Borate, R. K. Chavan },
title = { Sandboxing in Linux: From Smartphone to Cloud },
journal = { International Journal of Computer Applications },
issue_date = { Aug 2016 },
volume = { 148 },
number = { 8 },
month = { Aug },
year = { 2016 },
issn = { 0975-8887 },
pages = { 1-8 },
numpages = {9},
url = { https://ijcaonline.org/archives/volume148/number8/25774-2016911256/ },
doi = { 10.5120/ijca2016911256 },
publisher = {Foundation of Computer Science (FCS), NY, USA},
address = {New York, USA}
}
%0 Journal Article
%1 2024-02-06T23:52:46.495448+05:30
%A Imamjafar Borate
%A R. K. Chavan
%T Sandboxing in Linux: From Smartphone to Cloud
%J International Journal of Computer Applications
%@ 0975-8887
%V 148
%N 8
%P 1-8
%D 2016
%I Foundation of Computer Science (FCS), NY, USA
Abstract

In today’s internet world, malicious and malfunctioning content from the internet is a regular problem for host systems such as smartphones, desktops, and clouds. Almost all underlying operating systems provide security against most threats. However, we need to add some extra defense to our systems. Sandboxing is an important security technique that lets programs run in their own isolated environment. A sandbox is a tightly controlled environment where programs run. It gives programs access to a tightly controlled set of resources, such as memory, scratch space on the disk, network access, and input devices. A program running in the sandbox has just as many permissions as it needs, without additional permissions that could be misused. A sandbox restricts a program from accessing resources outside the sandbox and prevents malicious or malfunctioning programs from accessing the rest of the system. Nowadays, most mobile operating systems, desktop applications such as web browsers, browser plugins and document viewers, and cloud computing systems use a sandboxing mechanism to run applications. To implement the sandboxing mechanism, software vendors rely on the security features of the underlying operating system. There are different ways and approaches that can be used to implement sandbox mechanisms. This paper highlights the Linux security features such as Chroot, Cgroups, Capabilities, SCI, Namespaces, Seccomp, Resource Limit, LSMs such as SELinux, Virtualization and grsecurity that can be used in the implementation of the sandboxing mechanism.

Index Terms

Computer Science
Information Sciences

Keywords

Chroot, Namespace, Cgroups, Seccomp, Capabilities