pith. sign in

arxiv: 1905.08192 · v1 · pith:QTV5I3P4new · submitted 2019-05-20 · 💻 cs.CR · cs.OS· cs.SE

Secure Extensibility for System State Extraction via Plugin Sandboxing

classification 💻 cs.CR cs.OScs.SE
keywords guestpluginsdatainsidesoftwaresystemscollectiondirectly
0
0 comments X
read the original abstract

We introduce a new mechanism to securely extend systems data collection software with potentially untrusted third-party code. Unlike existing tools which run extension modules or plugins directly inside the monitored endpoint (the guest), we run plugins inside a specially crafted sandbox, so as to protect the guest as well as the software core. To get the right mix of accessibility and constraints required for systems data extraction, we create our sandbox by combining multiple features exported by an unmodified kernel. We have tested its applicability by successfully sandboxing plugins of an opensourced data collection software for containerized guest systems. We have also verified its security posture in terms of successful containment of several exploits, which would have otherwise directly impacted a guest, if shipped inside third-party plugins.

This paper has not been read by Pith yet.

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.