Isolation Levels
- Monolithic
- Multi-process: Linux namespaces, Chromium's process-level sandboxing architecture
  - mount namespace: private view of the filesystem
  - network namespace: separate interfaces, routing tables and sockets
  - user namespace: UID/GID isolation
  - UTS namespace: hostname isolation
  - PID namespace: separate process-ID number space
  - IPC namespace: System V IPC objects and POSIX message queues
- Site isolation: each site is rendered in its own process; this is the granularity Chromium uses by default
- Origin isolation: finer-grained, one process per origin (scheme, host and port)
Process-level Confinement
A process interacts with the outside world via files, system calls and shared memory; each of these is a channel the sandbox has to mediate.
For system calls:
Modern sandboxes heavily restrict the permitted system calls with a kernel-level filtering mechanism, seccomp (seccomp-bpf) on Linux, which is used by Chromium, Google Native Client and Docker containers.
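As an added example (not from these notes and not the sandbox code of Chromium, NaCl or Docker), the program below installs a seccomp-bpf allow-list in a forked child and reports how the child ended. The allow-list, the helper names and the exit-code convention are my own choices for illustration; it needs Linux on x86-64 or aarch64.

```c
/* Added example, not from the original notes: a minimal seccomp-bpf
 * allow-list installed in a forked child, the kernel mechanism Chromium,
 * NaCl and Docker rely on. Linux only (x86-64 / aarch64). */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stddef.h>
#include <stdio.h>
#include <signal.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL  /* pre-4.14 headers */
#endif
#if defined(__x86_64__)
#define SB_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SB_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this target"
#endif

/* How the sandboxed child ended (assumed convention for this example). */
enum { SB_EXITED_OK, SB_KILLED_BY_FILTER, SB_UNAVAILABLE, SB_OTHER };

/* Allow only write, exit and exit_group; kill the process on anything else.
 * The arch check comes first: syscall numbers differ between ABIs, so a
 * filter that skips it can be bypassed by switching ABI (e.g. via int 0x80). */
static int install_filter(void)
{
    struct sock_filter filter[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SB_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_write,      3, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_exit_group, 2, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_exit,       1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof filter / sizeof filter[0]),
        .filter = filter,
    };
    /* Required for an unprivileged process to install a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0) return -1;
    return 0;
}

/* Fork, install the filter in the child, run `work`, classify the outcome. */
static int run_sandboxed(void (*work)(void))
{
    pid_t pid = fork();
    if (pid < 0) return SB_OTHER;
    if (pid == 0) {
        if (install_filter() != 0) _exit(100);  /* kernel/container refused the filter */
        work();
        _exit(0);
    }
    int status;
    if (waitpid(pid, &status, 0) != pid) return SB_OTHER;
    if (WIFSIGNALED(status) && WTERMSIG(status) == SIGSYS) return SB_KILLED_BY_FILTER;
    if (WIFEXITED(status) && WEXITSTATUS(status) == 100) return SB_UNAVAILABLE;
    if (WIFEXITED(status) && WEXITSTATUS(status) == 0) return SB_EXITED_OK;
    return SB_OTHER;
}

static void allowed_work(void)
{
    ssize_t n = write(1, "inside sandbox\n", 15);  /* write is on the allow-list */
    (void)n;
}

static void forbidden_work(void)
{
    pid_t p = getpid();  /* getpid is not on the allow-list: SIGSYS */
    (void)p;
}

int main(void)
{
    static const char *names[] = {
        "exited normally", "killed by filter (SIGSYS)", "seccomp unavailable", "other"
    };
    printf("allowed work  : %s\n", names[run_sandboxed(allowed_work)]);
    printf("forbidden work: %s\n", names[run_sandboxed(forbidden_work)]);
    return 0;
}
```

A real sandbox's allow-list is much longer and usually also constrains arguments (for example, which flags `mmap` may be called with), but the shape is the same: check the ABI, then the syscall number, and default to kill. If the filter cannot be installed (an older kernel, or a container that blocks nested seccomp), the helper reports `SB_UNAVAILABLE` instead of silently running the work unsandboxed.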
System call interposition (ptrace-based tracers, seccomp-bpf filters, eBPF-based tools) has well-known traps and pitfalls. A common one is time-of-check to time-of-use (TOCTTOU), caused by the non-atomicity of the permission check at the interposition point and the eventual access in the kernel:
- At interposition, permission to perform operation A is granted, based on some mutable shared state.
- That state changes, so that performing A is no longer legal, yet the OS still performs A on the strength of the stale check.
Any file-path based check is exposed to this race: an attacker (for example a second thread of the sandboxed process) can rewrite the file-path buffer after the interposer has checked it but before the kernel reads it.
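The race above, modelled in user space as an added example (it is not code from the notes or from any interposition tool): a "kernel" stand-in records the path it opened, and a racer callback plays the second thread that rewrites the caller's buffer inside the window. The policy prefix, the helper names and the deterministic callback in place of a real thread are assumptions for illustration.

```c
/* Added example, not from the original notes: the argument race an
 * interposer hits when it checks a path in the caller's memory and the
 * kernel re-reads that memory later. The racer callback stands in for a
 * second thread running inside the check/use window. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define SB_PATH_LEN 256
static const char ALLOWED_PREFIX[] = "/tmp/sandbox/";  /* assumed policy */

/* Policy: the sandboxed process may only touch files under ALLOWED_PREFIX. */
static bool policy_allows(const char *path)
{
    return strncmp(path, ALLOWED_PREFIX, sizeof ALLOWED_PREFIX - 1) == 0
        && strstr(path, "/../") == NULL;
}

/* Stand-in for the kernel: records the path it actually operated on. */
static char last_opened[SB_PATH_LEN];
static void kernel_open(const char *path)
{
    snprintf(last_opened, sizeof last_opened, "%s", path);
}

/* Vulnerable interposer: checks the shared buffer, then lets the kernel read
 * the same buffer again. Whatever rewrites it in between wins. */
static bool mediate_vulnerable(char *user_path, void (*racer)(char *))
{
    if (!policy_allows(user_path))      /* time of check */
        return false;
    if (racer) racer(user_path);        /* window: the other thread runs here */
    kernel_open(user_path);             /* time of use, re-reads user memory */
    return true;
}

/* Hardened interposer: snapshot the argument into memory the caller cannot
 * touch, then check and use the snapshot. The racer can still scribble on
 * the original buffer, but nothing reads it after the copy. */
static bool mediate_safe(char *user_path, void (*racer)(char *))
{
    char snapshot[SB_PATH_LEN];
    if (snprintf(snapshot, sizeof snapshot, "%s", user_path) >= (int)sizeof snapshot)
        return false;                   /* too long: refuse rather than truncate */
    if (!policy_allows(snapshot))
        return false;
    if (racer) racer(user_path);
    kernel_open(snapshot);
    return true;
}

/* Attacker thread: swap the checked path for one outside the sandbox. */
static void swap_to_secret(char *buf)
{
    strcpy(buf, "/etc/shadow");  /* fits: every buffer here is SB_PATH_LEN */
}

/* Drive one interposer on a constructed request; returns the path the
 * "kernel" ended up opening, or "(denied)". */
static const char *run(bool (*mediate)(char *, void (*)(char *)),
                       void (*racer)(char *), const char *initial_path)
{
    char user_buf[SB_PATH_LEN];
    snprintf(user_buf, sizeof user_buf, "%s", initial_path);
    last_opened[0] = '\0';
    if (!mediate(user_buf, racer))
        return "(denied)";
    return last_opened;
}

int main(void)
{
    const char *req = "/tmp/sandbox/notes.txt";  /* constructed request */
    printf("vulnerable, raced: %s\n", run(mediate_vulnerable, swap_to_secret, req));
    printf("hardened,   raced: %s\n", run(mediate_safe, swap_to_secret, req));
    return 0;
}
```

The fix is the copy: pointer arguments are brought into interposer-owned memory before they are checked, and the copy is what gets used. This is also why a seccomp-bpf filter does not suffer from this particular race: it can only inspect the register values of a call and cannot dereference user pointers at all, whereas a ptrace-based or seccomp-user-notification supervisor that reads the target's memory has to snapshot it (and, for paths, prefer handle-based access such as opening a directory fd and using the `*at` calls) to close the window.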