Secure Extensibility for System State Extraction via Plugin Sandboxing
Sahil Suneja, Canturk Isci

TL;DR
This paper presents a secure sandboxing mechanism for third-party plugins in system data collection software, enhancing security and extensibility by isolating untrusted code within a kernel-based sandbox environment.
Contribution
It introduces a novel sandboxing approach combining kernel features to securely run untrusted plugins, protecting system data collection processes from malicious exploits.
Findings
Successfully sandboxed plugins in containerized environments
Verified containment of multiple exploits
Enhanced security without sacrificing extensibility
Abstract
We introduce a new mechanism to securely extend systems data collection software with potentially untrusted third-party code. Unlike existing tools, which run extension modules or plugins directly inside the monitored endpoint (the guest), we run plugins inside a specially crafted sandbox, so as to protect the guest as well as the software core. To get the right mix of accessibility and constraints required for systems data extraction, we create our sandbox by combining multiple features exported by an unmodified kernel. We have tested its applicability by successfully sandboxing plugins of an open-sourced data collection software for containerized guest systems. We have also verified its security posture in terms of successful containment of several exploits, which would have otherwise directly impacted a guest if shipped inside third-party plugins.
Taxonomy
Topics: Security and Verification in Computing · Advanced Malware Detection Techniques · Cloud Data Security Solutions
