Secure Extensibility for System State Extraction via Plugin Sandboxing
This addresses security risks for systems administrators and developers using extensible data collection tools, offering a practical solution to prevent plugin-based attacks, though it is incremental by building on existing kernel features.
The paper tackles the problem of securely extending system data collection software with untrusted third-party plugins by introducing a sandboxing mechanism that isolates plugins from the monitored endpoint, successfully tested on containerized systems and shown to contain exploits that would otherwise impact the guest.
We introduce a new mechanism to securely extend systems data collection software with potentially untrusted third-party code. Unlike existing tools which run extension modules or plugins directly inside the monitored endpoint (the guest), we run plugins inside a specially crafted sandbox, so as to protect the guest as well as the software core. To get the right mix of accessibility and constraints required for systems data extraction, we create our sandbox by combining multiple features exported by an unmodified kernel. We have tested its applicability by successfully sandboxing plugins of an opensourced data collection software for containerized guest systems. We have also verified its security posture in terms of successful containment of several exploits, which would have otherwise directly impacted a guest, if shipped inside third-party plugins.