Using Operating System Wrappers to Increase The
By: Vika • Study Guide • 5,500 Words • February 3, 2010 • 918 Views
Join now to read essay Using Operating System Wrappers to Increase The
Using Operating System Wrappers to Increase the
Resiliency of Commercial Firewalls
Jeremy Epstein Linda Thomas Eric Monteith
jepstein@webMethods.com Ithomas@webMethods.com eric-monteith@nai.com
webMethods, Inc. webMethods, Inc. NAI Labs
Abstract’
Operating system wrappers technology provides a
means for providing fine grained controls on the operation
of applications software. Application proxy firewalls can
gain from this technology by wrapping the proxies, thus
preventing bugs (or malicious software) in the proxy from
subverting the intent of the firewall. This paper describes
several experiments we performed with wrappers and
firewalls, using several different firewalls and types of
wrappers.
1 Introduction
Access controls in operating systems are usually at a
coarse level and frequently do not cover all types of
resources in the system. For example, UNIX systems
control access to files, but the only controls on sockets
limit non-root processes from binding low numbered
sockets. Operating system wrapper technologies
(henceforth “wrappers”), including those described in
[Jones], [Fraser], [Balzer], among others, allow specifying
the behavior of application processes to an arbitrary level
ofgranuIarity.2
While wrapper technology is aimed at constraining the
behavior of applications on end systems (especially
clients, and possibly also servers), it is also applicable to
security devices such as firewalls. As part of the DARPA
Information Assurance program, we have performed a
series of experiments using different types of wrappers to
constrain the behavior of several different firewall
products. This paper describes the results of those
experiments, and points to directions for future research.
The remainder of this paper is organized as follows.
Section 2 describes our motivation for developing firewall
’ The work described in this paper was performed while all three authors
were associated by NAI Labs. * The term “wrappers’ is overloaded in the security field. In this paper,
it means fimctions that intercept system calls and perform mediation.
This is different from TCP Wrappers [Vmema] which are a program
between inefd and the service provider daemons, but do not attempt to
intercept system calls.
wrappers. While this paper assumes a basic
understanding of wrapper technology, Section 3 provides
a synopsis of what wrappers are and how they work, and
describes some of the differences between the wrappers
technology developed by NAI Labs EFraser] and the
wrappers technology developed by the Information
Sciences Institute (ISI) [Balzer]. Section 4 describes how
we wrapped the Gauntlet Internet Firewall (for which we
had design information and source code available) using
the NAI Labs wrappers. Section 5 describes our
experiences in using the NAI Labs wrappers to wrap
firewalls for which we had no source code or design
information. Section 6 describes how 1 we wrapped the