User-Level Sandboxing with FUSE

1
User-Level Sandboxing with FUSE
University of Notre DameCSE 60641

• Brandon RichAndrew Blaich

2
Problem

• Protect the file system from abuse.
• Guiding Principles
• Transparency
• Isolation
• User input

3
Solution

• System Call Interposition
• Intercept
• Analyze
• Re-route and log activity
• Return
• Post-execution commit
• Using log and execution cache

4
Components

• FUSE
• Syscall interposition (free)
• Logger
• Sandbox
• Whole-file copy
• Virtual File List
• Commit process
• Uses log and .sandbox files

5
3 Cases 1) Writing a new file2) Writing an
existing file3) Reading
System-Call
USER-Space
log call in log.log
OpenReadWriteClose
FUSE
Kernel
/tmp file1.txt file1.txt.sandbox file2.doc
6
Virtual File List
7
Sandboxing Writes
8
Sandboxing Writes
9
Sandboxing Deletes

• No deletes ever take place
• VFL entry can be designated deleted
• Version numbers keep track of future generations
  of a file

10
Hiding Sandbox Files
11
Logging
12
Committer
13
Performance Evaluation

• Tests
• Andrew Benchmark
• Chirp Benchmark
• Custom Benchmarks
• Three Environments
• Unmodified ext3 file system
• Clean FUSE
• Sandboxing FUSE

14
Andrew Benchmark
(Compile Phase 5 Am-utils)
15
Chirp Benchmark
16
Overhead of Logging vs Sandboxing
Chirp Benchmark
17
Custom Benchmark
18
Conclusions

• System call interposition at the user level is
  expensive
• Disk-based caching is simple but robust
• Our approach is effective but could be improved

19
Questions?