Hybrid Isolation Model for Device Application Sandboxing Deployment in Zero Trust Architecture

Jingci Zhang; Jun Zheng; Zheng Zhang; Tian Chen; Kefan Qiu; Quanxin Zhang; Yuanzhang Li

doi:10.1007/978-3-031-16815-4_7

Hybrid Isolation Model for Device Application Sandboxing Deployment in Zero Trust Architecture

Jingci Zhang^*, Jun Zheng, Zheng Zhang, Tian Chen, Kefan Qiu, Quanxin Zhang, Yuanzhang Li

^*Corresponding author for this work

Beijing Institute of Technology

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

2 Citations (Scopus)

Abstract

With recent cyber security attacks, “border defense” security protection mechanism has been repeatedly infiltrated breakthrough, and the “border defense” security protection mechanism has often penetrated and broken through, and the “borderless” security defense idea of “Never Trust, Always Verify” – Zero Trust was proposed. The device application sandbox deployment model is one of the four essential zero trust architecture device deployment models. Isolation sandboxes isolate trusted applications from potential threats. The isolation of the application sandbox directly affects the security of trusted applications. Given the security risks such as sandbox escape in the sandbox application, we propose a hybrid isolation model based on access behavior (AB-HIM) and give the formal definition and security characteristics of the model. The model dynamically determines the security identity of the subject according to the access behavior and controls the access operation of the application sandbox. Therefore, the sandbox meets the characteristics of autonomous security, domain isolation, and integrity, ensuring that the system is always in an isolated safe state and easy to use. Finally, zero trust architecture device application sandboxing deployment environment based on containers and Linux security module implements the security model. And aiming at the same container escape vulnerability, we make security comparison experiments. The experimental results show that the security model proposed in this paper effectively enhances the security of the device application sandboxing deployment model in zero trust architecture.

Original language	English
Title of host publication	Applied Cryptography and Network Security Workshops - ACNS 2022 Satellite Workshops, AIBlock, AIHWS, AIoTS, CIMSS, Cloud S and P, SCI, SecMT, SiMLA, Proceedings
Editors	Jianying Zhou, Sudipta Chattopadhyay, Sridhar Adepu, Cristina Alcaraz, Lejla Batina, Emiliano Casalicchio, Chenglu Jin, Jingqiang Lin, Eleonora Losiouk, Suryadipta Majumdar, Weizhi Meng, Stjepan Picek, Yury Zhauniarovich, Jun Shao, Chunhua Su, Cong Wang, Saman Zonouz
Publisher	Springer Science and Business Media Deutschland GmbH
Pages	104-123
Number of pages	20
ISBN (Print)	9783031168147
DOIs	https://doi.org/10.1007/978-3-031-16815-4_7
Publication status	Published - 2022
Event	Satellite Workshops on AIBlock, AIHWS, AIoTS, CIMSS, Cloud S and P, SCI, SecMT, SiMLA 2022, held in conjunction with the 20th International Conference on Applied Cryptography and Network Security, ACNS 2022 - Virtual, Online Duration: 20 Jun 2022 → 23 Jun 2022

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	13285 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	Satellite Workshops on AIBlock, AIHWS, AIoTS, CIMSS, Cloud S and P, SCI, SecMT, SiMLA 2022, held in conjunction with the 20th International Conference on Applied Cryptography and Network Security, ACNS 2022
City	Virtual, Online
Period	20/06/22 → 23/06/22

Keywords

Access control model
Device application sandboxing
Isolation mechanism
Zero trust architecture

Access to Document

10.1007/978-3-031-16815-4_7

Cite this

Zhang, J., Zheng, J., Zhang, Z., Chen, T., Qiu, K., Zhang, Q., & Li, Y. (2022). Hybrid Isolation Model for Device Application Sandboxing Deployment in Zero Trust Architecture. In J. Zhou, S. Chattopadhyay, S. Adepu, C. Alcaraz, L. Batina, E. Casalicchio, C. Jin, J. Lin, E. Losiouk, S. Majumdar, W. Meng, S. Picek, Y. Zhauniarovich, J. Shao, C. Su, C. Wang, & S. Zonouz (Eds.), Applied Cryptography and Network Security Workshops - ACNS 2022 Satellite Workshops, AIBlock, AIHWS, AIoTS, CIMSS, Cloud S and P, SCI, SecMT, SiMLA, Proceedings (pp. 104-123). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 13285 LNCS). Springer Science and Business Media Deutschland GmbH. https://doi.org/10.1007/978-3-031-16815-4_7

Zhang, Jingci ; Zheng, Jun ; Zhang, Zheng et al. / Hybrid Isolation Model for Device Application Sandboxing Deployment in Zero Trust Architecture. Applied Cryptography and Network Security Workshops - ACNS 2022 Satellite Workshops, AIBlock, AIHWS, AIoTS, CIMSS, Cloud S and P, SCI, SecMT, SiMLA, Proceedings. editor / Jianying Zhou ; Sudipta Chattopadhyay ; Sridhar Adepu ; Cristina Alcaraz ; Lejla Batina ; Emiliano Casalicchio ; Chenglu Jin ; Jingqiang Lin ; Eleonora Losiouk ; Suryadipta Majumdar ; Weizhi Meng ; Stjepan Picek ; Yury Zhauniarovich ; Jun Shao ; Chunhua Su ; Cong Wang ; Saman Zonouz. Springer Science and Business Media Deutschland GmbH, 2022. pp. 104-123 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{1476a8ec2bea4a75b82c01dce4878d50,

title = "Hybrid Isolation Model for Device Application Sandboxing Deployment in Zero Trust Architecture",

abstract = "With recent cyber security attacks, “border defense” security protection mechanism has been repeatedly infiltrated breakthrough, and the “border defense” security protection mechanism has often penetrated and broken through, and the “borderless” security defense idea of “Never Trust, Always Verify” – Zero Trust was proposed. The device application sandbox deployment model is one of the four essential zero trust architecture device deployment models. Isolation sandboxes isolate trusted applications from potential threats. The isolation of the application sandbox directly affects the security of trusted applications. Given the security risks such as sandbox escape in the sandbox application, we propose a hybrid isolation model based on access behavior (AB-HIM) and give the formal definition and security characteristics of the model. The model dynamically determines the security identity of the subject according to the access behavior and controls the access operation of the application sandbox. Therefore, the sandbox meets the characteristics of autonomous security, domain isolation, and integrity, ensuring that the system is always in an isolated safe state and easy to use. Finally, zero trust architecture device application sandboxing deployment environment based on containers and Linux security module implements the security model. And aiming at the same container escape vulnerability, we make security comparison experiments. The experimental results show that the security model proposed in this paper effectively enhances the security of the device application sandboxing deployment model in zero trust architecture.",

keywords = "Access control model, Device application sandboxing, Isolation mechanism, Zero trust architecture",

author = "Jingci Zhang and Jun Zheng and Zheng Zhang and Tian Chen and Kefan Qiu and Quanxin Zhang and Yuanzhang Li",

note = "Publisher Copyright: {\textcopyright} 2022, The Author(s), under exclusive license to Springer Nature Switzerland AG.; Satellite Workshops on AIBlock, AIHWS, AIoTS, CIMSS, Cloud S and P, SCI, SecMT, SiMLA 2022, held in conjunction with the 20th International Conference on Applied Cryptography and Network Security, ACNS 2022 ; Conference date: 20-06-2022 Through 23-06-2022",

year = "2022",

doi = "10.1007/978-3-031-16815-4_7",

language = "English",

isbn = "9783031168147",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer Science and Business Media Deutschland GmbH",

pages = "104--123",

editor = "Jianying Zhou and Sudipta Chattopadhyay and Sridhar Adepu and Cristina Alcaraz and Lejla Batina and Emiliano Casalicchio and Chenglu Jin and Jingqiang Lin and Eleonora Losiouk and Suryadipta Majumdar and Weizhi Meng and Stjepan Picek and Yury Zhauniarovich and Jun Shao and Chunhua Su and Cong Wang and Saman Zonouz",

booktitle = "Applied Cryptography and Network Security Workshops - ACNS 2022 Satellite Workshops, AIBlock, AIHWS, AIoTS, CIMSS, Cloud S and P, SCI, SecMT, SiMLA, Proceedings",

address = "Germany",

}

Zhang, J, Zheng, J, Zhang, Z, Chen, T, Qiu, K, Zhang, Q & Li, Y 2022, Hybrid Isolation Model for Device Application Sandboxing Deployment in Zero Trust Architecture. in J Zhou, S Chattopadhyay, S Adepu, C Alcaraz, L Batina, E Casalicchio, C Jin, J Lin, E Losiouk, S Majumdar, W Meng, S Picek, Y Zhauniarovich, J Shao, C Su, C Wang & S Zonouz (eds), Applied Cryptography and Network Security Workshops - ACNS 2022 Satellite Workshops, AIBlock, AIHWS, AIoTS, CIMSS, Cloud S and P, SCI, SecMT, SiMLA, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 13285 LNCS, Springer Science and Business Media Deutschland GmbH, pp. 104-123, Satellite Workshops on AIBlock, AIHWS, AIoTS, CIMSS, Cloud S and P, SCI, SecMT, SiMLA 2022, held in conjunction with the 20th International Conference on Applied Cryptography and Network Security, ACNS 2022, Virtual, Online, 20/06/22. https://doi.org/10.1007/978-3-031-16815-4_7

Hybrid Isolation Model for Device Application Sandboxing Deployment in Zero Trust Architecture. / Zhang, Jingci; Zheng, Jun; Zhang, Zheng et al.
Applied Cryptography and Network Security Workshops - ACNS 2022 Satellite Workshops, AIBlock, AIHWS, AIoTS, CIMSS, Cloud S and P, SCI, SecMT, SiMLA, Proceedings. ed. / Jianying Zhou; Sudipta Chattopadhyay; Sridhar Adepu; Cristina Alcaraz; Lejla Batina; Emiliano Casalicchio; Chenglu Jin; Jingqiang Lin; Eleonora Losiouk; Suryadipta Majumdar; Weizhi Meng; Stjepan Picek; Yury Zhauniarovich; Jun Shao; Chunhua Su; Cong Wang; Saman Zonouz. Springer Science and Business Media Deutschland GmbH, 2022. p. 104-123 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 13285 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Hybrid Isolation Model for Device Application Sandboxing Deployment in Zero Trust Architecture

AU - Zhang, Jingci

AU - Zheng, Jun

AU - Zhang, Zheng

AU - Chen, Tian

AU - Qiu, Kefan

AU - Zhang, Quanxin

AU - Li, Yuanzhang

PY - 2022

Y1 - 2022

N2 - With recent cyber security attacks, “border defense” security protection mechanism has been repeatedly infiltrated breakthrough, and the “border defense” security protection mechanism has often penetrated and broken through, and the “borderless” security defense idea of “Never Trust, Always Verify” – Zero Trust was proposed. The device application sandbox deployment model is one of the four essential zero trust architecture device deployment models. Isolation sandboxes isolate trusted applications from potential threats. The isolation of the application sandbox directly affects the security of trusted applications. Given the security risks such as sandbox escape in the sandbox application, we propose a hybrid isolation model based on access behavior (AB-HIM) and give the formal definition and security characteristics of the model. The model dynamically determines the security identity of the subject according to the access behavior and controls the access operation of the application sandbox. Therefore, the sandbox meets the characteristics of autonomous security, domain isolation, and integrity, ensuring that the system is always in an isolated safe state and easy to use. Finally, zero trust architecture device application sandboxing deployment environment based on containers and Linux security module implements the security model. And aiming at the same container escape vulnerability, we make security comparison experiments. The experimental results show that the security model proposed in this paper effectively enhances the security of the device application sandboxing deployment model in zero trust architecture.

AB - With recent cyber security attacks, “border defense” security protection mechanism has been repeatedly infiltrated breakthrough, and the “border defense” security protection mechanism has often penetrated and broken through, and the “borderless” security defense idea of “Never Trust, Always Verify” – Zero Trust was proposed. The device application sandbox deployment model is one of the four essential zero trust architecture device deployment models. Isolation sandboxes isolate trusted applications from potential threats. The isolation of the application sandbox directly affects the security of trusted applications. Given the security risks such as sandbox escape in the sandbox application, we propose a hybrid isolation model based on access behavior (AB-HIM) and give the formal definition and security characteristics of the model. The model dynamically determines the security identity of the subject according to the access behavior and controls the access operation of the application sandbox. Therefore, the sandbox meets the characteristics of autonomous security, domain isolation, and integrity, ensuring that the system is always in an isolated safe state and easy to use. Finally, zero trust architecture device application sandboxing deployment environment based on containers and Linux security module implements the security model. And aiming at the same container escape vulnerability, we make security comparison experiments. The experimental results show that the security model proposed in this paper effectively enhances the security of the device application sandboxing deployment model in zero trust architecture.

KW - Access control model

KW - Device application sandboxing

KW - Isolation mechanism

KW - Zero trust architecture

UR - http://www.scopus.com/inward/record.url?scp=85140489639&partnerID=8YFLogxK

U2 - 10.1007/978-3-031-16815-4_7

DO - 10.1007/978-3-031-16815-4_7

M3 - Conference contribution

AN - SCOPUS:85140489639

SN - 9783031168147

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 104

EP - 123

BT - Applied Cryptography and Network Security Workshops - ACNS 2022 Satellite Workshops, AIBlock, AIHWS, AIoTS, CIMSS, Cloud S and P, SCI, SecMT, SiMLA, Proceedings

A2 - Zhou, Jianying

A2 - Chattopadhyay, Sudipta

A2 - Adepu, Sridhar

A2 - Alcaraz, Cristina

A2 - Batina, Lejla

A2 - Casalicchio, Emiliano

A2 - Jin, Chenglu

A2 - Lin, Jingqiang

A2 - Losiouk, Eleonora

A2 - Majumdar, Suryadipta

A2 - Meng, Weizhi

A2 - Picek, Stjepan

A2 - Zhauniarovich, Yury

A2 - Shao, Jun

A2 - Su, Chunhua

A2 - Wang, Cong

A2 - Zonouz, Saman

PB - Springer Science and Business Media Deutschland GmbH

T2 - Satellite Workshops on AIBlock, AIHWS, AIoTS, CIMSS, Cloud S and P, SCI, SecMT, SiMLA 2022, held in conjunction with the 20th International Conference on Applied Cryptography and Network Security, ACNS 2022

Y2 - 20 June 2022 through 23 June 2022

ER -

Zhang J, Zheng J, Zhang Z, Chen T, Qiu K, Zhang Q et al. Hybrid Isolation Model for Device Application Sandboxing Deployment in Zero Trust Architecture. In Zhou J, Chattopadhyay S, Adepu S, Alcaraz C, Batina L, Casalicchio E, Jin C, Lin J, Losiouk E, Majumdar S, Meng W, Picek S, Zhauniarovich Y, Shao J, Su C, Wang C, Zonouz S, editors, Applied Cryptography and Network Security Workshops - ACNS 2022 Satellite Workshops, AIBlock, AIHWS, AIoTS, CIMSS, Cloud S and P, SCI, SecMT, SiMLA, Proceedings. Springer Science and Business Media Deutschland GmbH. 2022. p. 104-123. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-031-16815-4_7