TY - JOUR
T1 - Hybrid isolation model for device application sandboxing deployment in Zero Trust architecture
AU - Zhang, Jingci
AU - Zheng, Jun
AU - Zhang, Zheng
AU - Chen, Tian
AU - Qiu, Kefan
AU - Zhang, Quanxin
AU - Li, Yuanzhang
N1 - Publisher Copyright:
© 2022 Wiley Periodicals LLC.
PY - 2022/12
Y1 - 2022/12
N2 - With recent cyber security attacks, the “border defense” security protection mechanism has often been penetrated and broken through, and the “borderless” security defense idea, Zero Trust, was proposed. The device application sandbox deployment model is one of the four essential device deployment models in Zero Trust architecture. The isolation of the application sandbox directly affects the security of trusted applications. Given security risks such as sandbox escape in sandboxed applications, we propose a hybrid isolation model based on access behavior and give the formal definition and security characteristics of the model. The model dynamically determines the security identity of a subject according to its access behavior and controls the access operations of the application sandbox. Therefore, the sandbox meets the characteristics of autonomous security, domain isolation, and integrity, ensuring that the system always remains in an isolated, safe state while staying easy to use. Finally, we implement the security model based on containers and a Linux security module, and test the network and disk performance of this model. Furthermore, we conduct security comparison experiments based on the same container escape vulnerability. The experimental results show that the security model proposed in this paper effectively enhances the security of the device application sandboxing deployment model in Zero Trust architecture, and has better performance compared with Container-SELinux.
AB - With recent cyber security attacks, the “border defense” security protection mechanism has often been penetrated and broken through, and the “borderless” security defense idea, Zero Trust, was proposed. The device application sandbox deployment model is one of the four essential device deployment models in Zero Trust architecture. The isolation of the application sandbox directly affects the security of trusted applications. Given security risks such as sandbox escape in sandboxed applications, we propose a hybrid isolation model based on access behavior and give the formal definition and security characteristics of the model. The model dynamically determines the security identity of a subject according to its access behavior and controls the access operations of the application sandbox. Therefore, the sandbox meets the characteristics of autonomous security, domain isolation, and integrity, ensuring that the system always remains in an isolated, safe state while staying easy to use. Finally, we implement the security model based on containers and a Linux security module, and test the network and disk performance of this model. Furthermore, we conduct security comparison experiments based on the same container escape vulnerability. The experimental results show that the security model proposed in this paper effectively enhances the security of the device application sandboxing deployment model in Zero Trust architecture, and has better performance compared with Container-SELinux.
KW - access control model
KW - device application sandboxing
KW - isolation mechanism
KW - zero trust architecture
UR - http://www.scopus.com/inward/record.url?scp=85136598219&partnerID=8YFLogxK
U2 - 10.1002/int.23037
DO - 10.1002/int.23037
M3 - Article
AN - SCOPUS:85136598219
SN - 0884-8173
VL - 37
SP - 11167
EP - 11187
JO - International Journal of Intelligent Systems
JF - International Journal of Intelligent Systems
IS - 12
ER -