Hybrid Isolation Model for Device Application Sandboxing Deployment in Zero Trust Architecture

Jingci Zhang; Jun Zheng; Zheng Zhang; Tian Chen; Kefan Qiu; Quanxin Zhang; Yuanzhang Li

doi:10.1007/978-3-031-16815-4_7

Hybrid Isolation Model for Device Application Sandboxing Deployment in Zero Trust Architecture

Jingci Zhang^*, Jun Zheng, Zheng Zhang, Tian Chen, Kefan Qiu, Quanxin Zhang, Yuanzhang Li

^*此作品的通讯作者

Beijing Institute of Technology

科研成果: 书/报告/会议事项章节 › 会议稿件 › 同行评审

2 引用（Scopus）

摘要

With recent cyber security attacks, “border defense” security protection mechanism has been repeatedly infiltrated breakthrough, and the “border defense” security protection mechanism has often penetrated and broken through, and the “borderless” security defense idea of “Never Trust, Always Verify” – Zero Trust was proposed. The device application sandbox deployment model is one of the four essential zero trust architecture device deployment models. Isolation sandboxes isolate trusted applications from potential threats. The isolation of the application sandbox directly affects the security of trusted applications. Given the security risks such as sandbox escape in the sandbox application, we propose a hybrid isolation model based on access behavior (AB-HIM) and give the formal definition and security characteristics of the model. The model dynamically determines the security identity of the subject according to the access behavior and controls the access operation of the application sandbox. Therefore, the sandbox meets the characteristics of autonomous security, domain isolation, and integrity, ensuring that the system is always in an isolated safe state and easy to use. Finally, zero trust architecture device application sandboxing deployment environment based on containers and Linux security module implements the security model. And aiming at the same container escape vulnerability, we make security comparison experiments. The experimental results show that the security model proposed in this paper effectively enhances the security of the device application sandboxing deployment model in zero trust architecture.

源语言	英语
主期刊名	Applied Cryptography and Network Security Workshops - ACNS 2022 Satellite Workshops, AIBlock, AIHWS, AIoTS, CIMSS, Cloud S and P, SCI, SecMT, SiMLA, Proceedings
编辑	Jianying Zhou, Sudipta Chattopadhyay, Sridhar Adepu, Cristina Alcaraz, Lejla Batina, Emiliano Casalicchio, Chenglu Jin, Jingqiang Lin, Eleonora Losiouk, Suryadipta Majumdar, Weizhi Meng, Stjepan Picek, Yury Zhauniarovich, Jun Shao, Chunhua Su, Cong Wang, Saman Zonouz
出版商	Springer Science and Business Media Deutschland GmbH
页	104-123
页数	20
ISBN（印刷版）	9783031168147
DOI	https://doi.org/10.1007/978-3-031-16815-4_7
出版状态	已出版 - 2022
活动	Satellite Workshops on AIBlock, AIHWS, AIoTS, CIMSS, Cloud S and P, SCI, SecMT, SiMLA 2022, held in conjunction with the 20th International Conference on Applied Cryptography and Network Security, ACNS 2022 - Virtual, Online 期限: 20 6月 2022 → 23 6月 2022

出版系列

姓名	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
卷	13285 LNCS
ISSN（印刷版）	0302-9743
ISSN（电子版）	1611-3349

会议

会议	Satellite Workshops on AIBlock, AIHWS, AIoTS, CIMSS, Cloud S and P, SCI, SecMT, SiMLA 2022, held in conjunction with the 20th International Conference on Applied Cryptography and Network Security, ACNS 2022
市	Virtual, Online
时期	20/06/22 → 23/06/22

访问文件

10.1007/978-3-031-16815-4_7

其它文件与链接

链接到 Scopus 的出版物

引用此

Zhang, J., Zheng, J., Zhang, Z., Chen, T., Qiu, K., Zhang, Q., & Li, Y. (2022). Hybrid Isolation Model for Device Application Sandboxing Deployment in Zero Trust Architecture. 在 J. Zhou, S. Chattopadhyay, S. Adepu, C. Alcaraz, L. Batina, E. Casalicchio, C. Jin, J. Lin, E. Losiouk, S. Majumdar, W. Meng, S. Picek, Y. Zhauniarovich, J. Shao, C. Su, C. Wang, & S. Zonouz (编辑), Applied Cryptography and Network Security Workshops - ACNS 2022 Satellite Workshops, AIBlock, AIHWS, AIoTS, CIMSS, Cloud S and P, SCI, SecMT, SiMLA, Proceedings (页码 104-123). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); 卷 13285 LNCS). Springer Science and Business Media Deutschland GmbH. https://doi.org/10.1007/978-3-031-16815-4_7

Zhang, Jingci ; Zheng, Jun ; Zhang, Zheng 等. / Hybrid Isolation Model for Device Application Sandboxing Deployment in Zero Trust Architecture. Applied Cryptography and Network Security Workshops - ACNS 2022 Satellite Workshops, AIBlock, AIHWS, AIoTS, CIMSS, Cloud S and P, SCI, SecMT, SiMLA, Proceedings. 编辑 / Jianying Zhou ; Sudipta Chattopadhyay ; Sridhar Adepu ; Cristina Alcaraz ; Lejla Batina ; Emiliano Casalicchio ; Chenglu Jin ; Jingqiang Lin ; Eleonora Losiouk ; Suryadipta Majumdar ; Weizhi Meng ; Stjepan Picek ; Yury Zhauniarovich ; Jun Shao ; Chunhua Su ; Cong Wang ; Saman Zonouz. Springer Science and Business Media Deutschland GmbH, 2022. 页码 104-123 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{1476a8ec2bea4a75b82c01dce4878d50,

title = "Hybrid Isolation Model for Device Application Sandboxing Deployment in Zero Trust Architecture",

abstract = "With recent cyber security attacks, “border defense” security protection mechanism has been repeatedly infiltrated breakthrough, and the “border defense” security protection mechanism has often penetrated and broken through, and the “borderless” security defense idea of “Never Trust, Always Verify” – Zero Trust was proposed. The device application sandbox deployment model is one of the four essential zero trust architecture device deployment models. Isolation sandboxes isolate trusted applications from potential threats. The isolation of the application sandbox directly affects the security of trusted applications. Given the security risks such as sandbox escape in the sandbox application, we propose a hybrid isolation model based on access behavior (AB-HIM) and give the formal definition and security characteristics of the model. The model dynamically determines the security identity of the subject according to the access behavior and controls the access operation of the application sandbox. Therefore, the sandbox meets the characteristics of autonomous security, domain isolation, and integrity, ensuring that the system is always in an isolated safe state and easy to use. Finally, zero trust architecture device application sandboxing deployment environment based on containers and Linux security module implements the security model. And aiming at the same container escape vulnerability, we make security comparison experiments. The experimental results show that the security model proposed in this paper effectively enhances the security of the device application sandboxing deployment model in zero trust architecture.",

keywords = "Access control model, Device application sandboxing, Isolation mechanism, Zero trust architecture",

author = "Jingci Zhang and Jun Zheng and Zheng Zhang and Tian Chen and Kefan Qiu and Quanxin Zhang and Yuanzhang Li",

note = "Publisher Copyright: {\textcopyright} 2022, The Author(s), under exclusive license to Springer Nature Switzerland AG.; Satellite Workshops on AIBlock, AIHWS, AIoTS, CIMSS, Cloud S and P, SCI, SecMT, SiMLA 2022, held in conjunction with the 20th International Conference on Applied Cryptography and Network Security, ACNS 2022 ; Conference date: 20-06-2022 Through 23-06-2022",

year = "2022",

doi = "10.1007/978-3-031-16815-4_7",

language = "English",

isbn = "9783031168147",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer Science and Business Media Deutschland GmbH",

pages = "104--123",

editor = "Jianying Zhou and Sudipta Chattopadhyay and Sridhar Adepu and Cristina Alcaraz and Lejla Batina and Emiliano Casalicchio and Chenglu Jin and Jingqiang Lin and Eleonora Losiouk and Suryadipta Majumdar and Weizhi Meng and Stjepan Picek and Yury Zhauniarovich and Jun Shao and Chunhua Su and Cong Wang and Saman Zonouz",

booktitle = "Applied Cryptography and Network Security Workshops - ACNS 2022 Satellite Workshops, AIBlock, AIHWS, AIoTS, CIMSS, Cloud S and P, SCI, SecMT, SiMLA, Proceedings",

address = "Germany",

}

Zhang, J, Zheng, J, Zhang, Z, Chen, T, Qiu, K, Zhang, Q & Li, Y 2022, Hybrid Isolation Model for Device Application Sandboxing Deployment in Zero Trust Architecture. 在 J Zhou, S Chattopadhyay, S Adepu, C Alcaraz, L Batina, E Casalicchio, C Jin, J Lin, E Losiouk, S Majumdar, W Meng, S Picek, Y Zhauniarovich, J Shao, C Su, C Wang & S Zonouz (编辑), Applied Cryptography and Network Security Workshops - ACNS 2022 Satellite Workshops, AIBlock, AIHWS, AIoTS, CIMSS, Cloud S and P, SCI, SecMT, SiMLA, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), 卷 13285 LNCS, Springer Science and Business Media Deutschland GmbH, 页码 104-123, Satellite Workshops on AIBlock, AIHWS, AIoTS, CIMSS, Cloud S and P, SCI, SecMT, SiMLA 2022, held in conjunction with the 20th International Conference on Applied Cryptography and Network Security, ACNS 2022, Virtual, Online, 20/06/22. https://doi.org/10.1007/978-3-031-16815-4_7

Hybrid Isolation Model for Device Application Sandboxing Deployment in Zero Trust Architecture. / Zhang, Jingci; Zheng, Jun; Zhang, Zheng 等.
Applied Cryptography and Network Security Workshops - ACNS 2022 Satellite Workshops, AIBlock, AIHWS, AIoTS, CIMSS, Cloud S and P, SCI, SecMT, SiMLA, Proceedings. 编辑 / Jianying Zhou; Sudipta Chattopadhyay; Sridhar Adepu; Cristina Alcaraz; Lejla Batina; Emiliano Casalicchio; Chenglu Jin; Jingqiang Lin; Eleonora Losiouk; Suryadipta Majumdar; Weizhi Meng; Stjepan Picek; Yury Zhauniarovich; Jun Shao; Chunhua Su; Cong Wang; Saman Zonouz. Springer Science and Business Media Deutschland GmbH, 2022. 页码 104-123 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); 卷 13285 LNCS).

科研成果: 书/报告/会议事项章节 › 会议稿件 › 同行评审

TY - GEN

T1 - Hybrid Isolation Model for Device Application Sandboxing Deployment in Zero Trust Architecture

AU - Zhang, Jingci

AU - Zheng, Jun

AU - Zhang, Zheng

AU - Chen, Tian

AU - Qiu, Kefan

AU - Zhang, Quanxin

AU - Li, Yuanzhang

PY - 2022

Y1 - 2022

N2 - With recent cyber security attacks, “border defense” security protection mechanism has been repeatedly infiltrated breakthrough, and the “border defense” security protection mechanism has often penetrated and broken through, and the “borderless” security defense idea of “Never Trust, Always Verify” – Zero Trust was proposed. The device application sandbox deployment model is one of the four essential zero trust architecture device deployment models. Isolation sandboxes isolate trusted applications from potential threats. The isolation of the application sandbox directly affects the security of trusted applications. Given the security risks such as sandbox escape in the sandbox application, we propose a hybrid isolation model based on access behavior (AB-HIM) and give the formal definition and security characteristics of the model. The model dynamically determines the security identity of the subject according to the access behavior and controls the access operation of the application sandbox. Therefore, the sandbox meets the characteristics of autonomous security, domain isolation, and integrity, ensuring that the system is always in an isolated safe state and easy to use. Finally, zero trust architecture device application sandboxing deployment environment based on containers and Linux security module implements the security model. And aiming at the same container escape vulnerability, we make security comparison experiments. The experimental results show that the security model proposed in this paper effectively enhances the security of the device application sandboxing deployment model in zero trust architecture.

AB - With recent cyber security attacks, “border defense” security protection mechanism has been repeatedly infiltrated breakthrough, and the “border defense” security protection mechanism has often penetrated and broken through, and the “borderless” security defense idea of “Never Trust, Always Verify” – Zero Trust was proposed. The device application sandbox deployment model is one of the four essential zero trust architecture device deployment models. Isolation sandboxes isolate trusted applications from potential threats. The isolation of the application sandbox directly affects the security of trusted applications. Given the security risks such as sandbox escape in the sandbox application, we propose a hybrid isolation model based on access behavior (AB-HIM) and give the formal definition and security characteristics of the model. The model dynamically determines the security identity of the subject according to the access behavior and controls the access operation of the application sandbox. Therefore, the sandbox meets the characteristics of autonomous security, domain isolation, and integrity, ensuring that the system is always in an isolated safe state and easy to use. Finally, zero trust architecture device application sandboxing deployment environment based on containers and Linux security module implements the security model. And aiming at the same container escape vulnerability, we make security comparison experiments. The experimental results show that the security model proposed in this paper effectively enhances the security of the device application sandboxing deployment model in zero trust architecture.

KW - Access control model

KW - Device application sandboxing

KW - Isolation mechanism

KW - Zero trust architecture

UR - http://www.scopus.com/inward/record.url?scp=85140489639&partnerID=8YFLogxK

U2 - 10.1007/978-3-031-16815-4_7

DO - 10.1007/978-3-031-16815-4_7

M3 - Conference contribution

AN - SCOPUS:85140489639

SN - 9783031168147

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 104

EP - 123

BT - Applied Cryptography and Network Security Workshops - ACNS 2022 Satellite Workshops, AIBlock, AIHWS, AIoTS, CIMSS, Cloud S and P, SCI, SecMT, SiMLA, Proceedings

A2 - Zhou, Jianying

A2 - Chattopadhyay, Sudipta

A2 - Adepu, Sridhar

A2 - Alcaraz, Cristina

A2 - Batina, Lejla

A2 - Casalicchio, Emiliano

A2 - Jin, Chenglu

A2 - Lin, Jingqiang

A2 - Losiouk, Eleonora

A2 - Majumdar, Suryadipta

A2 - Meng, Weizhi

A2 - Picek, Stjepan

A2 - Zhauniarovich, Yury

A2 - Shao, Jun

A2 - Su, Chunhua

A2 - Wang, Cong

A2 - Zonouz, Saman

PB - Springer Science and Business Media Deutschland GmbH

T2 - Satellite Workshops on AIBlock, AIHWS, AIoTS, CIMSS, Cloud S and P, SCI, SecMT, SiMLA 2022, held in conjunction with the 20th International Conference on Applied Cryptography and Network Security, ACNS 2022

Y2 - 20 June 2022 through 23 June 2022

ER -

Zhang J, Zheng J, Zhang Z, Chen T, Qiu K, Zhang Q 等. Hybrid Isolation Model for Device Application Sandboxing Deployment in Zero Trust Architecture. 在 Zhou J, Chattopadhyay S, Adepu S, Alcaraz C, Batina L, Casalicchio E, Jin C, Lin J, Losiouk E, Majumdar S, Meng W, Picek S, Zhauniarovich Y, Shao J, Su C, Wang C, Zonouz S, 编辑, Applied Cryptography and Network Security Workshops - ACNS 2022 Satellite Workshops, AIBlock, AIHWS, AIoTS, CIMSS, Cloud S and P, SCI, SecMT, SiMLA, Proceedings. Springer Science and Business Media Deutschland GmbH. 2022. 页码 104-123. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-031-16815-4_7

Hybrid Isolation Model for Device Application Sandboxing Deployment in Zero Trust Architecture

摘要

出版系列

会议

访问文件

其它文件与链接

指纹

引用此