From the course: Threat Modeling: Denial of Service and Elevation of Privilege
Bolt-on or built-in defenses
- [Instructor] It's hard to build a sandbox that usefully encapsulates code that's not designed to work in a sandbox. Fortunately, the engineers building Android and iOS were able to look at the plague of malware that impacted desktops and design a very different set of sandboxes. Because there were no Android or iOS apps, they had far more flexibility than the creators of, say, Docker. When greenfielding or rearchitecting in a move to the cloud, it's very valuable to take strong advantage of the various available sandboxes. For example, AWS Lambda uses a mix of cgroups, namespaces, seccomp-bpf, iptables and chroot to provide you with a fairly robust sandbox with a documented shared responsibility model. And because you're rearchitecting for Lambda, you can take advantage of all of those things. In fact, you have to. Not all hope is lost if you're using a more traditional operating system. More and more functionality is…
Contents
- Ways to defend against EOP (1m 10s)
- Validation to defend against elevation (1m 32s)
- Validate for purpose to prevent elevations (1m 56s)
- Validation not sanitization for defense (1m 13s)
- Attenuation in defense (2m 14s)
- Memory safety as a defensive tool (2m 1s)
- Stack canaries to protect your code (2m 20s)
- Sandboxes and isolation protect your environment (2m 8s)
- Bolt-on or built-in defenses (1m 26s)