Cryptography and Sandboxing

Cryptography and sandboxing are two foundational principles in creating secure software solutions. Both techniques align with the "security by design" philosophy by proactively addressing vulnerabilities before they can be exploited. Understanding these tools is critical for designing systems that protect data and limit risks.

Cryptography

What is Cryptography?

Cryptography involves using mathematical algorithms to secure data, making it unreadable to anyone without proper authorisation. It ensures the confidentiality, integrity, and sometimes the authenticity of data.

Key Concepts:

Encryption and Decryption: Encryption converts readable data (plaintext) into a scrambled format (ciphertext). Decryption reverses the process using a secret key.
Hashing: A one-way process that converts data into a fixed-length string, often used for password storage.
Symmetric vs. Asymmetric Encryption:
- Symmetric encryption uses one key for both encryption and decryption (e.g., AES).
- Asymmetric encryption uses a public-private key pair, commonly used in SSL/TLS protocols.

How Cryptography Supports Security by Design:

Protects sensitive information during transmission (e.g., HTTPS).
Ensures data integrity by detecting tampering (e.g., digital signatures).
Protects user credentials (e.g., hashed passwords).

Scenario:

The Unsecure PWA transmits user login credentials over HTTP in plaintext. A malicious actor intercepts the credentials using a network sniffer, gaining unauthorised access to user accounts.

Questions:

How could cryptography have prevented the attacker from accessing user credentials?
What kind of cryptographic tools or protocols should the PWA implement to protect data in transit and at rest?

Sandboxing

What is Sandboxing?

Sandboxing is a technique that isolates applications or processes in a controlled environment. If a vulnerability is exploited, the damage is contained within the sandbox, preventing it from affecting the rest of the system.

Key Concepts:

Virtualisation: Sandboxes often use virtual environments to run untrusted code safely.
Least Privilege Principle: Processes in the sandbox are given minimal permissions to limit their impact.
Dynamic Sandboxing: Testing software in a sandboxed environment to identify malicious behaviour.

How Sandboxing Supports Security by Design:

Prevents malicious code from affecting the host system.
Limits the scope of an attack if vulnerabilities are exploited.
Enables safe testing of untrusted code or third-party applications.

Scenario:

The Unsecure PWA uses third-party JavaScript libraries, one of which has an undiscovered vulnerability. An attacker exploits this vulnerability to access the user's file system on the host machine.

Questions:

How could sandboxing have limited the impact of this vulnerability?
What considerations should developers keep in mind when implementing sandboxing for third-party components?

Examples

VirtualBox: a free and open-source virtualization software that allows users to create virtual machines. Students can set up virtual environments to test software and configurations safely.
VMware: a popular virtualization software that students can use to create and run virtual machines for sandboxing purposes.
Windows Sandbox: a feature available in Windows 10 Pro and Enterprise editions that allows users to run applications in an isolated environment. It is a quick and easy way to practice sandboxing on a Windows machine.
Cuckoo Sandbox is an open-source automated malware analysis system that can be used by students to analyse and sandbox potentially malicious software.
Watch: Google Chrome & Security: Sandboxing (2:27) and explore how Chrome has implemented sandboxing to its security design features.
Browser-based sandboxes where users can practice running and testing code in a safe virtual environment include: JSFiddle, CodePen, and Replit.

Page updated

Report abuse