Hybrid Isolation Model for Device Application Sandboxing Deployment in Zero Trust Architecture

Abstract

With recent cyber security attacks, “border defense” security protection mechanism has been repeatedly infiltrated breakthrough, and the “border defense” security protection mechanism has often penetrated and broken through, and the “borderless” security defense idea of “Never Trust, Always Verify” – Zero Trust was proposed. The device application sandbox deployment model is one of the four essential zero trust architecture device deployment models. Isolation sandboxes isolate trusted applications from potential threats. The isolation of the application sandbox directly affects the security of trusted applications. Given the security risks such as sandbox escape in the sandbox application, we propose a hybrid isolation model based on access behavior (AB-HIM) and give the formal definition and security characteristics of the model. The model dynamically determines the security identity of the subject according to the access behavior and controls the access operation of the application sandbox. Therefore, the sandbox meets the characteristics of autonomous security, domain isolation, and integrity, ensuring that the system is always in an isolated safe state and easy to use. Finally, zero trust architecture device application sandboxing deployment environment based on containers and Linux security module implements the security model. And aiming at the same container escape vulnerability, we make security comparison experiments. The experimental results show that the security model proposed in this paper effectively enhances the security of the device application sandboxing deployment model in zero trust architecture.