On the Feasibility of CubeSats Application Sandboxing for Space Missions (2404.04127v1)

Published 5 Apr 2024 in cs.CR

Abstract: This paper details our journey in designing and selecting a suitable application sandboxing mechanism for a satellite under development, with a focus on small satellites. Central to our study is the development of selection criteria for sandboxing and assessing its appropriateness for our satellite payload. We also test our approach on two already operational satellites, Suchai and SALSAT, to validate its effectiveness. These experiments highlight the practicality and efficiency of our chosen sandboxing method for real-world space systems. Our results provide insights and highlight the challenges involved in integrating application sandboxing in the space sector.
