Questions tagged [isolation]

In security, "isolation" means preventing data transfer between two systems. Typically this means isolating processes or VMs through sandboxing, or isolating network or physical resources through firewalls or air-gapping.

Isolation can be two-way, as in a proper air-gap, or one-way, as in a host accessing a VM but not the other way around.

47 questions

307 votes, 9 answers

What makes Docker more secure than VMs or bare metal?

I recently had a discussion with a Docker expert about the security of Docker vs. virtual machines. When I said that I've read from different sources that it's easier for code running within a Docker container to escape from it than for a code…
Arseni Mourzenko

25 votes, 6 answers

Cheapest and tiniest acoustic isolation for smartphone?

What is the cheapest/most convenient way to isolate a mobile phone from recording with its microphone? My constraints: the cellphone has to stay in the room, I can't put it outside; maximum 100$ solution; must not take more than 30 seconds to put in and out…
Totem

8 votes, 1 answer

Do any non-GNU/Linux display managers provide the same isolation as Wayland?

In discussions around the ongoing transition from X.org to Wayland, I regularly come across comments along the lines of "Linux security is not there yet". This refers to Wayland's promise of better (but not perfect) desktop isolation (e.g.…
lofidevops

7 votes, 2 answers

What is the easiest way to sandbox an application in a *NIX environment?

I have a significant number of untrusted binary applications that need to be executed on a *nix box. I'm hoping that there might be some simple command/script (e.g. sandbox ./app1953) that could easily be used to isolate a single application from…
Stack Tracer

7 votes, 2 answers

Does Windows Subsystem for Linux provide additional security (VM-like isolation) over running native Windows programs?

On a Windows 10 machine, is it safer to run the Linux version of a browser using Windows Subsystem for Linux instead of running the Windows version? I'm asking because I've read the Wikipedia article on Windows Subsystem for Linux (WSL), and I'm not…

5 votes, 1 answer

VLAN Device Isolation - Feasibility

To mitigate the risk of malware propagating through a network, how reasonable is it to place each and every device on its own VLAN (complete isolation)? Note: The devices do not need to communicate with each other at all. Secondary…
SheerKahn

5 votes, 1 answer

VM vs System Call Interposition vs Software Fault Isolation

I have an exe file that I don't trust (maybe it's infected with malware). I know that running it in a VM will isolate the exe file from my system, but what about using mechanisms such as System Call Interposition or Software Fault Isolation? Is…
Zorx

4 votes, 1 answer

Local server applications using a web frontend on multi-user desktop environments

Currently I have multi-user Linux servers where developers access through remote desktop and use the session as work environment. But I'm a bit concerned about the increasing popularity of applications using a localhost port to…

4 votes, 1 answer

Will wireless isolation/AP isolation protect from KRACK?

Will using AP isolation on an Access Point protect connected clients from the KRACK vulnerability on that network?
Daniel

4 votes, 2 answers

Sandbox escape of an isolated Turing-complete language?

Ethereum's Solidity documentation states: The Ethereum Virtual Machine or EVM is the runtime environment for smart contracts in Ethereum. It is not only sandboxed but actually completely isolated, which means that code running inside the EVM has no…
Steve Ellis

3 votes, 1 answer

Prevent reflecting page modified by browser extension

Suppose there is a trusted browser extension in a Chrome browser that modifies the web page (like editing DOM, appending scripts, etc.). I don't want anyone but me to see the page modified by this extension, as it could now contain sensitive data.…
kupihleba

3 votes, 1 answer

Allow only a single application to access files on USB stick with Linux namespaces

It looks like I found a way to allow only a single application to access files in USB storage. This script must be run with sudo. #!/bin/bash # create namespace unshare -m<
anon432

3 votes, 1 answer

Is there any technology that allows running code in an untrusted environment?

Imagine your computer is controlled and your traffic is watched (MitM). For example, the environment can create a snapshot of the process and record traffic. Is there any chance to run code and prevent it from external inspection at level when it will…
zoonman

3 votes, 2 answers

Why is there no smartphone OS-style app isolation on PC systems?

Smartphone OSes like Android and iOS come with a lot of security features, one of the most useful to me being app isolation. In my understanding, each app installed has a space reserved, and can only access its data. This prevents a malicious app,…
Hey

2 votes, 2 answers

Security of untrusted Docker containers

If I want to run untrusted code inside a Docker container, or an untrusted Docker container for that matter, how can I restrict it? I'd like to make sure it has no access to the host filesystem. Ideally I'd like it to have limited network access:…