MAPbox: Using Parameterized Behavior Classes to Confine Untrusted Applications

Designing a mechanism to confine untrusted applications is challenging because such a mechanism must satisfy conflicting requirements. The main trade-off is between ease of use and flexibility. In this paper, we present the design, implementation and evaluation of MAPbox, a confinement mechanism that retains the ease of use of application-class-specific sandboxes such as the Java applet sandbox and the Janus document viewer sandbox while providing significantly more flexibility. The key idea is to group application behaviors into classes based on their expected functionality and the resources required to achieve that functionality. Classifying application behavior provides a set of labels (e.g., compiler, reader, netclient) that can be used to concisely communicate the expected functionality of a program between its provider and its users. This is similar to MIME-types, which are widely used to concisely describe the expected format of data files. An end user lists, in a file, the set of application behaviors she is willing to allow. With each label, she associates a sandbox that limits access to the set of resources needed to achieve the corresponding behavior. When an untrusted application is to be run, this file is consulted. If the label (the MAP-type) associated with the application is not found in the file, the application is not allowed to run. Otherwise, the MAP-type is used to automatically locate and instantiate the appropriate sandbox. We believe this may be an acceptable level of user interaction, since a similar technique (MIME-types) has been fairly successful for handling documents of different formats. In this paper, we present a set of application behavior classes that we identified through a study of a diverse suite of applications, including CGI scripts, programs downloaded from well-known web repositories, and applications from the Solaris 5.6 distribution. We describe the implementation and usage of MAPbox. We evaluate MAPbox from two perspectives: its effectiveness (how well it confines a suite of untrusted applications) and its efficiency (what overhead it introduces). Finally, we describe our experience with MAPbox and discuss potential limitations of this approach.
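To make the dispatch step concrete, the following is an added example, not code from the MAPbox paper or its implementation. It models in Python the lookup the abstract describes: a constructed user policy file maps MAP-types to sandboxes, a program whose MAP-type is not listed is refused (default deny), and a listed MAP-type is turned into a concrete set of permitted resources. The policy file format, the per-label parameters (`srcdir`, `docdir`, `hosts`), the `Sandbox` fields and the `SANDBOX_TEMPLATES` vocabulary are all assumptions for illustration; a real MAPbox sandbox interposes on system calls, which this model does not attempt.

```python
"""Toy model of MAP-type policy lookup (constructed example, not MAPbox code).

Assumed policy file format, one entry per line:
    <map-type> <sandbox-name> [param=value ...]
"""
from dataclasses import dataclass

# Constructed user policy: the behavior classes this user is willing to run.
POLICY_FILE = """
# behavior-class   sandbox     parameters (assumed names)
compiler           cc-box      srcdir=/home/alice/src
reader             view-box    docdir=/home/alice/docs
netclient          net-box     hosts=www.example.com:80
"""

# Assumed sandbox templates keyed by MAP-type. "{name}" placeholders are
# filled from the parameters on the user's policy line, which is what makes
# a behavior class parameterized rather than one fixed resource set.
SANDBOX_TEMPLATES = {
    "compiler":  {"read_paths": ("{srcdir}", "/usr/include"),
                  "write_paths": ("{srcdir}",), "net_hosts": ()},
    "reader":    {"read_paths": ("{docdir}",),
                  "write_paths": (), "net_hosts": ()},
    "netclient": {"read_paths": ("/etc/resolv.conf",),
                  "write_paths": (), "net_hosts": ("{hosts}",)},
}


@dataclass(frozen=True)
class Sandbox:
    name: str
    read_paths: tuple
    write_paths: tuple
    net_hosts: tuple


class PolicyError(Exception):
    """Malformed or incomplete policy; callers treat this as a denial."""


def parse_policy(text):
    """Parse the policy file into {map_type: (sandbox_name, {param: value})}."""
    policy = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # strip comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise PolicyError(f"line {lineno}: need <map-type> <sandbox-name>")
        map_type, sandbox_name, *params = fields
        if map_type in policy:
            raise PolicyError(f"line {lineno}: duplicate entry for {map_type!r}")
        kv = {}
        for p in params:
            if "=" not in p:
                raise PolicyError(f"line {lineno}: bad parameter {p!r}")
            key, value = p.split("=", 1)
            kv[key] = value
        policy[map_type] = (sandbox_name, kv)
    return policy


def instantiate(map_type, policy):
    """Return the Sandbox for map_type, or None if the user did not list it."""
    entry = policy.get(map_type)
    if entry is None:
        return None
    sandbox_name, params = entry
    template = SANDBOX_TEMPLATES.get(map_type)
    if template is None:
        raise PolicyError(f"no sandbox template for MAP-type {map_type!r}")

    def fill(items):
        out = []
        for item in items:
            try:
                out.append(item.format(**params))
            except KeyError as exc:   # placeholder with no parameter given
                raise PolicyError(f"{map_type}: missing parameter {exc.args[0]}")
        return tuple(out)

    return Sandbox(sandbox_name, fill(template["read_paths"]),
                   fill(template["write_paths"]), fill(template["net_hosts"]))


def decide(map_type, policy_text=POLICY_FILE):
    """Gate an untrusted program by its MAP-type.

    Returns (verdict, sandbox, reason). Any policy error fails closed.
    """
    try:
        sandbox = instantiate(map_type, parse_policy(policy_text))
    except PolicyError as exc:
        return ("deny", None, f"policy error: {exc}")
    if sandbox is None:
        return ("deny", None, f"MAP-type {map_type!r} not listed in policy")
    return ("allow", sandbox, "")


if __name__ == "__main__":
    for label in ("reader", "netclient", "shell"):
        verdict, sandbox, reason = decide(label)
        print(label, verdict, sandbox or reason)
```

The two denial paths are deliberate: an unlisted MAP-type is refused, as the abstract states, and a malformed or incomplete policy line (for example a `compiler` entry with no `srcdir`) is also refused rather than producing a sandbox with an unresolved placeholder.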
