Assuring the safety of opening email attachments

A wrapper has been developed that monitors the runtime behavior of opened email attachments to ensure that these processes do not do anything harmful. The wrapper detects violations of process-specific rules establishing the acceptable (and safe) behavior of these processes relative to four resources: the file system, the system registry, inter-host communication, and process spawning. The wrapper can determine whether an operation is being performed by the native application or by active content within the email attachment and applies a different (and presumably more stringent) set of rules to the latter. When attempted violations are detected, the user is notified and informed of the severity of the violation. The user determines whether to allow or prohibit the offending operation. The violation, the user's response, and the initiating email and attachment (obtained from the email client) are logged.
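The mediation loop described above, sketched as an added example (not the paper's code). The rule syntax, paths, severity labels and the `origin` argument, which stands in for the wrapper's native-versus-active-content determination, are all assumptions made for illustration.

```python
import fnmatch
from dataclasses import dataclass, field
from typing import Callable

# Assumed rule format: per origin, the (resource, glob) pairs it may touch.
# The four resource names mirror the ones the abstract lists.
ALLOWED = {
    "native": [("file", "C:/Users/*/Documents/*"), ("file", "C:/Temp/*"),
               ("registry", "HKCU/Software/Viewer/*"), ("network", "*:443")],
    "active_content": [("file", "C:/Temp/attach-*")],  # more stringent set
}
# Assumed severity table for violations; first match wins, default "low".
SEVERITY = [("spawn", "*", "high"), ("registry", "HKLM/*", "high"),
            ("file", "C:/Windows/*", "high"), ("network", "*", "medium")]

@dataclass
class Wrapper:
    ask_user: Callable[[dict], bool]   # shown the violation, returns True to allow
    attachment: str                    # initiating email/attachment label
    log: list = field(default_factory=list)

    def mediate(self, origin: str, resource: str, target: str) -> bool:
        """Return True if the intercepted operation may proceed."""
        # Unknown origins get an empty allow-list, so they always prompt.
        if any(r == resource and fnmatch.fnmatchcase(target, g)
               for r, g in ALLOWED.get(origin, [])):
            return True                # acceptable behavior: no prompt, no log
        severity = next((s for r, g, s in SEVERITY
                         if r == resource and fnmatch.fnmatchcase(target, g)),
                        "low")
        violation = {"attachment": self.attachment, "origin": origin,
                     "resource": resource, "target": target,
                     "severity": severity}
        allowed = bool(self.ask_user(violation))   # the user decides
        self.log.append({**violation, "user_allowed": allowed})
        return allowed

def demo():
    # Constructed sample: a user who refuses only high-severity violations.
    w = Wrapper(ask_user=lambda v: v["severity"] != "high",
                attachment="invoice.doc (constructed)")
    events = [("native", "file", "C:/Users/alice/Documents/invoice.doc"),
              ("active_content", "file", "C:/Users/alice/Documents/invoice.doc"),
              ("active_content", "spawn", "cmd.exe"),
              ("active_content", "file", "C:/Temp/attach-1.tmp")]
    return [w.mediate(*e) for e in events], w.log

if __name__ == "__main__":
    print(demo())
```

The same file operation passes silently for the native application but raises a violation when attributed to active content, which is the split in rule sets the abstract describes.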
