Sandboxing is one of the most promising technologies for safely executing potentially malicious applications, and it is becoming an indispensable function of modern computer systems. Nevertheless, traditional operating systems provide no special support for sandboxing: a sandbox system is either built at the user level or encoded directly in the kernel. User-level implementations rely on the operating system's debugger support, and the resulting systems are unacceptably slow. Kernel-level implementations oblige users to use one specific sandbox system, yet users should be able to choose a sandbox system appropriate to the target application, because sandbox systems are usually designed for specific classes of applications. This paper presents a generic framework on top of which various sandbox systems can be implemented easily and efficiently. The framework has three advantages. First, users can select the appropriate sandbox system for each target application. Second, the resulting sandbox systems are efficient, with performance comparable to that of kernel-implemented sandbox systems. Finally, a wide range of sandbox systems can be implemented at the user level, which facilitates the introduction of new sandboxing systems there. The framework is based on the mechanism of fine-grained protection domains previously proposed by the authors.