Behavior-based Confinement of Untrusted Applications

  • Authors:
  • Mandar Raje

  • Affiliations:
  • -

  • Venue:
  • Behavior-based Confinement of Untrusted Applications
  • Year:
  • 1999

Abstract

In my thesis, I propose a class-specific sandboxing mechanism to confine untrusted applications. The key idea is to identify different application classes such as editor, browser, mail client, shell, filter, server, etc., and to confine applications belonging to each class in a sandbox that is tailored to the expected behavior and requirements of the class. For example, the sandbox for a MIME-mail client could be restricted to allow it to spawn only the set of helper applications explicitly listed in the mailcap file; the sandbox for an editor could be restricted to disallow network access and process creation. Such a mechanism retains the ease of use of sandboxes while significantly increasing their flexibility. End users do not need to maintain complex access control lists or interact frequently with the security subsystem; nor do they need to depend solely on a digital signature. They can configure their systems by specifying the set of classes they would like to allow. To evaluate the feasibility of my proposal, I have: (1) defined a set of application classes and populated them based on a study of system-call traces of commonly used applications; (2) implemented an infrastructure that uses the /proc interface to confine native binaries; (3) developed configuration files for the different application classes that I have encountered; (4) integrated this infrastructure with an X proxy that confines untrusted X applications to the windows and other X resources that they create (and a small number of global attributes); (5) evaluated the overhead introduced by this mechanism.
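The following is an added illustration of the class-specific policy idea described above; it is not code from the thesis, and the policy table, the operation categories and the mailcap fragment are all constructed here. It checks a recorded sequence of operations against the policy of the class the application belongs to, and for the mail-client class derives the permitted helper programs from a mailcap file.

```python
# Added example: toy class-specific sandbox policy check (assumed format, not the thesis's).
# Each application class lists the operation categories it may perform; the
# mail-client class may exec only helpers named in the mailcap file.
CLASS_POLICY = {
    "editor": {"file_read", "file_write"},                 # no network, no exec
    "browser": {"file_read", "network"},
    "mail_client": {"file_read", "file_write", "network", "exec"},
}

# Constructed mailcap fragment: "type; command [; flags...]"; the first word
# of the command field is the helper program the client is allowed to spawn.
MAILCAP = """\
# comment lines are ignored
image/gif; xv %s
application/pdf; xpdf %s; test=test -n "$DISPLAY"
text/html; lynx -dump %s; copiousoutput
"""


def mailcap_helpers(text):
    """Return the set of helper program names listed in a mailcap text."""
    helpers = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(";")
        if len(fields) < 2:
            continue
        cmd = fields[1].strip().split()
        if cmd:
            helpers.add(cmd[0])
    return helpers


def check_trace(app_class, trace, helpers=frozenset()):
    """Return the (category, target) operations the class policy rejects.

    trace is a list of (category, target) tuples such as ("exec", "/bin/sh");
    helpers is the mailcap-derived exec allow-list used for mail_client."""
    allowed = CLASS_POLICY[app_class]
    violations = []
    for category, target in trace:
        if category not in allowed:
            violations.append((category, target))
        elif app_class == "mail_client" and category == "exec":
            if target.rsplit("/", 1)[-1] not in helpers:   # compare basename
                violations.append((category, target))
    return violations


if __name__ == "__main__":
    h = mailcap_helpers(MAILCAP)
    print(check_trace("editor", [("file_read", "/tmp/a"), ("network", "smtp:25")]))
    print(check_trace("mail_client", [("exec", "/usr/bin/xv"), ("exec", "/bin/sh")], h))
```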