MAPbox: Using Parameterized Behavior Classes to Confine Applications

  • Authors: A. Acharya; M. Raje

  • Venue: MAPbox: Using Parameterized Behavior Classes to Confine Applications
  • Year: 1999

Quantified Score

Hi-index 0.01

Abstract

Designing a suitable mechanism to confine commonly used applications is challenging as such a mechanism needs to satisfy conflicting requirements. The trade-off is between configurability and ease of use. In this paper, we present the design, implementation and evaluation of MAPbox, a general-purpose confinement mechanism that retains the ease of use of specialized sandboxes such as Janus and SBOX while providing significantly more configurability. The key idea is to group application behaviors into classes based on the expected functionality and the resources required to achieve that functionality. Classification of behaviors provides a set of behavior labels (class names) that can be used to concisely communicate the expected functionality of programs between the provider and the users. This is similar to the MIME-types used to concisely describe the expected format of data files. Classification of application behaviors also allows class-specific sandboxes to be built and instantiated for each behavior class. We present a study of the behavior and resource requirements of a set of commonly used applications and use the results of this study to define a set of application behavior classes. We also evaluate how effective this technique is in confining a variety of commonly used applications and how much overhead it introduces.