The popularity of mobile and networked applications has increased the demand for execution "sandboxes": environments that impose irrevocable restrictions on resource usage. Existing approaches rely on kernel modification to enforce quantitative restrictions (for example, limiting an application's CPU utilization to 25%). The general applicability of such approaches is constrained by the difficulty of modifying shrink-wrapped operating systems such as Windows NT. This paper presents a user-level sandboxing approach for enforcing quantitative restrictions on the resource usage of applications. The approach actively monitors an application's interactions with the underlying system and proactively controls them to enforce the desired behavior. It relies only on a core set of user-level mechanisms available in most modern operating systems: fine-grained timers, monitoring infrastructure, debugger processes, priority-based scheduling, and page-based memory protection. We describe the implementation of a sandbox on Windows NT that imposes quantitative restrictions on CPU, memory, and network usage. Our results show that an application's usage of system resources can be held to within 3% of the desired limits with minimal run-time overhead.
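The following is an added example, not code from the paper: a minimal user-level CPU sandbox built from the same ingredients the abstract lists (a fine-grained timer, a monitor that samples the target's consumed CPU time, and proactive stop/continue control of the target). It assumes Linux rather than Windows NT: CPU time is read from `/proc/<pid>/stat` and the target's process group is paused and resumed with `SIGSTOP`/`SIGCONT` in place of the paper's debugger-process mechanism. The quota decision logic (`CpuQuotaController`) is kept free of OS calls so it can be checked deterministically with `simulate`; all names are this example's own.

```python
import os
import signal
import subprocess
import sys
import time

# Kernel clock ticks per second; /proc/<pid>/stat reports CPU time in these units.
CLK_TCK = os.sysconf("SC_CLK_TCK")


class CpuQuotaController:
    """Pure decision logic for a CPU quota.

    Each sampling interval grants `quota` CPU-seconds per wall-clock second and
    debits what the target actually consumed. The target may run while its
    credit is positive. Credit is capped at `burst` seconds so an idle phase
    cannot bank an unbounded burst for later.
    """

    def __init__(self, quota, burst=0.05):
        if not 0.0 < quota <= 1.0:
            raise ValueError("quota must be a fraction of one CPU in (0, 1]")
        self.quota = quota
        self.burst = burst
        self.credit = burst          # start with a full bucket so the target can begin

    def update(self, cpu_used, wall_elapsed):
        """Called once per interval; returns True if the target should run next."""
        self.credit += self.quota * wall_elapsed
        self.credit -= cpu_used
        self.credit = min(self.credit, self.burst)
        return self.credit > 0.0


def simulate(quota, ticks=1000, dt=0.01):
    """Deterministic model of a CPU-bound target under the controller.

    When allowed to run it burns a full interval of CPU. Returns the achieved
    CPU share, which should land close to `quota`.
    """
    ctl = CpuQuotaController(quota, burst=dt * 5)
    running, used = True, 0.0
    for _ in range(ticks):
        consumed = dt if running else 0.0
        used += consumed
        running = ctl.update(consumed, dt)
    return used / (ticks * dt)


def cpu_seconds(pid):
    """utime + stime of a live process, in seconds, from /proc (Linux-only)."""
    with open(f"/proc/{pid}/stat") as f:
        # Split after the ")" that closes the comm field; utime/stime are
        # overall fields 14 and 15, i.e. indices 11 and 12 of the remainder.
        after_comm = f.read().rsplit(")", 1)[1].split()
    return (int(after_comm[11]) + int(after_comm[12])) / CLK_TCK


def run_sandboxed(argv, quota, period=0.02):
    """Spawn argv in its own process group and hold its CPU share near `quota`.

    The whole group is stopped/continued so children spawned by the target are
    covered too. Returns (exit_code, cpu_used_seconds, wall_seconds).
    """
    proc = subprocess.Popen(argv, start_new_session=True)
    ctl = CpuQuotaController(quota, burst=period * 5)
    stopped = False
    start = last_wall = time.monotonic()
    last_cpu = 0.0
    while proc.poll() is None:
        time.sleep(period)                 # the fine-grained timer tick
        now = time.monotonic()
        try:
            cpu = cpu_seconds(proc.pid)
            allow = ctl.update(cpu - last_cpu, now - last_wall)
            last_cpu, last_wall = cpu, now
            if allow and stopped:
                os.killpg(proc.pid, signal.SIGCONT)
                stopped = False
            elif not allow and not stopped:
                os.killpg(proc.pid, signal.SIGSTOP)
                stopped = True
        except (FileNotFoundError, ProcessLookupError):
            break                          # target exited between poll() and sample
    return proc.wait(), last_cpu, time.monotonic() - start


if __name__ == "__main__":
    # Constructed CPU-bound target: a fixed amount of work, so wall time stretches
    # as the quota shrinks while consumed CPU time stays the same.
    target = [sys.executable, "-c", "i = 0\nwhile i < 20_000_000: i += 1"]
    code, cpu, wall = run_sandboxed(target, quota=0.25)
    print(f"exit={code} cpu={cpu:.2f}s wall={wall:.2f}s share={cpu / wall:.2f}")
```

The controller is a simple credit scheme: the share it achieves differs from the quota by at most (initial credit + one interval of overrun) divided by the run length, which is why a short sampling period matters more than a clever policy. Two caveats a deployment would have to address: `SIGSTOP` is not irrevocable for a target that can `SIGCONT` itself from a cooperating process outside the group, and sampling from `/proc` counts only CPU time charged to the target, not kernel work done on its behalf elsewhere.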