Isolated Program Execution: An Application Transparent Approach for Executing Untrusted Programs

In this paper, we present a new approach for safe execution of untrusted programs. This approach is based on isolating the effects of untrusted program execution from the rest of the system. Isolation is achieved by intercepting and redirecting file modification operations made by the untrusted process so that they access a “modification cache” invisible to other processes in the system. To ensure a consistent view of system state, the results of file read operations made by the untrusted process are modified to incorporate the contents of the modification cache. Any operation with a potential to modify a non-file resource is disallowed for untrusted processes. On termination of an untrusted process, the user is presented with a concise summary of the files modified by it. Additionally, the user can inspect these files to determine if the modifications are acceptable. The user then has the option to commit these modifications, or simply discard them. Essentially, our approach provides “play” and “rewind” buttons for running untrusted software. Key benefits of our approach are that it requires no changes to the untrusted programs (to be isolated) or the underlying operating system; it cannot be subverted by malicious programs; and it achieves these benefits with acceptable runtime overheads. We describe a prototype implementation of this system for Linux called Alcatraz and discuss its performance and effectiveness.