A Flexible Containment Mechanism for Executing Untrusted Code
نویسندگان
چکیده
A widely used technique for securing computer systems is to execute programs inside protection domains that enforce established security policies. These containers, often referred to as sandboxes, come in a variety of forms. Although current sandboxing techniques have individual strengths, they also have limitations that reduce the scope of their applicability. In this paper, we give a detailed analysis of the options available to designers of sandboxing mechanisms. As we discuss the tradeoffs of various design choices, we present a sandboxing facility that combines the strengths of a wide variety of design alternatives. Our design provides a set of simple yet powerful primitives that serve as a flexible, general-purpose framework for confining untrusted programs. As we present our work, we compare and contrast it with the work of others and give preliminary results.
منابع مشابه
Efficient, Verifiable Binary Sandboxing for a CISC Architecture
Executing untrusted code while preserving security requires enforcement of memory and control-flow safety policies: untrusted code must be prevented from modifying memory or executing code except as explicitly allowed. Software-based fault isolation (SFI) or “sandboxing” enforces those policies by rewriting the untrusted code at the level of individual instructions. However, the original sandbo...
متن کاملSecurity in Untrusted Code Environments: Missing Pieces of the Puzzle
Security enforcement mechanisms for controlling the execution of untrusted component code have evolved away from the strict sandbox confinement toward more flexible code access security. Although the added flexibility has enabled richer functionality and support for more fine-grained policies, component-based security architectures such as Java and .NET still fail to provide several essential f...
متن کاملEvaluating SFI for a CISC Architecture
Executing untrusted code while preserving security requires that the code be prevented from modifying memory or executing instructions except as explicitly allowed. Software-based fault isolation (SFI) or “sandboxing” enforces such a policy by rewriting the untrusted code at the instruction level. However, the original sandboxing technique of Wahbe et al. is applicable only to RISC architecture...
متن کاملExtending Tamper-Proof Hardware Security to Untrusted Execution Environments
This paper addresses mobile code protection with respect to potential integrity and confidentiality violations originating from the untrusted runtime environment where the code execution takes place. Both security properties are defined in a framework where code is modeled using Boolean circuits. Two protection schemes are presented. The first scheme addresses the protection of a function that ...
متن کاملA Library for Removing Cache-Based Attacks in Concurrent Information Flow Systems
Information-flow control (IFC) is a security mechanism conceived to allow untrusted code to manipulate sensitive data without compromising confidentiality. Unfortunately, untrusted code might exploit some covert channels in order to reveal information. In this paper, we focus on the LIO concurrent IFC system. By leveraging the effects of hardware caches (e.g., the CPU cache), LIO is susceptible...
متن کاملذخیره در منابع من
با ذخیره ی این منبع در منابع من، دسترسی به آن را برای استفاده های بعدی آسان تر کنید
عنوان ژورنال:
دوره شماره
صفحات -
تاریخ انتشار 2002