USENIX Association Proceedings of the 9 th USENIX Security Symposium

Designing a suitable con nement mechanism to conne untrusted applications is challenging as such a mechanism needs to satisfy con icting requirements. The main trade-o is between ease of use and exibility. In this paper, we present the design, implementation and evaluation of MAPbox, a con nement mechanism that retains the ease of use of application-class-speci c sandboxes such as the Java applet sandbox and the Janus document viewer sandbox while providing signi cantly more exibility. The key idea is to group application behaviors into classes based on their expected functionality and the resources required to achieve that functionality. Classi cation of application behavior provides a set of labels (e.g., compiler, reader, netclient) that can be used to concisely communicate the expected functionality of programs between the provider and the users. This is similar toMIMEtypes which are widely used to concisely describe the expected format of data les. An end-user lists the set of application behaviors she is willing to allow in a le. With each label, she associates a sandbox that limits access to the set of resources needed to achieve the corresponding behavior. When an untrusted application is to be run, this le is consulted. If the label (or the MAP-type) associated with the application is not found in this le, it is not allowed to run. Else, the MAP-type is used to automatically locate and instantiate the appropriate sandbox. We believe that this may be an acceptable level of user interaction since a similar technique (i.e., MIME-types) has been fairly successful for handling documents with di erent formats. In this paper, we present a set of application behavior classes that we have identi ed based on a study of a diverse suite of applications that includes CGI scripts, programs downloaded from well-known web repositories and applications from the Solaris 5.6 distribution. We describe the implementation and usage of MAPbox. We evaluate MAPbox from two di erent perspectives: its e ectiveness (how well it is able to con ne a suite of untrusted applications) and e ciency (what is the overhead introduced). Finally, we describe our experience with MAPbox and discuss potential limitations of this approach.