Sandboxing Applications
Abstract
Users frequently have to choose between functionality and security. When running popular Web browsers or email clients, they frequently find themselves turning off features such as JavaScript, only to switch them back on in order to view a certain site or read a particular message. Users of Unix (or similar) systems can construct a sandbox where such programs execute in a restricted environment. Creating such a sandbox is not trivial; one has to determine what files or services to place within the sandbox to facilitate the execution of the application. In this paper we describe a portable system that tracks the file requests made by applications creating an access log. The same system can then use the access log as a template to regulate file access requests made by sandboxed applications. We present an example of how this system was used to place Netscape Navigator in a sandbox.
Similar resources
An invariant framework for conducting reproducible computational science
Computational reproducibility depends on the ability to not only isolate necessary and sufficient computational artifacts but also to preserve those artifacts for later re-execution. Both isolation and preservation present challenges in large part due to the complexity of existing software and systems as well as the implicit dependencies, resource distribution, and shifting compatibility of sys...
Application Specific Sandboxing for Win32/Intel Binaries
Comparing the system call sequence of a network application against a sandboxing policy is a popular approach to detecting control-hijacking attacks, in which the attacker exploits such software vulnerabilities as buffer overflow to take over the control of a victim application and possibly the underlying machine. The long-standing technical barrier to the acceptance of this system call monitori...
Automatic Application-Specific Sandboxing for Win32/X86 Binaries
Comparing the system call sequence of a network application against a sandboxing policy is a popular approach to detecting control-hijacking attacks, in which the attacker exploits such software vulnerabilities as buffer overflow to grab the control of a victim application and possibly the underlying machine. The main barrier to the acceptance of this system call monitoring approach is the avail...
Flexible and Efficient Sandboxing Based on Fine-Grained Protection Domains
Sandboxing is one of the most promising technologies for safely executing potentially malicious applications, and it is becoming an indispensable functionality of modern computer systems. Nevertheless, traditional operating systems provide no special support for sandboxing; a sandbox system is either built in the user level, or directly encoded in the kernel level. In the user-level implementat...
System M: A Program Logic for Code Sandboxing and Identification
Security-sensitive applications that execute untrusted code often check the code’s integrity by comparing its syntax to a known good value or sandbox the code to contain its effects. System M is a new program logic for reasoning about such security-sensitive applications. System M extends Hoare Type Theory (HTT) to tr...
User-Level Sandboxing: a Safe and Efficient Mechanism for Extensibility
Extensible systems allow services to be configured and deployed for the specific needs of individual applications. This paper describes a safe and efficient method for user-level extensibility that requires only minimal changes to the kernel. A sandboxing technique is described that supports multiple logical protection domains within the same address space at user-level. This approach allows app...
Publication date: 2001