Abstract
The systrace system-call interposition mechanism has become a popular method for containing untrusted code through program-specific policies enforced by user-level daemons. We describe our extensions to systrace that allow sandboxed processes to further limit their child processes by issuing dynamically constructed policies. We discuss our extensions to the systrace daemon and the OpenBSD kernel, as well as a simple API for constructing policies. We present two separate implementations of our scheme and compare their performance with the base systrace system. We show how our extensions can be used by processes such as ftpd, sendmail, and sshd.
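The abstract's central idea is that a sandboxed parent hands each child a policy that is built at run time and can only be narrower than the parent's own. The following is an added example, not code from the paper, from OpenBSD or from systrace itself: it mirrors that idea in user space by rendering a child policy in systrace's policy-file syntax (the `Policy:` header and `native-<syscall>: <predicate> then <action>` rules of systrace(1)) and refusing to emit it unless every right it grants is covered by the parent's policy. The `Policy` class, its field names, the `BASELINE` call list, `narrows()`, the `/usr/libexec/ftpd-session` helper path and the sample paths are this example's own assumptions; the paper's real enforcement of the narrowing property lives in the kernel and daemon extensions, which this example does not reproduce.

```python
"""Build and check a systrace policy for a child process.

Added example, not code from the Kurchuk/Keromytis paper, from OpenBSD or
from systrace. Only the policy text syntax follows systrace(1); the Policy
class, BASELINE, narrows() and all sample paths are this example's own
assumptions.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

# Calls a dynamically linked program needs just to start and exit.  This
# list is an illustrative assumption, not taken from any shipped policy.
BASELINE = ("__sysctl", "break", "close", "exit", "fstat", "getpid",
            "issetugid", "mmap", "mprotect", "munmap", "read", "write")


@dataclass
class Policy:
    binary: str                                  # program the policy covers
    fsread: list = field(default_factory=list)   # readable path globs
    fswrite: list = field(default_factory=list)  # writable path globs
    connect: list = field(default_factory=list)  # sockaddr globs, e.g. "inet-*:25"
    execve: list = field(default_factory=list)   # exact paths the child may exec

    def render(self) -> str:
        """Emit systrace policy text: explicit permits, then explicit denies."""
        lines = [f"Policy: {self.binary}, Emulation: native"]
        lines += [f"\tnative-{sc}: permit" for sc in BASELINE]
        lines += [f'\tnative-fsread: filename match "{p}" then permit' for p in self.fsread]
        lines += [f'\tnative-fswrite: filename match "{p}" then permit' for p in self.fswrite]
        lines += [f'\tnative-connect: sockaddr match "{a}" then permit' for a in self.connect]
        lines += [f'\tnative-execve: filename eq "{p}" then permit' for p in self.execve]
        # `systrace -a` already denies anything no rule covers; spelling the
        # fallback out keeps the deny visible in the file and fixes the errno.
        lines += ["\tnative-fsread: deny[enoent]", "\tnative-fswrite: deny[eperm]",
                  "\tnative-connect: deny[eperm]", "\tnative-execve: deny[eperm]"]
        return "\n".join(lines) + "\n"


def _has_glob(s: str) -> bool:
    return any(c in s for c in "*?[")


def _covered(want: str, granted: list) -> bool:
    """True if the child's pattern `want` cannot grant more than a parent pattern.

    Simplification: a parent pattern ending in "*" is read as "anything under
    this literal prefix"; a child pattern containing wildcards is accepted
    only when it is identical to, or stays under the prefix of, such a
    parent pattern.  A literal child path is accepted if any parent glob
    matches it.  Anything else is rejected (conservative).
    """
    for g in granted:
        if want == g:
            return True
        if g.endswith("*") and not _has_glob(g[:-1]) and want.startswith(g[:-1]):
            return True
        if not _has_glob(want) and fnmatchcase(want, g):
            return True
    return False


def narrows(parent: Policy, child: Policy) -> bool:
    """Every right the child asks for must lie within the parent's own policy."""
    return all(_covered(w, getattr(parent, fld))
               for fld in ("fsread", "fswrite", "connect", "execve")
               for w in getattr(child, fld))


def child_policy(parent: Policy, child: Policy) -> str:
    """Render the child's policy, refusing anything the parent itself may not do."""
    if not narrows(parent, child):
        raise PermissionError("child policy would exceed the parent's sandbox")
    return child.render()


# Constructed sample: an ftpd-like parent confined to its anonymous tree
# spawns a per-session helper (hypothetical path) limited to one user's subtree.
PARENT = Policy("/usr/libexec/ftpd",
                fsread=["/var/ftp/*", "/etc/ftpusers"],
                fswrite=["/var/ftp/incoming/*"],
                connect=["inet-*:20"],
                execve=["/usr/libexec/ftpd-session"])
SESSION = Policy("/usr/libexec/ftpd-session",
                 fsread=["/var/ftp/pub/*"],
                 fswrite=["/var/ftp/incoming/alice/*"])
ROGUE = Policy("/usr/libexec/ftpd-session", fsread=["/etc/*"])

if __name__ == "__main__":
    print(child_policy(PARENT, SESSION))   # SESSION narrows PARENT
    try:
        child_policy(PARENT, ROGUE)        # asks for /etc/*, outside the parent
    except PermissionError as exc:
        print("refused:", exc)
```

The rendered text can be written to a file and used with `systrace -a -f <file> <command>` on a system that still ships systrace; the containment check is the part that matters, since without it a compromised parent could "delegate" rights it never had. Note that this user-space check is only as trustworthy as the process running it; the paper's contribution is precisely to move that guarantee into the systrace daemon and kernel.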
© 2004 IFIP International Federation for Information Processing
Cite this paper
Kurchuk, A., Keromytis, A.D. (2004). Recursive Sandboxes: Extending Systrace to Empower Applications. In: Deswarte, Y., Cuppens, F., Jajodia, S., Wang, L. (eds) Security and Protection in Information Processing Systems. SEC 2004. IFIP — The International Federation for Information Processing, vol 147. Springer, Boston, MA. https://doi.org/10.1007/1-4020-8143-X_31
DOI: https://doi.org/10.1007/1-4020-8143-X_31
Publisher Name: Springer, Boston, MA
Print ISBN: 978-1-4757-8016-1
Online ISBN: 978-1-4020-8143-9