Abstract
We propose a sandbox system that dynamically changes its behavior according to the application's execution context. Our system lets users supply several policies, each specifying the permitted system calls, and selects among them according to the user function in which the target application is currently executing. The target application can therefore be given less privilege than is possible with single-policy sandbox systems. We implemented the sandbox as a Linux loadable kernel module (LKM) that intercepts the system calls issued by the application process, and we experimentally demonstrated its effectiveness.
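As an added illustration that is not the paper's own code, the following Python model shows why a policy keyed by the executing user function grants less than a single policy must: the function names, system calls and policy sets are assumptions made for the example, not the paper's policy format.

```python
# Added example (not the paper's code): a minimal model of a sandbox whose
# system-call policy depends on the user function the application is
# executing in, compared with a conventional single-policy sandbox.
# Function names, system calls and policies below are constructed for
# illustration; the paper's actual policy format is not shown here.

# Per-context policy: for each user function, the set of system calls it is
# permitted to issue. Constructed sample: a tiny file-viewer-like program.
CONTEXT_POLICY = {
    "load_file":   {"open", "read", "close"},
    "render":      {"write"},
    "save_config": {"open", "write", "close"},
}

# A single-policy sandbox must admit everything any function needs, so its
# policy is the union of all per-function sets.
SINGLE_POLICY = set().union(*CONTEXT_POLICY.values())

def allowed_in_context(stack, syscall):
    """Decide whether `syscall` is permitted given the user-function call stack
    (innermost function last). The innermost user function selects the policy;
    a function with no policy entry gets no system calls (deny by default)."""
    if not stack:
        return False
    return syscall in CONTEXT_POLICY.get(stack[-1], set())

def allowed_single(syscall):
    return syscall in SINGLE_POLICY

def extra_privilege(stack):
    """System calls the single-policy sandbox would allow in this context
    that the context-dependent policy denies (the privilege the paper removes)."""
    current = CONTEXT_POLICY.get(stack[-1], set()) if stack else set()
    return sorted(SINGLE_POLICY - current)

if __name__ == "__main__":
    # Constructed trace: (call stack, system call) pairs as an interceptor would see them.
    trace = [
        (["main", "load_file"], "open"),
        (["main", "render"], "write"),
        (["main", "render"], "open"),       # unexpected open() from render(): denied per-context only
        (["main", "save_config"], "write"),
    ]
    for stack, sc in trace:
        print(f"{stack[-1]:12} {sc:6} context={allowed_in_context(stack, sc)} single={allowed_single(sc)}")
```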
Copyright information
© 2007 Springer-Verlag Berlin Heidelberg
Shioya, T., Oyama, Y., Iwasaki, H. (2007). A Sandbox with a Dynamic Policy Based on Execution Contexts of Applications. In: Cervesato, I. (ed.) Advances in Computer Science – ASIAN 2007. Computer and Network Security. ASIAN 2007. Lecture Notes in Computer Science, vol 4846. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-76929-3_28
DOI: https://doi.org/10.1007/978-3-540-76929-3_28
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-76927-9
Online ISBN: 978-3-540-76929-3