A Sandbox with a Dynamic Policy Based on Execution Contexts of Applications

  • Tomohiro Shioya
  • Yoshihiro Oyama
  • Hideya Iwasaki
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4846)


We propose a sandbox system that dynamically changes its behavior according to the application’s execution context. Our system allows users to give different policies, each of which specifies the permitted system calls, depending on the user function in which the target application is currently executing. The target application can therefore be given less privilege than is possible with single-policy sandbox systems. We implemented the sandbox as a Linux LKM (Loadable Kernel Module) that intercepts the system calls issued by the application process. We experimentally demonstrated the effectiveness of the sandbox.
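The following is an added illustrative model of the policy decision the abstract describes, not the authors' kernel module or their policy language. It assumes a sandbox that already knows the user-level call stack of the process at the moment of each system call (the paper's LKM obtains this in the kernel; here the stack is simply passed in) and that each user function may carry its own set of permitted system calls. The function names, policies and the trace of system-call events are constructed for the example; the comparison against a single-policy sandbox shows why a per-context policy grants less privilege.

```python
"""Context-dependent system-call policy: a simulation of the idea in the abstract.

A single-policy sandbox must grant the union of everything the program ever needs,
so a rarely-used privilege (e.g. execve) stays available to every code path.
A context-dependent policy grants each user function only what that function needs.
"""

# Constructed per-function policies (illustrative, not from the paper).
# Key: user function of the sandboxed program; value: system calls it may issue.
CONTEXT_POLICIES = {
    "main":         {"read", "write", "exit_group"},
    "load_config":  {"open", "read", "close"},
    "spawn_helper": {"fork", "execve", "wait4"},
    "parse_input":  {"read"},
}

# Policy used when no user function on the stack has a policy of its own (assumption).
DEFAULT_POLICY = {"exit_group"}


def active_policy(call_stack):
    """Pick the policy of the innermost user function on the stack that has one.

    call_stack is ordered outermost -> innermost, e.g. ["main", "parse_input"].
    Frames without a policy (library helpers) are skipped, so a library function
    called from parse_input still runs under parse_input's policy.
    """
    for fn in reversed(call_stack):
        if fn in CONTEXT_POLICIES:
            return fn, CONTEXT_POLICIES[fn]
    return None, DEFAULT_POLICY


def check_syscall(call_stack, syscall):
    """Dynamic-policy verdict: True if the syscall is permitted in this context."""
    _, allowed = active_policy(call_stack)
    return syscall in allowed


def single_policy():
    """What a conventional single-policy sandbox would have to allow for the same
    program: the union of every context's needs."""
    union = set(DEFAULT_POLICY)
    for allowed in CONTEXT_POLICIES.values():
        union |= allowed
    return union


def audit(trace):
    """Run both policies over a trace of (call_stack, syscall) events.

    Returns the events that the single policy permits but the dynamic policy
    denies: the privilege reduction gained by tracking execution context.
    """
    static_allowed = single_policy()
    reduced = []
    for call_stack, syscall in trace:
        static_ok = syscall in static_allowed
        dynamic_ok = check_syscall(call_stack, syscall)
        if static_ok and not dynamic_ok:
            reduced.append((tuple(call_stack), syscall))
    return reduced


# Constructed trace of system-call events with the user call stack at each point.
# The last two events model a code path in parse_input (which only ever reads)
# attempting to fork and execute a program: legitimate in spawn_helper, not here.
SAMPLE_TRACE = [
    (["main"], "write"),
    (["main", "load_config"], "open"),
    (["main", "load_config", "libc_fread"], "read"),   # library frame, inherits policy
    (["main", "spawn_helper"], "fork"),
    (["main", "spawn_helper"], "execve"),
    (["main", "parse_input"], "read"),
    (["main", "parse_input"], "fork"),
    (["main", "parse_input"], "execve"),
]

if __name__ == "__main__":
    for stack, sc in SAMPLE_TRACE:
        ctx, _ = active_policy(stack)
        print(f"{'/'.join(stack):40s} {sc:10s} context={ctx} "
              f"dynamic={'allow' if check_syscall(stack, sc) else 'DENY'} "
              f"single={'allow' if sc in single_policy() else 'DENY'}")
    print("blocked only by the dynamic policy:", audit(SAMPLE_TRACE))
```

The point of `audit` is the comparison: both sandboxes deny nothing the program legitimately needs, but only the context-dependent policy refuses `fork`/`execve` when they are issued from `parse_input`, because that function's policy never included them. Note that the model trusts the call stack it is handed; the abstract's design relies on the kernel module, not the application, establishing which user function is executing.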







Copyright information

© Springer-Verlag Berlin Heidelberg 2007

Authors and Affiliations

  • Tomohiro Shioya (1)
  • Yoshihiro Oyama (1)
  • Hideya Iwasaki (1)

  1. The University of Electro-Communications
