Abstract
In this paper, we present a new approach called Secure Virtual Execution Environment (SVEE), which enables users to "try out" untrusted software without the fear of damaging the system in any manner. A key feature of SVEE is that it implements OS-level isolation by executing untrusted code in a hosted virtual machine. Another key feature is that SVEE faithfully reproduces the behavior of applications, as if they were running natively on the underlying host OS. SVEE also provides a convenient way to compare the changes made within SVEE against the state of the host OS. Referring to these comparison results, users can decide whether or not to commit these changes. With these characteristics, SVEE supports a wide range of tasks, including the study of malicious code and the controlled execution of untrusted software. This paper focuses on the execution model of SVEE and the security evaluation of this model.
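The isolate-then-compare-then-commit workflow the abstract describes can be illustrated with a small copy-on-write overlay. The following is an added example written for this page, not SVEE's own code: the in-memory "filesystem", the `Overlay` class, the `PROTECTED_PREFIXES` policy and the `run_session` scenario are all assumptions made for illustration. Reads fall through to the host view, every write or delete is captured in the overlay, `diff()` produces the comparison the user would review, and `commit()` applies only the changes the policy accepts while rejecting the rest.

```python
# Added example: a copy-on-write overlay that isolates an untrusted program's
# file changes from the host view, reports the differences, and commits only
# what a policy allows. Illustration code, not SVEE's implementation; the
# in-memory filesystem and the protected-path policy are assumptions.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Paths the host view refuses to accept from an untrusted session (assumed policy).
PROTECTED_PREFIXES = ("/etc/", "/boot/", "/usr/bin/")


@dataclass
class Overlay:
    """Reads fall through to the host view; writes and deletes stay in the overlay."""
    host: Dict[str, bytes]
    upper: Dict[str, bytes] = field(default_factory=dict)
    whiteouts: Set[str] = field(default_factory=set)   # deletions of host files

    def read(self, path: str) -> Optional[bytes]:
        if path in self.whiteouts:
            return None
        if path in self.upper:
            return self.upper[path]
        return self.host.get(path)

    def write(self, path: str, data: bytes) -> None:
        self.whiteouts.discard(path)        # a rewrite cancels an earlier delete
        self.upper[path] = data

    def delete(self, path: str) -> None:
        self.upper.pop(path, None)
        if path in self.host:               # only host files need a whiteout
            self.whiteouts.add(path)

    def diff(self) -> Dict[str, str]:
        """Compare the isolated view with the host view: path -> added/modified/deleted."""
        changes: Dict[str, str] = {}
        for path, data in self.upper.items():
            if path not in self.host:
                changes[path] = "added"
            elif self.host[path] != data:
                changes[path] = "modified"
        for path in self.whiteouts:
            changes[path] = "deleted"
        return changes

    def commit(self) -> Tuple[List[str], List[str]]:
        """Apply policy-accepted changes to the host view; return (accepted, rejected)."""
        accepted: List[str] = []
        rejected: List[str] = []
        for path, kind in sorted(self.diff().items()):
            if path.startswith(PROTECTED_PREFIXES):
                rejected.append(path)
                continue
            if kind == "deleted":
                self.host.pop(path, None)
            else:
                self.host[path] = self.upper[path]
            accepted.append(path)
        self.discard()                      # overlay is drained either way
        return accepted, rejected

    def discard(self) -> None:
        """Throw away everything the untrusted session did."""
        self.upper.clear()
        self.whiteouts.clear()


def run_session() -> Tuple[Dict[str, bytes], Dict[str, str], List[str], List[str]]:
    """Constructed scenario: an untrusted installer runs inside the overlay."""
    host = {
        "/etc/passwd": b"root:x:0:0::/root:/bin/sh\n",
        "/home/user/notes.txt": b"hello\n",
        "/tmp/old.log": b"stale\n",
    }
    env = Overlay(host)
    # Actions of the untrusted program; none of them touch `host` directly.
    env.write("/home/user/.config/app.ini", b"[app]\nenabled=1\n")
    env.write("/etc/passwd", env.read("/etc/passwd") + b"newuser:x:0:0::/:/bin/sh\n")
    env.delete("/tmp/old.log")
    env.write("/home/user/notes.txt", b"hello\nappended\n")
    report = env.diff()                     # what the user reviews before deciding
    accepted, rejected = env.commit()
    return host, report, accepted, rejected


if __name__ == "__main__":
    host, report, accepted, rejected = run_session()
    for path, kind in sorted(report.items()):
        print(f"{kind:9} {path}")
    print("accepted:", accepted)
    print("rejected:", rejected)
```

The point the example makes is that the comparison step is what gives the user a basis for the decision: the modification to `/etc/passwd` is visible in the report, is never applied to the host view, and the user-scoped changes are applied only once the session is explicitly committed. A real system would back the overlay with a virtual machine's disk image rather than a dictionary, but the review-then-commit shape is the same.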
© 2007 Springer-Verlag Berlin Heidelberg
Wen, Y., Zhao, J., Wang, H. (2007). A Novel Approach for Untrusted Code Execution. In: Qing, S., Imai, H., Wang, G. (eds) Information and Communications Security. ICICS 2007. Lecture Notes in Computer Science, vol 4861. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-77048-0_31
DOI: https://doi.org/10.1007/978-3-540-77048-0_31
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-77047-3
Online ISBN: 978-3-540-77048-0