Computer Security Applications Conference, Annual (2007)
Miami Beach, Florida, USA
Dec. 10, 2007 to Dec. 14, 2007
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/ACSAC.2007.46
Jails, sandboxes and other isolation mechanisms limit the damage from untrusted programs by reducing a process's privileges to the minimum. Sandboxing is designed to thwart such threats as (1) a program created by an attacker or (2) an input crafted to exploit a security vulnerability in a program. Examples of the latter include input containing interpreted code or machine language to be injected via a buffer overflow. Traditionally, sandboxes are created by an invoking process. This is effective for (1) but only partially so for (2). For example, when a file is downloaded by a browser or processed as a mail attachment, the invoking process can sandbox it. However, sandboxing protections can be circumvented when the file is copied outside the sandbox. The problem is that traditional sandboxes do not provide complete mediation.

We introduce dynamic sandboxes, and show how even when data is saved and/or copied, sandboxing protections are not lost. In addition, and in contrast to traditional sandbox implementations, dynamic sandboxes are implemented using general purpose access controls. Not only does this provide a more flexible sandbox mechanism and enable complete mediation, but these same primitives can be used to build other (non-sandbox) authorization policies.
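The gap the abstract describes, shown as a toy model added here (this is constructed illustration code, not LEAP or the authors' implementation; the class names, the "untrusted" label and the download/copy/save scenario are assumptions). A traditional sandbox is a property of the invoking process, so a file copied out by an unsandboxed shell runs with full privilege. A data-following sandbox instead mediates every operation with an access-control check, attaches an untrusted label at download, and propagates it through copies and through writes by a quarantined process, so the protection survives copying and saving.

```python
# Toy model of process-scoped vs. data-following sandboxing.
# Constructed for illustration; not LEAP code. Class names, the label
# name and the scenario are assumptions, not the paper's design.
from dataclasses import dataclass, field

UNTRUSTED = "untrusted"   # assumed label for data of untrusted origin


@dataclass
class Process:
    name: str
    confines_children: bool = False   # does this process sandbox what it invokes?
    quarantined: bool = False         # is this process itself confined?


@dataclass
class File:
    name: str
    labels: set = field(default_factory=set)


class TraditionalFS:
    """Sandbox decided by the invoking process only. Files carry no state,
    so a copy made outside the sandbox is executed with full privilege."""

    def __init__(self):
        self.files = {}

    def download(self, proc, name):
        self.files[name] = File(name)

    def copy(self, proc, src, dst):
        self.files[dst] = File(dst)          # nothing follows the data

    def write(self, proc, name):
        self.files[name] = File(name)

    def execute(self, invoker, name):
        # Confinement depends on who launches it, not on what is launched.
        return Process(name, quarantined=invoker.confines_children)


class DynamicSandboxFS:
    """Confinement decided by an access-control check on every operation
    (complete mediation). The untrusted label is attached at download and
    flows with every copy and every write by a quarantined process."""

    def __init__(self):
        self.files = {}

    def download(self, proc, name):
        self.files[name] = File(name, {UNTRUSTED})

    def copy(self, proc, src, dst):
        labels = set(self.files[src].labels)
        if proc.quarantined:
            labels.add(UNTRUSTED)
        self.files[dst] = File(dst, labels)

    def write(self, proc, name):
        # A quarantined process cannot launder data by saving it under a new name.
        self.files[name] = File(name, {UNTRUSTED} if proc.quarantined else set())

    def execute(self, invoker, name):
        # Whoever invokes it, untrusted content runs quarantined;
        # a quarantined invoker also stays confined.
        tainted = UNTRUSTED in self.files[name].labels or invoker.quarantined
        return Process(name, quarantined=tainted)


def scenario(fs_cls):
    """Download via a sandboxing browser, then copy and re-save outside it.
    Returns whether each of the three launches ran confined."""
    fs = fs_cls()
    browser = Process("browser", confines_children=True)
    shell = Process("shell")                      # unsandboxed user shell

    fs.download(browser, "attachment.exe")
    p1 = fs.execute(browser, "attachment.exe")    # launched from the browser

    fs.copy(shell, "attachment.exe", "copy.exe")  # user copies it out
    p2 = fs.execute(shell, "copy.exe")            # launched from the shell

    fs.write(p1, "saved.exe")                     # the confined process saves output
    p3 = fs.execute(shell, "saved.exe")

    return (p1.quarantined, p2.quarantined, p3.quarantined)


if __name__ == "__main__":
    print("traditional:", scenario(TraditionalFS))    # (True, False, False)
    print("dynamic:    ", scenario(DynamicSandboxFS))  # (True, True, True)
```

The second and third launches are where the two models diverge: the process-scoped sandbox confines only the launch the browser itself performs, while the label-carrying model keeps the copy and the saved output confined because the check is made on the data at every access rather than once by the invoker.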
Jon A. Solworth, Manigandan Radhakrishnan, "Quarantining Untrusted Entities: Dynamic Sandboxing Using LEAP", Computer Security Applications Conference, Annual, pp. 211-220, 2007, doi:10.1109/ACSAC.2007.46