Design and Implementation of Sandbox Technique for Isolated Applications
In the presence of known and unknown vulnerabilities in the code and flow control of programs, virtual-machine-like isolation that confines a malicious process is an effective strategy for containing the effects of an attack within an isolated environment. However, most proposed isolation techniques do not offer an execution sandbox. A process running in an isolated environment with unrestricted access, without an explicit mechanism restricting access to native system resources such as the system call table, network and file system, can access unauthorized resources. In this paper, we propose a sandbox technique for applications running in virtual-machine-like isolation. The proposed solution is a reference monitor that works without tampering with the transitioning mechanism of the process and does not require changes to the program or the kernel. We implemented a prototype as an executable shared library for Dune, which provides isolation to native Linux processes. The reference monitor uses seccomp BPF filters, the Linux Security Module AppArmor and the ptrace utility of the native kernel to restrict access to system resources. Experimental results show that the proposed technique provides security with acceptable overheads.
computer security; AppArmor; seccomp filters; reference monitor; isolation
Muhammad Shams Ul Haq, Lejian Liao, Ma Lerong
School of Computer Science and Technology, Beijing Institute of Technology, Beijing, China
International conference
Chongqing
English
557-561
2016-03-20 (date first made available online on the Wanfang platform; this does not represent the paper's publication date)