Reference:
In Proceedings of the Internet Society's 2004 Symposium on Network and Distributed System Security.
Abstract:
Application sandboxes provide restricted execution environments that limit an application's access to sensitive OS resources. These systems are an increasingly popular method for limiting the impact of a compromise. While a variety of mechanisms for building these systems have been proposed, the most thoroughly implemented and studied are based on system call interposition. Current interposition-based architectures offer a wide variety of properties that make them an attractive approach for building sandboxing systems. Unfortunately, these architectures also possess several critical properties that make their implementation error-prone and limit their functionality.
We present a study of Ostia, a sandboxing system we have developed that relies on a "delegating" architecture which overcomes many of the limitations of today's sandboxing systems. We compare this delegating architecture to the "filtering" architecture commonly used for sandboxes today. We present the salient features of each architecture and examine the design choices that significantly impact security, compatibility, flexibility, deployability, and performance in this class of system.
Full paper: [ps] [pdf] [BibTeX Entry]