Robert Grimm, University of Washington

Abstract:

We are currently investigating how to emulate Windows NT on top of Windows NT, or, in other words, how to sandbox Windows NT applications and application components (e.g., Active-X components) within Windows NT. The goal is to be able to express guarantees about applications and application components that are not provided by the native Windows NT environment. An obvious example is Active-X controls, which are currently not safe to execute (e.g., an Active-X control can read and write arbitrary memory locations of the enclosing application). However, memory safety is only one such guarantee. A more interesting and challenging class of guarantees is security guarantees in the sense of mandatory access control. To provide such guarantees, an application's access to the Win32 API must be carefully controlled, and it must be possible to interpose on system calls.

The specific goal of this research is to provide an emulation mechanism that can execute arbitrary Windows NT applications or application components, is transparent to existing applications, and yet allows for the expression of safety and security guarantees that cannot be circumvented. We expect to explore the range from binary rewriting (software fault isolation) to architectural emulation (of the CPU) for the basic executable, and to use system call interposition to control Win32 API calls while at the same time maintaining reasonable performance.
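As an added illustration that is not part of the abstract, the following C program shows the core idea behind the software-fault-isolation approach mentioned above: every store an untrusted component makes is first masked into a power-of-two sized sandbox region, so a pointer aimed at the enclosing application's memory is redirected into the sandbox rather than corrupting the host. The names (sandbox, sfi_confine, sfi_store, host_secret) are assumptions for this illustration; a real SFI rewriter must also confine loads and control transfers and must ensure the component cannot bypass the masking step.

```c
#include <stdint.h>
#include <stdio.h>

#define SANDBOX_BITS 12                          /* 4 KiB sandbox, power of two */
#define SANDBOX_SIZE (1u << SANDBOX_BITS)
#define SANDBOX_MASK ((uintptr_t)SANDBOX_SIZE - 1)

/* Sandbox region, aligned so that keeping only the low address bits
 * always yields an address inside it (constructed for this example). */
static _Alignas(SANDBOX_SIZE) unsigned char sandbox[SANDBOX_SIZE];

/* Host-application state the untrusted component must never modify. */
static int host_secret = 42;

/* Confine an arbitrary address to the sandbox: keep the offset bits and
 * replace the high bits with the sandbox base. An SFI rewriter would
 * emit this masking before every store the component performs. */
static unsigned char *sfi_confine(uintptr_t addr) {
    return sandbox + (addr & SANDBOX_MASK);
}

/* Guarded store: the component's intended address is confined first. */
static void sfi_store(uintptr_t addr, unsigned char value) {
    *sfi_confine(addr) = value;
}

/* Simulated untrusted component that tries to overwrite host memory.
 * Returns the host value afterwards; with SFI it is unchanged (42). */
int component_overwrite_secret(void) {
    sfi_store((uintptr_t)&host_secret, 0xff);    /* lands in the sandbox instead */
    return host_secret;
}

/* A store the component is allowed to make: inside its own region.
 * Returns the byte read back from the sandbox at that offset. */
int component_write_own_data(unsigned offset, unsigned char value) {
    sfi_store((uintptr_t)sandbox + offset, value);
    return sandbox[offset & SANDBOX_MASK];
}

/* Returns 1 if the confined form of addr lies inside the sandbox. */
int sfi_address_is_confined(uintptr_t addr) {
    unsigned char *p = sfi_confine(addr);
    return p >= sandbox && p < sandbox + SANDBOX_SIZE;
}

int main(void) {
    printf("host_secret after hostile store: %d\n", component_overwrite_secret());
    printf("component's own byte: %d\n", component_write_own_data(100, 7));
    return 0;
}
```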