Abstract - Security Symposium - 2000
MAPbox: Using Parameterized Behavior Classes to Confine Untrusted Applications
Anurag Acharya and Mandar Raje, University of California, Santa Barbara
Designing a suitable confinement mechanism for untrusted applications is challenging because such a mechanism needs to satisfy conflicting requirements. The main trade-off is between ease of use and flexibility. In this paper, we present the design, implementation and evaluation of MAPbox, a confinement mechanism that retains the ease of use of application-class-specific sandboxes such as the Java applet sandbox and the Janus document viewer sandbox while providing significantly more flexibility. The key idea is to group application behaviors into classes based on their expected functionality and the resources required to achieve that functionality. Classification of application behavior provides a set of labels (e.g., compiler, reader, netclient) that can be used to concisely communicate the expected functionality of programs between the provider and the users. This is similar to MIME-types, which are widely used to concisely describe the expected format of data files. An end-user lists the set of application behaviors she is willing to allow in a file. With each label, she associates a sandbox that limits access to the set of resources needed to achieve the corresponding behavior. When an untrusted application is to be run, this file is consulted. If the label (or the MAP-type) associated with the application is not found in this file, the application is not allowed to run. Otherwise, the MAP-type is used to automatically locate and instantiate the appropriate sandbox. We believe that this may be an acceptable level of user interaction, since a similar technique (i.e., MIME-types) has been fairly successful for handling documents with different formats. In this paper, we present a set of application behavior classes that we have identified based on a study of a diverse suite of applications that includes CGI scripts, programs downloaded from well-known web repositories, and applications from the Solaris 5.6 distribution. We describe the implementation and usage of MAPbox.
We evaluate MAPbox from two different perspectives: its effectiveness (how well it is able to confine a suite of untrusted applications) and its efficiency (how much overhead it introduces). Finally, we describe our experience with MAPbox and discuss potential limitations of this approach.
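The lookup the abstract describes (consult the user's file of permitted MAP-types, refuse to run anything whose label is absent, otherwise instantiate the sandbox bound to that label) can be modelled in a few dozen lines. The following is an added example, not code from the MAPbox paper or its implementation. The policy-file syntax, the `$ARG` placeholder standing for the behavior class's parameter (for instance the document a `reader` may open), the `read`/`write`/`connect` operation names and the glob-style matching are all assumptions made for this illustration; the paper's actual formats do not appear on this page.

```python
# Added example (not MAPbox's own code): a minimal model of MAP-type lookup and
# parameterized sandboxes. Policy syntax, operation names and the $ARG
# placeholder are assumptions made for this illustration.
from dataclasses import dataclass
import fnmatch
import re

# Constructed policy file standing in for the user's list of permitted
# behavior classes. Each line: a MAP-type, then comma-separated
# "operation:pattern" entries. $ARG is replaced per invocation by the
# class parameter (e.g. the file a reader is asked to display).
POLICY_TEXT = """
# map-type   sandbox specification
reader       read:$ARG
compiler     read:$ARG,read:/usr/include/*,write:$ARG.o,write:/tmp/*
netclient    read:/etc/resolv.conf,connect:$ARG
"""


def parse_policy(text):
    """Return {map_type: [(operation, pattern), ...]} from the policy text."""
    policy = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        map_type, spec = line.split(None, 1)
        entries = []
        for item in spec.split(","):
            operation, pattern = item.strip().split(":", 1)
            entries.append((operation, pattern))
        policy[map_type] = entries
    return policy


def _escape_glob(literal):
    """Make a literal string safe to embed in an fnmatch pattern."""
    return re.sub(r"([*?\[])", r"[\1]", literal)


@dataclass(frozen=True)
class Sandbox:
    map_type: str
    rules: tuple   # (operation, pattern) pairs with the parameter already bound

    def permits(self, operation, target):
        """True only if some rule covers this operation on this target."""
        return any(op == operation and fnmatch.fnmatchcase(target, pattern)
                   for op, pattern in self.rules)


def instantiate(policy, map_type, arg):
    """Bind the class parameter; None means the application may not run at all."""
    if map_type not in policy:          # label absent from the user's file
        return None
    bound = tuple((op, pattern.replace("$ARG", _escape_glob(arg)))
                  for op, pattern in policy[map_type])
    return Sandbox(map_type, bound)


def audit(policy, map_type, arg, requests):
    """Decide a list of (operation, target) requests; unknown type denies all."""
    sandbox = instantiate(policy, map_type, arg)
    if sandbox is None:
        return [(op, target, False) for op, target in requests]
    return [(op, target, sandbox.permits(op, target)) for op, target in requests]


if __name__ == "__main__":
    policy = parse_policy(POLICY_TEXT)
    requests = [("read", "/home/alice/report.pdf"),   # the document itself
                ("read", "/etc/passwd"),              # unrelated file
                ("connect", "example.com:80")]        # network access
    for op, target, ok in audit(policy, "reader", "/home/alice/report.pdf", requests):
        print(f"reader  {op:8} {target:28} {'allow' if ok else 'deny'}")
```

Two properties of the abstract's design show up directly: the decision is deny-by-default (a label missing from the file stops the program before any sandbox exists), and binding the parameter at instantiation time is what makes a `reader` sandbox specific to one document rather than to every readable file.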