Flexible and Efficient Sandboxing Based on Fine-Grained Protection Domains

  • Takahiro Shinagawa
  • Kenji Kono
  • Takashi Masuda
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2609)


Sandboxing is one of the most promising technologies for safely executing potentially malicious applications, and it is becoming an indispensable functionality of modern computer systems. Nevertheless, traditional operating systems provide no special support for sandboxing: a sandbox system is either built at the user level or encoded directly into the kernel. User-level implementations rely on the operating system's debugger support, and the resulting systems are unacceptably slow. Kernel-level implementations oblige users to use one specific sandbox system, even though sandbox systems are usually designed for specific classes of applications and users should therefore be able to choose the sandbox system appropriate for each target application. This paper presents a generic framework on top of which various sandbox systems can be implemented easily and efficiently. The framework has three advantages. First, users can selectively use the sandbox system appropriate for the target application. Second, the resulting sandbox systems are efficient: their performance is comparable to that of kernel-implemented sandbox systems. Finally, a wide range of sandbox systems can be implemented at the user level, which makes it easy to introduce new sandbox systems without modifying the kernel. The framework is based on the mechanism of fine-grained protection domains previously proposed by the authors.







Copyright information

© Springer-Verlag Berlin Heidelberg 2003

Authors and Affiliations

  • Takahiro Shinagawa (1)
  • Kenji Kono (2, 3)
  • Takashi Masuda (2)
  1. Department of Information Science, Graduate School of Science, University of Tokyo, Japan
  2. Department of Computer Science, University of Electro-Communications, Japan
  3. Japan Science and Technology Corporation, PRESTO, Japan
