Report ID
1999-12
Report Authors
Mandar Raje
Report Date
Abstract
In my thesis, I propose a class-specific sandboxing mechanism to confine untrusted applications. The key idea is to identify different application classes like editor, browser, mail client, shell, filter, server, etc. and to confine applications belonging to each class in a sandbox that is tailored to the expected behavior/requirements of the class. For example, the sandbox for a MIME-mail client could be restricted to allow it to spawn only a set of helper applications explicitly listed in the mailcap file; the sandbox for an editor could be restricted to disallow network accesses and process creation. Such a mechanism retains the ease-of-use of sandboxes while significantly increasing their flexibility. End-users do not need to maintain complex access control lists or interact frequently with the security subsystem; nor do they need to depend solely on a digital signature. They can configure their systems by specifying the set of classes they would like to allow.

To evaluate the feasibility of my proposal, I have: (1) defined a set of application classes and have populated them based on a study of system-call traces of commonly used applications; (2) implemented an infrastructure that uses the /proc-interface to confine native binaries; (3) developed configuration files for the different application classes that I have encountered; (4) integrated this infrastructure with an X proxy that confines untrusted X applications to windows and other X resources that it creates (and a small number of global attributes); (5) evaluated the overhead introduced by this mechanism.
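As an added illustration (not the thesis's /proc-based implementation), the following Python models how per-class sandbox policies of the kind described above could be evaluated against a system-call trace: the editor class denies network and process-creation calls, and the mail-client class allows exec only of helpers named in a mailcap file. The mailcap contents, the trace entries and the policy fields are constructed assumptions for the example.

```python
# Added example: a model of class-specific sandbox policies evaluated over a
# system-call trace. Policies, mailcap and traces are constructed here.
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class ClassPolicy:
    name: str
    deny_network: bool = False
    deny_process_creation: bool = False
    exec_allowlist: frozenset = frozenset()  # empty means exec is unrestricted


NETWORK_CALLS = {"socket", "connect", "bind", "listen", "accept"}
PROCESS_CALLS = {"fork", "vfork", "clone"}


def parse_mailcap(text):
    """Return the helper program names listed in a mailcap file.
    Entry format: 'type/subtype; command [; options]'. The helper is taken to
    be the first word of the command field (a simplification assumed here)."""
    helpers = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(";")
        if len(fields) < 2:
            continue
        command = fields[1].strip().split()
        if command:
            helpers.add(command[0])
    return frozenset(helpers)


def evaluate(policy, trace):
    """Return the (syscall, argument) entries the class policy would deny."""
    denied = []
    for call, arg in trace:
        if policy.deny_network and call in NETWORK_CALLS:
            denied.append((call, arg))
        elif policy.deny_process_creation and call in PROCESS_CALLS:
            denied.append((call, arg))
        elif call == "execve" and policy.exec_allowlist \
                and os.path.basename(arg) not in policy.exec_allowlist:
            denied.append((call, arg))
    return denied


# Constructed mailcap and traces (not taken from the thesis).
MAILCAP = '# constructed sample\nimage/gif; xv %s\napplication/pdf; xpdf %s; test=test -n "$DISPLAY"\n'
MAIL_POLICY = ClassPolicy("mail-client", exec_allowlist=parse_mailcap(MAILCAP))
EDITOR_POLICY = ClassPolicy("editor", deny_network=True, deny_process_creation=True)
MAIL_TRACE = [("open", "/var/mail/user"), ("fork", ""), ("execve", "/usr/bin/xv"), ("execve", "/bin/sh")]
EDITOR_TRACE = [("open", "notes.txt"), ("socket", "AF_INET"), ("fork", ""), ("write", "notes.txt")]
```

Running `evaluate(MAIL_POLICY, MAIL_TRACE)` flags only the exec of `/bin/sh`, which is not a mailcap helper, while `evaluate(EDITOR_POLICY, EDITOR_TRACE)` flags the socket and fork calls.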
Document
1999-12.ps (498.8 KB)