Isolated program execution: an application transparent approach for executing untrusted programs

Authors: Zhenkai Liang, V.N. Venkatakrishnan, R. Sekar

DOI: 10.1109/CSAC.2003.1254323

Keywords:

Abstract: We present a new approach for safe execution of untrusted programs by isolating their effects from the rest of the system. Isolation is achieved by intercepting file operations made by untrusted processes, and redirecting any change operations to a "modification cache" that is invisible to other processes in the system. File read operations performed by the untrusted process are also correspondingly modified, so that the process has a consistent view of system state that incorporates the contents of the file system as well as the modification cache. On termination of the untrusted process, its user is presented with a concise summary of the files modified by the process. Additionally, the user can inspect these files using various software utilities (e.g., helper applications to view multimedia files) to determine if the modifications are acceptable. The user then has the option to commit these modifications, or simply discard them. Essentially, our approach provides "play" and "rewind" buttons for running untrusted software. Key benefits of our approach are that it requires no changes to the untrusted programs (to be isolated) or the underlying operating system; it cannot be subverted by malicious programs; and it achieves these benefits with acceptable runtime overheads. We describe a prototype implementation of this system for Linux called Alcatraz and discuss its performance and effectiveness.
