CS262A Reading Summary 26

A Secure Environment for Untrusted Helper Applications

I. Goldberg et al.
Summary by Feng Zhou
11/5/2002

3 key features:
  1. "Sandboxing" is proposed as a general mechanism to execute untrusted helper applications of Internet browsers. The problem itself is important because helper applications are widely used and many of them may contain security-related defects. The secure environment, or sandbox, is implemented at user level, i.e. in a "wrapper"-like way. It achieves protection by restricting the use of certain system calls by helper applications.
  2. A prototype, Janus, is implemented on Solaris. It uses the /proc tracing facility to trace the helper application and block disallowed system calls. It uses a policy-based modular design. Detailed policies can be specified for one helper application or for a set of them. This makes Janus an adaptable and easy-to-use tool for enhancing the security of helper applications.
  3. Performance optimizations are done to reduce the overhead incurred by Janus. The most important technique is ignoring system calls that are always allowed. These system calls are not intercepted at all, saving the large overhead of context switching.
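The three points above describe one decision procedure: every system call is either passed through untouched (always allowed, so never intercepted), denied, or handed to a policy module that inspects its arguments. The following is an added example that models that logic in Python; it is not code from the paper or from Janus, which did the interception through Solaris /proc. The policy, the helper application, and the syscall trace are constructed for illustration.

```python
import os
from dataclasses import dataclass

ALLOW, DENY = "allow", "deny"


@dataclass(frozen=True)
class Policy:
    always_allow: frozenset      # never intercepted: the fast path from item 3
    read_prefixes: tuple         # directories open(2) may read from
    allow_network: bool = False  # whether socket(2) is permitted


def check_open(policy, path, flags):
    """Policy module for open(2): read-only access under permitted prefixes."""
    if flags & (os.O_WRONLY | os.O_RDWR):
        return DENY
    real = os.path.normpath(path)  # collapses "..", so escapes from a prefix are caught
    ok = any(real == p or real.startswith(p.rstrip("/") + "/") for p in policy.read_prefixes)
    return ALLOW if ok else DENY


MODULES = {
    "open": check_open,
    "socket": lambda policy, *args: ALLOW if policy.allow_network else DENY,
}


def decide(policy, name, args):
    """Return (verdict, intercepted) for one call; calls without a module are denied."""
    if name in policy.always_allow:
        return ALLOW, False        # not intercepted at all, no context switch
    module = MODULES.get(name)
    if module is None:
        return DENY, True
    return module(policy, *args), True


def run_trace(policy, trace):
    """Apply the policy to a trace; return the verdicts and how many calls were intercepted."""
    verdicts, intercepted = [], 0
    for name, args in trace:
        verdict, stopped = decide(policy, name, args)
        verdicts.append(verdict)
        intercepted += stopped
    return verdicts, intercepted


# Constructed policy and trace for a hypothetical image viewer (not from the paper).
VIEWER_POLICY = Policy(always_allow=frozenset({"read", "write", "close", "brk", "exit"}),
                       read_prefixes=("/usr/lib", "/tmp/janus"))
TRACE = [
    ("open", ("/tmp/janus/download.gif", os.O_RDONLY)),     # allowed by module
    ("read", (3,)),                                          # fast path, never intercepted
    ("open", ("/tmp/janus/../../etc/passwd", os.O_RDONLY)),  # denied: escapes the prefix
    ("open", ("/tmp/janus/out.gif", os.O_WRONLY)),           # denied: write access
    ("socket", ()),                                          # denied: network not allowed
    ("execve", ("/bin/sh",)),                                # denied: no module, default deny
    ("close", (3,)),                                         # fast path
]
```

The prefix check requires a directory boundary, so a path such as `/usr/libexec/...` is not matched by the `/usr/lib` prefix.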

1 flaw:

As the authors admit, the prototype implementation is highly system dependent. More fundamentally, whether and how the general mechanism can be implemented on a specific OS depends heavily on the OS itself. On some OSes, it simply cannot be implemented. Thus its potential application is limited.