In this paper, we develop an approach for protecting system integrity from untrusted code/data that may harbor sophisticated malware. We develop a novel dual-sandboxing architecture to confine not only untrusted, but also benign processes. The untrusted sandbox places only a few restrictions, thereby permitting most untrusted applications to function normally. Our implementation is performed entirely at the user-level, requiring no changes to the kernel. This enabled us to port the system easily from Linux to BSD. Our experimental results show that our approach preserves the usability of most applications, while offering strong protection and good performance. Another important benefit of our approach is that policy development is largely automated, thus sparing users and administrators from this cumbersome and difficult task.
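The following is an added illustration of the dual-sandbox idea described in the abstract; it is not the authors' code and the concrete rules it enforces (untrusted processes cannot modify benign-labeled files, benign processes cannot consume untrusted-labeled data, and a child process takes the lower of its parent's and its image's integrity label) are assumptions chosen for the example, not a statement of the paper's exact policy. Labels, paths and file contents are constructed in-line, so the script runs offline.

```python
"""Toy user-level dual-sandbox integrity monitor (added example, not the paper's code)."""
from dataclasses import dataclass, field
from enum import IntEnum


class Label(IntEnum):
    """Integrity labels; a lower value means lower integrity (assumed ordering)."""
    UNTRUSTED = 0
    BENIGN = 1


@dataclass
class Process:
    pid: int
    label: Label


@dataclass
class Store:
    """Toy file system: path -> (label, data). Labels are kept in user space here;
    a real deployment would persist them alongside the files (assumption)."""
    files: dict = field(default_factory=dict)

    def label_of(self, path):
        return self.files[path][0]


class DualSandbox:
    """Two sandboxes sharing one label store (assumed, illustrative rules):
    - untrusted sandbox: an untrusted process may read anything and create new
      files (which become untrusted), but may not modify a benign-labeled file;
    - benign sandbox: a benign process may not read untrusted-labeled data,
      so it cannot be subverted by malicious input;
    - exec: the child's label is the lower of the parent's and the image's label.
    Every denial is recorded in an audit list for later inspection."""

    def __init__(self, store):
        self.store = store
        self.audit = []
        self.next_pid = 1

    def spawn(self, image_path, parent=None):
        label = self.store.label_of(image_path)
        if parent is not None:
            label = min(label, parent.label)
        proc = Process(self.next_pid, label)
        self.next_pid += 1
        return proc

    def open(self, proc, path, mode):
        exists = path in self.store.files
        if mode == "r":
            if not exists:
                return self._deny(proc, path, mode, "no such file")
            if proc.label == Label.BENIGN and self.store.label_of(path) == Label.UNTRUSTED:
                return self._deny(proc, path, mode, "benign process would consume untrusted data")
            return True
        if mode == "w":
            if not exists:
                # New files inherit the writer's label (assumption).
                self.store.files[path] = (proc.label, "")
                return True
            if self.store.label_of(path) > proc.label:
                return self._deny(proc, path, mode, "lower-integrity process may not modify higher-integrity file")
            return True
        raise ValueError("unsupported mode: %r" % mode)

    def write(self, proc, path, data):
        if not self.open(proc, path, "w"):
            return False
        label, _ = self.store.files[path]
        self.store.files[path] = (label, data)
        return True

    def _deny(self, proc, path, mode, reason):
        self.audit.append((proc.pid, proc.label.name, path, mode, reason))
        return False


def demo():
    """Run a constructed scenario and return the policy decisions."""
    store = Store({
        "/usr/bin/editor": (Label.BENIGN, "<binary>"),          # constructed sample
        "/etc/config": (Label.BENIGN, "safe=1"),                # constructed sample
        "/home/u/download.bin": (Label.UNTRUSTED, "<binary>"),  # constructed sample
    })
    sb = DualSandbox(store)
    editor = sb.spawn("/usr/bin/editor")                        # benign process
    dl = sb.spawn("/home/u/download.bin", parent=editor)        # untrusted despite benign parent
    results = {
        "child_label": dl.label.name,
        "untrusted_read_config": sb.open(dl, "/etc/config", "r"),
        "untrusted_write_config": sb.write(dl, "/etc/config", "safe=0"),
        "config_after_untrusted_write": store.files["/etc/config"][1],
        "untrusted_create": sb.write(dl, "/tmp/out.txt", "x"),
        "benign_read_untrusted_output": sb.open(editor, "/tmp/out.txt", "r"),
        "benign_write_config": sb.write(editor, "/etc/config", "safe=2"),
        "denials": len(sb.audit),
    }
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The point of the scenario is that the untrusted process keeps working (it reads configuration and creates its own output) while the two denials that matter for integrity, an untrusted write to a benign file and a benign read of untrusted output, are both blocked and logged without any kernel support.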
Author(s):
Wai Kit Sze
Stony Brook University
United States
R. Sekar
Stony Brook University
United States