Recursive Sandboxes: Extending Systrace To Empower Applications

14 years 27 days ago

Download nsl.cs.columbia.edu

The systrace system-call interposition mechanism has become a popular method for containing untrusted code through program-specific policies enforced by user-level daemons. We describe our extensions to systrace that allow sandboxed processes to further limit their children processes by issuing dynamically constructed policies. We discuss our extensions to the systrace daemon and the OpenBSD kernel, as well as a simple API for constructing simple policies. We present two separate implementations of our scheme, and compare their performance with the base systrace system. We show how our extensions can be used by processes such as ftpd, sendmail, and sshd.

Aleksey Kurchuk, Angelos D. Keromytis

Real-time Traffic

SEC 2004 | SEC 2007 | Systrace | Systrace Daemon | Systrace System-call Interposition |

claim paper

Post Info
More Details (n/a)

Added	31 Oct 2010
Updated	31 Oct 2010
Type	Conference
Year	2004
Where	SEC
Authors	Aleksey Kurchuk, Angelos D. Keromytis

Comments (0)

Sciweavers

Recursive Sandboxes: Extending Systrace To Empower Applications

SEC 2004 | SEC 2007 | Systrace | Systrace Daemon | Systrace System-call Interposition |

Explore & Download

Productivity Tools

Document Tools

Image Tools

Sciweavers