TY - GEN
T1 - Isolated program execution
T2 - 19th Annual Computer Security Applications Conference, ACSAC 2003
AU - Liang, Zhenkai
AU - Venkatakrishnan, V. N.
AU - Sekar, R.
N1 - Publisher Copyright:
© 2003 IEEE.
PY - 2003
Y1 - 2003
N2 - We present a new approach for safe execution of untrusted programs by isolating their effects from the rest of the system. Isolation is achieved by intercepting file operations made by untrusted processes, and redirecting any change operations to a "modification cache" that is invisible to other processes in the system. File read operations performed by the untrusted process are also correspondingly modified, so that the process has a consistent view of system state that incorporates the contents of the file system as well as the modification cache. On termination of the untrusted process, its user is presented with a concise summary of the files modified by the process. Additionally, the user can inspect these files using various software utilities (e.g., helper applications to view multimedia files) to determine if the modifications are acceptable. The user then has the option to commit these modifications, or simply discard them. Essentially, our approach provides "play" and "rewind" buttons for running untrusted software. Key benefits of our approach are that it requires no changes to the untrusted programs (to be isolated) or the underlying operating system; it cannot be subverted by malicious programs; and it achieves these benefits with acceptable runtime overheads. We describe a prototype implementation of this system for Linux called Alcatraz and discuss its performance and effectiveness.
AB - We present a new approach for safe execution of untrusted programs by isolating their effects from the rest of the system. Isolation is achieved by intercepting file operations made by untrusted processes, and redirecting any change operations to a "modification cache" that is invisible to other processes in the system. File read operations performed by the untrusted process are also correspondingly modified, so that the process has a consistent view of system state that incorporates the contents of the file system as well as the modification cache. On termination of the untrusted process, its user is presented with a concise summary of the files modified by the process. Additionally, the user can inspect these files using various software utilities (e.g., helper applications to view multimedia files) to determine if the modifications are acceptable. The user then has the option to commit these modifications, or simply discard them. Essentially, our approach provides "play" and "rewind" buttons for running untrusted software. Key benefits of our approach are that it requires no changes to the untrusted programs (to be isolated) or the underlying operating system; it cannot be subverted by malicious programs; and it achieves these benefits with acceptable runtime overheads. We describe a prototype implementation of this system for Linux called Alcatraz and discuss its performance and effectiveness.
UR - https://www.scopus.com/pages/publications/84944734361
U2 - 10.1109/CSAC.2003.1254323
DO - 10.1109/CSAC.2003.1254323
M3 - Conference contribution
AN - SCOPUS:84944734361
T3 - Proceedings - Annual Computer Security Applications Conference, ACSAC
SP - 182
EP - 191
BT - Proceedings - 19th Annual Computer Security Applications Conference, ACSAC 2003
PB - IEEE Computer Society
Y2 - 8 December 2003 through 12 December 2003
ER -