Design and Implementation of Sandbox Technique for Isolated Applications

In presence of known and unknown vulnerabilities in code and flow control of programs, virtual machine alike isolation to confine maliciousness of process is an effective strategy to contain the attack effects in isolated environment. But most of proposed isolation techniques does not offer execution sandbox. A process running in isolated environment with unrestricted access, without explicit mechanism for restriction on access for native system resources such as system call table, network and file system, can access unauthorized resources. In this paper, we propose a sandbox technique for applications running in Virtual Machine alike isolation. The proposed solution is a reference monitor that works without tampering with transitioning mechanism of process and does not require changes in program or kernel. We implemented prototype as executable shared library for dune that provides isolation to native Linux process. Reference monitor uses seccomp BPF filters, Linux Secure Module Apparmor and ptrace utility of native kernel to restrict access to system resources. Experimental results show that proposed technique provide security with acceptable overheads.