{"title":"Protection wrappers: a simple and portable sandbox for untrusted applications","authors":"C. Jensen, D. Hagimont","doi":"10.1145/319195.319211","DOIUrl":null,"url":null,"abstract":"In open and configurable applications, external programs are often used to handle different functions and data formats. This is particularly true for applications that communicate through the Internet, where new protocols and data formats are frequently introduced. These external programs are often installed quickly and without a full security auditing, even when the sources are available. This makes the users of such applications vulnerable to viruses and Trojan horses introduced by misconfiguration or flaws in the security of these applications. In this paper we introduce a mechanism called \"protection wrappers\" that allows an application to run external programs in a restricted environment called a \"sandbox\". Programs running in a sandbox will execute with the identity of a user with limited privileges. This reduces the potential damage to the system and to the data of the user who originally launched the application. 1 Introduction The dramatic growth of the Internet and the popularity of the World Wide Web have given birth to a new network community where individual users, academic and industrial institutions, in all countries, are exchanging data and software freely across the network. The Internet was previously used to exchange software and data among a small community of researchers who knew and trusted each other just like computer hobbyists have exchanged software on diskettes with friends, neighbors, and colleagues but today people connected to the Internet are receiving data and using software from various unknown sources, e.g. installing and using a new video player found on a Web server. 
In principle both programs and data should be carefully verified before being used, the program by the administrator who installs it and the data by the program *Université Joseph Fourier, Grenoble †INRIA Rhône-Alpes that manipulates them. However, in many cases software or data are used without prior verification and without authentication of the source. Internet communication softwares like web browsers or mail readers are increasingly relying on external programs to display images or postscript files, play music or video dips, convert MIME encoded mail, or simply allow users to specify external pagers and editors. These programs are potential Trojan horses for two reasons: first because they may have been written by malicious programmers and secondly because they rarely implement a protection policy that allow them to verify data before operating on them. Most of these external programs are developed to be used in safe environments where data are generally trusted. Two good examples of this are Ghostscript (gs(1)) that allows users to preview their PostScript documents and MS-Word that can be used to prepare reports and write documentation for programs. However, PostScript is a full programming language, that for instance allows programs to access files in the file system, and MS-Word has the ability to create or update macros, based on the definitions found in a document. When these programs are used in the potentially hostile environment of the Internet, where the PostScript document retrieved from a Web-server or the Word document attached to an email may have been carefully prepared by an adversary, these programs can act as Trojan horses that corrupt the users files or helps potential intruders to breach the site security. It is therefore crucial to provide a protection service that prevents the use of these programs from damaging the machine, and the environment of the user who runs the programs. 
In this paper, we propose a portable mechanism that isolates programs within a sandbox with restricted privileges. This mechanism works by wrapping the application in a front end program (the wrapper) that implements the needto-know principle, without modifying the application itself. A program isolated in a sandbox can initially have few well-defined access rights. Additional rights are then","PeriodicalId":335784,"journal":{"name":"Proceedings of the 8th ACM SIGOPS European workshop on Support for composing distributed applications","volume":"6 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"1998-09-07","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"4","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 8th ACM SIGOPS European workshop on Support for composing distributed applications","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/319195.319211","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citations: 4
Abstract
In open and configurable applications, external programs are often used to handle different functions and data formats. This is particularly true for applications that communicate through the Internet, where new protocols and data formats are frequently introduced. These external programs are often installed quickly and without a full security audit, even when the sources are available. This makes the users of such applications vulnerable to viruses and Trojan horses introduced by misconfiguration or flaws in the security of these applications. In this paper we introduce a mechanism called "protection wrappers" that allows an application to run external programs in a restricted environment called a "sandbox". Programs running in a sandbox will execute with the identity of a user with limited privileges. This reduces the potential damage to the system and to the data of the user who originally launched the application.

* Université Joseph Fourier, Grenoble. † INRIA Rhône-Alpes.

1 Introduction

The dramatic growth of the Internet and the popularity of the World Wide Web have given birth to a new network community where individual users and academic and industrial institutions, in all countries, exchange data and software freely across the network. The Internet was previously used to exchange software and data among a small community of researchers who knew and trusted each other, just as computer hobbyists have exchanged software on diskettes with friends, neighbors, and colleagues. Today, however, people connected to the Internet receive data and use software from various unknown sources, e.g. installing and using a new video player found on a Web server. In principle both programs and data should be carefully verified before being used: the program by the administrator who installs it, and the data by the program that manipulates them. However, in many cases software or data are used without prior verification and without authentication of the source.

Internet communication software such as web browsers and mail readers increasingly relies on external programs to display images or PostScript files, play music or video clips, convert MIME-encoded mail, or simply allow users to specify external pagers and editors. These programs are potential Trojan horses for two reasons: first, because they may have been written by malicious programmers, and second, because they rarely implement a protection policy that allows them to verify data before operating on them. Most of these external programs are developed to be used in safe environments where data are generally trusted. Two good examples of this are Ghostscript (gs(1)), which allows users to preview their PostScript documents, and MS-Word, which can be used to prepare reports and write documentation for programs. However, PostScript is a full programming language that, for instance, allows programs to access files in the file system, and MS-Word has the ability to create or update macros based on the definitions found in a document. When these programs are used in the potentially hostile environment of the Internet, where the PostScript document retrieved from a Web server or the Word document attached to an email may have been carefully prepared by an adversary, they can act as Trojan horses that corrupt the user's files or help potential intruders to breach the site's security. It is therefore crucial to provide a protection service that prevents the use of these programs from damaging the machine and the environment of the user who runs them.

In this paper, we propose a portable mechanism that isolates programs within a sandbox with restricted privileges. This mechanism works by wrapping the application in a front-end program (the wrapper) that implements the need-to-know principle, without modifying the application itself. A program isolated in a sandbox can initially have few, well-defined access rights. Additional rights are then