Research article
DOI: 10.1145/3134302.3134312

A Survey on Application Sandboxing Techniques

Published: 23 June 2017

Abstract

The principle of least privilege states that components in a system should only be allowed to perform the actions required for them to function. The wish to limit what programs can access has given rise to a set of application-level sandboxing solutions. In this paper, we survey recent research on application-level sandboxing. We discuss the properties of the major implementations and highlight the key differences between them. In addition, we show how recent features in the mainline Linux kernel have altered the sandboxing landscape.
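As an added example, not code from the surveyed paper or from any of the tools it discusses, the following C program shows the system-call-filtering side of such a sandbox on a current Linux kernel: a forked child installs a seccomp-bpf allow-list of five system calls, after which its attempt to open a network socket is killed with SIGSYS while an allow-listed write completes. It assumes Linux on x86_64 or aarch64; the function and enum names (run_confined, install_filter, TASK_WRITE and so on) are this example's own.

```c
/* Added example, not code from the surveyed paper or from the tools it cites:
 * a seccomp-bpf allow-list confining a forked child. Linux x86_64/aarch64 only;
 * run_confined, install_filter and the enums are this example's own names. */
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
#  define SANDBOX_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#  define SANDBOX_ARCH AUDIT_ARCH_AARCH64
#else
#  error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* Equal to __NR_name: fall through to ALLOW; otherwise skip it and test the next. */
#define ALLOW_SYSCALL(name) \
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_##name, 0, 1), \
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)

enum task { TASK_WRITE, TASK_NETWORK };
enum outcome { OUTCOME_ALLOWED, OUTCOME_DENIED, OUTCOME_UNAVAILABLE, OUTCOME_ERROR };

/* Least privilege for the child: five syscalls proceed, everything else kills
 * the process with SIGSYS. Returns non-zero if the kernel refuses the filter. */
static int install_filter(void)
{
    struct sock_filter filter[] = {
        /* Reject a foreign ABI first: syscall numbers differ between tables. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SANDBOX_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        ALLOW_SYSCALL(read),
        ALLOW_SYSCALL(write),
        ALLOW_SYSCALL(exit),
        ALLOW_SYSCALL(exit_group),
        ALLOW_SYSCALL(rt_sigreturn),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),  /* default: deny */
    };
    struct sock_fprog prog = { .len = sizeof filter / sizeof filter[0], .filter = filter };
    /* no_new_privs lets an unprivileged process install the filter and keeps a
     * later execve of a setuid binary from shedding it. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Fork, confine the child, let it attempt one task, classify what happened. */
enum outcome run_confined(enum task task)
{
    int fds[2];
    if (pipe(fds) != 0)
        return OUTCOME_ERROR;
    pid_t pid = fork();
    if (pid < 0)
        return OUTCOME_ERROR;
    if (pid == 0) {
        close(fds[0]);
        if (install_filter() != 0)
            _exit(2);                         /* seccomp not usable here */
        if (task == TASK_NETWORK) {
            socket(AF_INET, SOCK_STREAM, 0);  /* not allow-listed: SIGSYS */
            _exit(3);                         /* reached only if the filter failed */
        }
        write(fds[1], "ok", 3);               /* allow-listed: completes */
        _exit(0);
    }
    close(fds[1]);
    char buf[8] = {0};
    ssize_t n = read(fds[0], buf, sizeof buf - 1);
    close(fds[0]);
    int status;
    if (waitpid(pid, &status, 0) != pid)
        return OUTCOME_ERROR;
    if (WIFSIGNALED(status) && WTERMSIG(status) == SIGSYS)
        return OUTCOME_DENIED;
    if (!WIFEXITED(status))
        return OUTCOME_ERROR;
    switch (WEXITSTATUS(status)) {
    case 0:  return (n == 3 && strcmp(buf, "ok") == 0) ? OUTCOME_ALLOWED : OUTCOME_ERROR;
    case 2:  return OUTCOME_UNAVAILABLE;
    case 3:  return OUTCOME_ALLOWED;          /* the policy did not deny the call */
    default: return OUTCOME_ERROR;
    }
}

int main(void)
{
    static const char *names[] = { "allowed", "denied", "seccomp unavailable", "error" };
    printf("write():  %s\n", names[run_confined(TASK_WRITE)]);
    printf("socket(): %s\n", names[run_confined(TASK_NETWORK)]);
    return 0;
}
```

Build with `cc -o sandbox sandbox.c` and run it. The arch check at the top of the filter matters: without it a process could invoke the 32-bit compat syscall table, where the same numbers name different calls. The filter is deliberately an allow-list with a kill default rather than a deny-list, since a deny-list silently admits every syscall added to the kernel after it was written. A kernel or container runtime that refuses the filter is reported as "seccomp unavailable" rather than letting the caller mistake an unconfined child for a confined one; production sandboxes combine a filter like this with namespaces and filesystem restrictions, which this example leaves out.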




Published In

CompSysTech '17: Proceedings of the 18th International Conference on Computer Systems and Technologies
June 2017, 358 pages
ISBN: 9781450352345
DOI: 10.1145/3134302

In-Cooperation

  • UORB: University of Ruse, Bulgaria
  • TECHUVB: Technical University of Varna, Bulgaria

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. Program Isolation
  2. Sandboxing
  3. Security

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Funding Sources

  • Tekes - the Finnish Funding Agency

Conference

CompSysTech'17

Acceptance Rates

CompSysTech '17 Paper Acceptance Rate 42 of 107 submissions, 39%;
Overall Acceptance Rate 241 of 492 submissions, 49%


Cited By

  • (2024) Survey of Real-World Process Sandboxing. 2024 35th Conference of Open Innovations Association (FRUCT), pp. 520-531. DOI: 10.23919/FRUCT61870.2024.10516417. Published 24 Apr 2024.
  • (2023) PolyDoc: Surveying PDF Files from the PolySwarm network. 2023 IEEE Security and Privacy Workshops (SPW), pp. 117-134. DOI: 10.1109/SPW59333.2023.00017. Published May 2023.
  • (2022) A Study of Application Sandbox Policies in Linux. Proceedings of the 27th ACM Symposium on Access Control Models and Technologies, pp. 19-30. DOI: 10.1145/3532105.3535016. Published 7 Jun 2022.
  • (2020) Automated policy synthesis for system call sandboxing. Proceedings of the ACM on Programming Languages 4(OOPSLA), pp. 1-26. DOI: 10.1145/3428203. Published 13 Nov 2020.
  • (2019) Device Driver and System Call Isolation in Embedded Devices. 2019 22nd Euromicro Conference on Digital System Design (DSD), pp. 283-290. DOI: 10.1109/DSD.2019.00049. Published Aug 2019.
  • (2018) Virtual Machine Introspection based Cloud Monitoring Platform. Proceedings of the 19th International Conference on Computer Systems and Technologies, pp. 104-109. DOI: 10.1145/3274005.3274030. Published 13 Sep 2018.
