CapExec: Towards Transparently-Sandboxed Services (Extended Version)

09/26/2019
by   Mahya Soleimani Jadidi, et al.

Network services are among the riskiest programs executed by production systems. Such services execute large quantities of complex code and process data from arbitrary and untrusted network sources, often with high levels of system privilege. It is desirable to confine system services to a least-privileged environment so that the potential damage from a malicious attacker can be limited, but existing mechanisms for sandboxing services require invasive and system-specific code changes and are insufficient to confine broad classes of network services. Rather than sandboxing one service at a time, we propose that the best place to add sandboxing to network services is in the service manager that starts those services. As a first step towards this vision, we propose CapExec, a process supervisor that can execute a single service within a sandbox based on a service declaration file. This file specifies the resources the service requires, limited access to which is supported by Casper services. Using the Capsicum compartmentalization framework and its Casper service framework, CapExec provides robust application sandboxing without requiring any modifications to the application itself. We believe that this is a first step towards ubiquitous sandboxing of network services without the costs of virtualization.

Keywords: application security, sandboxing, service manager, Capsicum, compartmentalization
