Secure execution environment for untrusted programs using debugger technology
Publication Date: 2002-Aug-09
The IP.com Prior Art Database
Wayne Gramlich: INVENTOR [+2]
A "wrapper" can be built that allows the running of untrusted code with a single command: the wrapper starts and configures the debugger to build the padded cell, then tells the debugger to execute the code inside the cell. This wrapper can be invoked automatically by programs, such as mail readers and web browsers, that frequently run untrusted code.
The padded cell may provide various levels of permission to the untrusted code, including: no access to the file system; read-only access; read and delete; read, write, and delete. These decisions can be made for any part of the file system individually, by file, directory, or directory tree, since the debugger can see the name of any file the code tries to access.
An untrusted program may try to access the windowing system and draw on the screen. In Unix, this is done via the X Window protocol, which is accessed through a TCP/IP stream (even on local displays). X presents a security risk both from misleading displays (such as fake password dialogs) and because X servers are complex and tend to run in privileged mode. Attempts to open an X connection can be prevented entirely by trapping the connect system call. If limited X functionality is desired, the communication over the connection can be piped through an X protocol proxy, such as xfwp to restrict traffic or Xnest to restrict screen access. mmap system calls, sometimes used for faster direct frame buffer access, can be disabled. Security of X systems is beyond the scope of this disclosure, but is not a new problem and much prior art exists elsewhere.
In order to avoid some of the security problems associated with terminal emulators (e.g. vulnerability to CURSES), the padded cell software can restrict the terminal emulator to be one of the safe ones.
If a program tries to do something unexpected, the wrapper/debugger may ask the user whether to allow it, or simply disallow it automatically....