Skip to main content
Conference ProceedingsOPEN ACCESS

Recursive sandboxes: Extending systrace to empower applications

IFIP Advances in Information and Communication Technology (2004) 147 473-487
DOI: 10.1007/1-4020-8143-x_31
7Citations
Citations of this article
3Readers
Mendeley users who have this article in their library.

This article is free to access.

Abstract

The systrace system-call interposition mechanism has become a popular method for containing untrusted code through program-specific policies enforced by user-level daemons. We describe our extensions to systrace that allow sandboxed processes to further limit their children processes by issuing dynamically constructed policies. We discuss our extensions to the systrace daemon and the OpenBSD kernel, as well as a simple API for constructing simple policies. We present two separate implementations of our scheme, and compare their performance with the base systrace system. We show how our extensions can be used by processes such as ftpd, sendmail, and sshd. © 2004 by Springer Science+Business Media Dordrecht.

Author supplied keywords

Cite

CITATION STYLE

APA

Kurchuk, A., & Keromytis, A. D. (2004). Recursive sandboxes: Extending systrace to empower applications. In IFIP Advances in Information and Communication Technology (Vol. 147, pp. 473–487). Springer New York LLC. https://doi.org/10.1007/1-4020-8143-x_31

Register to see more suggestions

Mendeley helps you to discover research relevant for your work.

Already have an account?

Save time finding and organizing research with Mendeley

Sign up for free