Sandboxing Mobile Code Execution Environments

DARPA

Funded by: Defense Advanced Research Projects Agency

Project Statement

Mobile code is quickly becoming the dominant computing paradigm in today's Internet-enabled environments. Any Internet-enabled environment, including civilian and military defense, business, and academic, is susceptible to threats posed by mobile code. Today, organizations have little protection against malicious mobile code. The most common approach is simply to trust that mobile code will not damage your system, either implicitly by running mobile code or explicitly by accepting signed mobile code. With the exception of the Java Virtual Machine sandbox for constraining unsigned Java applets, there exists no technical solution for protecting host systems against malicious mobile code. In particular, today's computer systems are vulnerable to misbehaving active scripts such as JavaScript, JScript, VBScript, and proprietary scripting languages.

Mobile code is not fundamentally different from any other program executable that runs natively on machines today. What makes mobile code incredibly powerful as well as dangerous is that mobile code can be written by anyone, be distributed seamlessly over the Internet, and can often execute on any platform independent of the operating system or chip architecture. What makes mobile code pervasive is the ubiquitous Internet browser. The browser provides interpreters for mobile code of all types. Today's browser software integrates mailers and Web browsers—both fully capable of executing mobile content present in Web pages and email. What makes mobile code particularly dangerous is that it executes with the privilege of the user—giving the program the capability to access personal files, system resources, and the network. Once mobile code has seized control of the machine, it can destroy data, monitor Web usage, send files back over network connections, and open trap doors into the system.

In this project, we are designing a sandboxing environment for mobile code hosts that will effectively constrain the behavior of active scripts that execute within Internet-enabled software, such as Internet browsers, mailers, and agent hosts. The sandbox will prevent mobile code from corrupting the mobile code host (such as the browser) and the host system, while still allowing the mobile code host to perform the myriad activities it must carry out, such as writing to the file system and using network resources.

The innovation of this approach over current approaches is two-fold. First, it can prevent future, unknown malicious mobile code from compromising machines. Second, because the approach protects the browser from misbehaving mobile code, the user can continue to use the browser's broad range of functions without fear of compromising system integrity. Other approaches either scan for the presence of known malicious code and prevent its execution (thus providing no protection against future, unknown attacks), or cripple the browser in a way that makes it useless for the typical end user. Given the complexity of today's browsers, the pervasiveness of active scripting, and the growing threat active scripting poses to browser and system integrity, the approach being developed under this project provides a viable solution for executing untrusted mobile code.

Contact

Matthew Schmid, Principal Investigator