FlexBox: Sandboxing Internet servers based on layer-7 contexts

Ayumu Tanoue, Makoto Shimamura, Miyuki Hanaoka, Kenji Kono

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract

Internet servers are constantly exposed to malicious attacks launched remotely. Sandbox is a promising approach to reducing the damage caused by malicious attacks. A sandbox system provides a restricted environment for executing programs/codes from an Internet server, in which the accessible resources are limited to those required for legal execution. However, traditional sandbox systems are not suitable for preventing sensitive files, legally accessed by Internet servers, from being leaked or tampered. A sandbox system must permit access to sensitive files if the sandboxed server requires access to them. This paper presents FlexBox, a novel sandbox system that reduces the possibility of leaking or tampering with sensitive files accessed by Internet servers. The key observation is that Internet servers typically have several execution states, each of which requires different access rights to resources such as files, especially sensitive files that are usually accessed only in a few execution states. Therefore, if FlexBox dynamically changes a set of accessible files according to servers' execution states, it is expected to dramatically reduce the possibility of information leakage/tampering. To obtain the execution states of Internet servers, FlexBox exploits the layer-7 contexts of Internet servers, i.e., it monitors the network messages exchanged between the server and clients. We demonstrate that FlexBox can be applied to several real Internet servers and the overhead from FlexBox is reasonably low.

Original languageEnglish
Title of host publicationIEEE Symposium on Computers and Communications 2008, ISCC 2008
Pages386-391
Number of pages6
DOIs
Publication statusPublished - 2008 Nov 17
Event13th IEEE Symposium on Computers and Communications, ISCC 2008 - Marrakech, Morocco
Duration: 2008 Jul 62008 Jul 9

Publication series

NameProceedings - IEEE Symposium on Computers and Communications
ISSN (Print)1530-1346

Other

Other13th IEEE Symposium on Computers and Communications, ISCC 2008
CountryMorocco
CityMarrakech
Period08/7/608/7/9

    Fingerprint

ASJC Scopus subject areas

  • Software
  • Signal Processing
  • Mathematics(all)
  • Computer Science Applications
  • Computer Networks and Communications

Cite this

Tanoue, A., Shimamura, M., Hanaoka, M., & Kono, K. (2008). FlexBox: Sandboxing Internet servers based on layer-7 contexts. In IEEE Symposium on Computers and Communications 2008, ISCC 2008 (pp. 386-391). [4625645] (Proceedings - IEEE Symposium on Computers and Communications). https://doi.org/10.1109/ISCC.2008.4625645