As software and its supply chains grow more complex, sandboxing will continue to grow in importance. A sandbox is a security layer that is applied to a subset of a software system to impose a security policy, thus reducing the problem of verifying the security of the subset to that of verifying the sandbox. While sandboxes are often smaller and easier to verify than the system subsets they encapsulate, they are not always easy to apply effectively.
Given a complex system of the type that motivates sandboxing (e.g. a browser), how does an architect select a subset to sandbox? How does she pick an appropriate sandbox for her purpose and apply it correctly? To answer these questions I propose: (1) a qualitative investigation of the sandboxing landscape aimed at understanding the techniques used to encapsulate computations and the classes of vulnerabilities and potential malice mitigated by each technique, (2) an analysis framework that uses static and dynamic analysis techniques to prioritize untrusted system components and suggest sandboxing techniques that may be applied to them, and (3) a tool-assisted approach for applying a subset of the techniques suggested by the previous contribution to their target subsets, thus ensuring they are imposed correctly.
Jonathan Aldrich (Co-Chair)
William Scherlis (Co-Chair)
Lujo Bauer (CyLab and ECE)
Bruno Amizin (The Boeing Company
cherold [atsymbol] cs.cmu.edu