Department of Computer
University of Virginia
People often want to run programs without allowing them total control over their system. Users should not have to worry about buggy or malicious programs disrupting other programs, corrupting files on their disk, or compromising their privacy.
Modern operating systems provide some support by protecting process address spaces and setting access permissions on resources, but are limited by how much information they have about the acceptable behavior for a specific application. For example, behavior that is normal for a network backup utility would be considered suspicious for a web applet. While a general-purpose operating system cannot be expected to know the limits on acceptable behavior for an arbitrary program, an application writer can. Even a naive end-user has a reasonable notion of what different types of programs should not be expected to do.
We can express limits on the acceptable behavior of a program as a safety policy, consisting of a collection of safety properties. This work proposes to enable end-users to impose general safety policies on the programs they intend to run. Naccio is a general architecture that provides code safety by transforming programs according to a specification of desired safety properties. It takes an arbitrary untrusted program, a specification of the desired safety policy, specifications of system resources and descriptions of how system calls interact with those resources, and produces a trusted program that satisfies the specified safety policy.
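The pipeline described above, reduced to a toy in Python, as an added illustration that is not Naccio's own code and does not use its specification languages: a resource description (`FileSystemState`), a safety policy made of safety properties (`limit_bytes_written`, `no_deletions`), a platform interface description saying how each system call changes the resource (`PLATFORM_INTERFACE`), and a transformation (`enforce`) that wraps an untrusted program's system-call table so every call is checked against the policy before it runs. All names, the in-memory disk and the two sample "untrusted programs" are constructed for this example.

```python
import copy
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


class SafetyViolation(Exception):
    """Raised when a system call would leave a resource in a state the policy forbids."""


@dataclass
class FileSystemState:
    """Resource description: the abstract file-system state the policy reasons about.
    (Constructed for this illustration, not Naccio's resource language.)"""
    bytes_written: int = 0
    deleted: List[str] = field(default_factory=list)


SafetyProperty = Callable[[FileSystemState], bool]


def limit_bytes_written(limit: int) -> SafetyProperty:
    """Safety property: total bytes written to disk may not exceed `limit`."""
    def within_limit(fs: FileSystemState) -> bool:
        return fs.bytes_written <= limit
    within_limit.__name__ = f"limit_bytes_written({limit})"
    return within_limit


def no_deletions(fs: FileSystemState) -> bool:
    """Safety property: the program may not delete any file."""
    return not fs.deleted


# Platform interface description: how each system call changes the abstract resource.
def write_effect(fs: FileSystemState, path: str, data: bytes) -> None:
    fs.bytes_written += len(data)


def unlink_effect(fs: FileSystemState, path: str) -> None:
    fs.deleted.append(path)


PLATFORM_INTERFACE: Dict[str, Callable] = {"write": write_effect, "unlink": unlink_effect}


def enforce(policy: List[SafetyProperty], state: FileSystemState,
            interface: Dict[str, Callable], syscalls: Dict[str, Callable]) -> Dict[str, Callable]:
    """The program transformation: replace each system call with a guarded version that
    simulates its effect on the resource, checks every safety property, and only then
    commits the effect and performs the real call."""
    def wrap(name: str, real: Callable) -> Callable:
        def guarded(*args):
            trial = copy.deepcopy(state)          # evaluate the policy on a copy first
            interface[name](trial, *args)
            for prop in policy:
                if not prop(trial):
                    raise SafetyViolation(f"{name}{args} would violate {prop.__name__}")
            interface[name](state, *args)         # commit the effect to the real state
            return real(*args)                    # and let the call through
        return guarded
    return {name: wrap(name, real) for name, real in syscalls.items()}


# Two constructed "untrusted programs", each written against the system-call table.
def writes_too_much(calls: Dict[str, Callable]) -> None:
    calls["write"]("/tmp/out.txt", b"hello world")   # 11 bytes: allowed
    calls["write"]("/tmp/out.txt", b"x" * 100)       # would push the total past the limit


def tries_to_delete(calls: Dict[str, Callable]) -> None:
    calls["write"]("/tmp/out.txt", b"hello")
    calls["unlink"]("/tmp/out.txt")                  # forbidden by no_deletions


def run_guarded(program: Callable, limit: int = 64) -> Tuple[int, Dict[str, bytes], Optional[str]]:
    """Run `program` under the policy; return (bytes actually written, simulated disk, violation)."""
    disk: Dict[str, bytes] = {}                      # in-memory stand-in for the real file system
    real_syscalls = {
        "write": lambda path, data: disk.__setitem__(path, disk.get(path, b"") + data),
        "unlink": lambda path: disk.pop(path, None),
    }
    state = FileSystemState()
    policy = [limit_bytes_written(limit), no_deletions]
    guarded = enforce(policy, state, PLATFORM_INTERFACE, real_syscalls)
    try:
        program(guarded)
    except SafetyViolation as violation:
        return state.bytes_written, disk, str(violation)
    return state.bytes_written, disk, None


if __name__ == "__main__":
    for prog in (writes_too_much, tries_to_delete):
        print(prog.__name__, "->", run_guarded(prog))
```

The point of the structure is the separation of concerns the text describes: the end-user supplies only the policy, the resource and platform-interface descriptions are written once per platform, and the transformation is generic over both. Checking the property on a copy of the resource state before committing means a rejected call leaves both the abstract state and the disk untouched, which is the behaviour a monitor must have if the transformed program is to satisfy the policy rather than merely report violations.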
Examples of the class of safety properties Naccio supports include:
We are currently developing two implementations of Naccio. One works on JavaVM programs, the other on Win32/Alpha binaries.