Naccio
Department of Computer Science
University of Virginia

Research Summary

People often want to run programs without allowing them total control over their system. Users should not have to worry about buggy or malicious programs disrupting other programs, corrupting files on their disk, or compromising their privacy.

Modern operating systems provide some support by protecting process address spaces and setting access permissions on resources, but are limited by how much information they have about the acceptable behavior for a specific application. For example, behavior that is normal for a network backup utility would be considered suspicious for a web applet. While a general-purpose operating system cannot be expected to know the limits on acceptable behavior for an arbitrary program, an application writer can. Even a naive end-user has a reasonable notion of what different types of programs should not be expected to do.

We can express limits on the acceptable behavior of a program as a safety policy, consisting of a collection of safety properties. This work proposes to enable end-users to impose general safety policies on the programs they intend to run. Naccio is a general architecture that provides code safety by transforming programs according to a specification of desired safety properties. It takes an arbitrary untrusted program, a specification of the desired safety policy, specifications of system resources and descriptions of how system calls interact with those resources, and produces a trusted program that satisfies the specified safety policy.

Examples of the class of safety properties Naccio supports include:

  • Restricting what files or directories may be read and written
  • Requiring that any temporary files created by the program are removed before execution terminates
  • Placing a limit on the total amount of disk space that may be used by files created by the program
  • Prohibiting the application from communicating with certain IP addresses
  • Prohibiting the application from communicating with other hosts after sensitive files have been read
  • Limiting the fraction of available network bandwidth the application may consume during any five-second period
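To make the architecture concrete, here is an added example (not Naccio's code, its resource descriptions, or its policy language, none of which appear on this page) written in Python: a small resource model that tracks the state the properties above depend on, a policy expressed as checks over that state, and a monitor that stands in for the wrappers a transformed program would call instead of the raw platform calls. Every name, the operation trace format and the concrete limits are assumptions chosen for illustration; the traces are constructed inputs. The example goes slightly beyond the list by treating any call the policy does not know about as a violation, which is the fail-closed default a practitioner would want.

```python
"""Illustrative enforcement of the safety properties listed above.

Added example; not Naccio's implementation. Names, limits and the trace
format are assumptions. The idea it demonstrates is the one the summary
describes: policy checks are attached to the platform calls of an untrusted
program, and they consult an abstract model of the system resources.
"""
from dataclasses import dataclass, field


class PolicyViolation(Exception):
    """Raised when an interposed platform call would violate the policy."""


@dataclass
class ResourceState:
    """Abstract state of the resources the policy reasons about."""
    sensitive_read: bool = False              # has a sensitive file been read?
    disk_used: int = 0                        # bytes in files the program created
    temp_files: set = field(default_factory=set)
    sends: list = field(default_factory=list)  # (timestamp, bytes) of each send


@dataclass(frozen=True)
class SafetyPolicy:
    """One safety policy: a collection of the safety properties above (assumed values)."""
    readable: tuple = ("/app/", "/home/")
    writable: tuple = ("/tmp/",)
    sensitive: tuple = ("/home/",)
    disk_quota: int = 1024                    # bytes the program may create on disk
    blocked_hosts: frozenset = frozenset({"10.0.0.5"})
    bandwidth_limit: int = 4096               # bytes per window
    window: float = 5.0                       # seconds ("any five-second period")


class Monitor:
    """Each method is what the transformed program calls in place of a raw platform call."""

    def __init__(self, policy):
        self.policy = policy
        self.state = ResourceState()

    def open_read(self, path):
        if not path.startswith(self.policy.readable):
            raise PolicyViolation(f"read of {path} not permitted")
        if path.startswith(self.policy.sensitive):
            self.state.sensitive_read = True  # remembered for later network checks

    def create_file(self, path, nbytes, temporary=False):
        if not path.startswith(self.policy.writable):
            raise PolicyViolation(f"write to {path} not permitted")
        if self.state.disk_used + nbytes > self.policy.disk_quota:
            raise PolicyViolation("disk quota exceeded")
        self.state.disk_used += nbytes
        if temporary:
            self.state.temp_files.add(path)

    def remove_file(self, path):
        self.state.temp_files.discard(path)

    def send(self, host, nbytes, now):
        p, s = self.policy, self.state
        if host in p.blocked_hosts:
            raise PolicyViolation(f"communication with {host} prohibited")
        if s.sensitive_read:
            raise PolicyViolation("network send after sensitive read")
        recent = sum(b for t, b in s.sends if now - t < p.window)
        if recent + nbytes > p.bandwidth_limit:
            raise PolicyViolation("bandwidth limit exceeded")
        s.sends.append((now, nbytes))

    def exit(self):
        if self.state.temp_files:
            raise PolicyViolation(f"temp files left behind: {sorted(self.state.temp_files)}")


KNOWN_CALLS = {"open_read", "create_file", "remove_file", "send"}


def run(ops, policy=SafetyPolicy()):
    """Replay a trace of (call, *args) tuples through the monitor.

    Returns (True, "ok") if the whole run, including termination, satisfies
    the policy, else (False, reason). Unknown calls are refused (fail closed).
    """
    m = Monitor(policy)
    try:
        for call, *args in ops:
            if call not in KNOWN_CALLS:
                raise PolicyViolation(f"unmodelled call {call!r} refused")
            getattr(m, call)(*args)
        m.exit()
        return True, "ok"
    except PolicyViolation as err:
        return False, str(err)


# Constructed traces (not recorded from any real program).
BENIGN = [
    ("open_read", "/app/config"),
    ("create_file", "/tmp/scratch", 200, True),
    ("send", "192.0.2.10", 1000, 0.0),
    ("remove_file", "/tmp/scratch"),
]
LEAK = [  # reads a sensitive file, then tries to talk to the network
    ("open_read", "/home/alice/.ssh/id_rsa"),
    ("send", "192.0.2.10", 100, 0.0),
]

if __name__ == "__main__":
    print(run(BENIGN))
    print(run(LEAK))
```

The stateful properties are the interesting ones: the "no network after sensitive read" check is a single flag set by one call and consulted by another, and the bandwidth limit needs a sliding window over past sends. Both are easy to express once the checks sit next to the resource model rather than in the operating system, which is the point of the summary: the policy, not the OS, knows that reading `/home` and then sending is suspicious for this program.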

We are currently developing two implementations of Naccio: one for JavaVM programs, the other for Win32/Alpha binaries.

Safety Policies

Describing Resources
Expressing Safety Policies
Platform Interfaces
Generating Policies
Transforming Applications

Naccio Home Page
David Evans
University of Virginia, Computer Science