MAPbox: Using Parameterized Behavior Classes to Confine Applications

1999 
Designing a suitable mechanism to confine commonly used applications is challenging because such a mechanism must satisfy conflicting requirements: the trade-off is between configurability and ease of use. In this paper, we present the design, implementation and evaluation of MAPbox, a general-purpose confinement mechanism that retains the ease of use of specialized sandboxes such as Janus and SBOX while providing significantly more configurability. The key idea is to group application behaviors into classes based on the expected functionality and the resources required to achieve that functionality. Classifying behaviors yields a set of behavior labels (class names) that the provider of a program and its users can use to communicate the program's expected functionality concisely, much as MIME types concisely describe the expected format of data files. Classifying application behaviors also allows a class-specific sandbox to be built and instantiated for each behavior class. We present a study of the behavior and resource requirements of a set of commonly used applications and use the results of this study to define a set of application behavior classes. We also evaluate how effectively this technique confines a variety of commonly used applications and how much overhead it introduces.
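The following Python sketch is an added illustration of the idea described in the abstract; it is not MAPbox's own code, and the class names (`filter`, `reader`, `transformer`, `netclient`), the `class; param=value` label syntax and the parameter names `dir` and `endpoint` are assumptions chosen for the example, not the paper's actual class set. A behavior label names a class and supplies its parameters, the label is instantiated into a concrete resource policy, and a reference monitor checks each request an application makes against that policy (default deny). The path check normalises `..` before the prefix comparison, since a lexical prefix test on the raw string would let `/docs/../etc/passwd` pass as "under `/docs`".

```python
import posixpath
from dataclasses import dataclass

# Added example of a parameterized behavior-class sandbox (not MAPbox code).
# Class names, label syntax and parameter names below are assumptions.


@dataclass(frozen=True)
class Request:
    op: str       # "read", "write", "exec" or "connect"
    target: str   # filesystem path, or "host:port" for connect


@dataclass(frozen=True)
class Policy:
    read: tuple = ()     # path prefixes the program may read
    write: tuple = ()    # path prefixes the program may write
    exec_: tuple = ()    # path prefixes the program may execute from
    connect: tuple = ()  # "host:port" endpoints the program may connect to


def _under(path: str, prefixes) -> bool:
    """Normalise '.' and '..' lexically before the prefix test so that
    '/docs/../etc/passwd' is judged as '/etc/passwd', not as under /docs."""
    norm = posixpath.normpath(path)
    for pre in prefixes:
        pre = posixpath.normpath(pre)
        if norm == pre or norm.startswith(pre.rstrip("/") + "/"):
            return True
    return False


# Each behavior class is a function from label parameters to a Policy.
def _filter(p):       # reads stdin, writes stdout/stderr, touches nothing else
    return Policy(read=("/dev/stdin",), write=("/dev/stdout", "/dev/stderr"))

def _reader(p):       # a filter that may also read one directory tree
    return Policy(read=("/dev/stdin", p["dir"]), write=("/dev/stdout", "/dev/stderr"))

def _transformer(p):  # reads and writes within one directory tree
    return Policy(read=("/dev/stdin", p["dir"]),
                  write=("/dev/stdout", "/dev/stderr", p["dir"]))

def _netclient(p):    # a reader that may also connect to one named endpoint
    return Policy(read=("/dev/stdin", p["dir"]), write=("/dev/stdout", "/dev/stderr"),
                  connect=(p["endpoint"],))

BEHAVIOR_CLASSES = {"filter": _filter, "reader": _reader,
                    "transformer": _transformer, "netclient": _netclient}


def parse_label(label: str):
    """'reader; dir=/home/alice/docs' -> ('reader', {'dir': '/home/alice/docs'}),
    mirroring the 'type; param=value' shape of a MIME type with parameters."""
    name, *params = [part.strip() for part in label.split(";")]
    kv = {}
    for part in params:
        if part:
            key, _, value = part.partition("=")
            kv[key.strip()] = value.strip()
    return name, kv


def instantiate(label: str) -> Policy:
    """Build the class-specific sandbox policy for a behavior label."""
    name, params = parse_label(label)
    if name not in BEHAVIOR_CLASSES:
        raise ValueError(f"unknown behavior class: {name}")
    return BEHAVIOR_CLASSES[name](params)  # KeyError if a required parameter is missing


def allowed(policy: Policy, req: Request) -> bool:
    if req.op == "read":
        return _under(req.target, policy.read)
    if req.op == "write":
        return _under(req.target, policy.write)
    if req.op == "exec":
        return _under(req.target, policy.exec_)
    if req.op == "connect":
        return req.target in policy.connect
    return False  # default deny for anything the class does not describe


def confine(label: str, trace) -> list:
    """Check a trace of requests against the sandbox the label instantiates and
    return (request, verdict) pairs. A real monitor would stop at the first denial."""
    policy = instantiate(label)
    return [(req, allowed(policy, req)) for req in trace]


# Constructed trace of a document viewer labelled "reader; dir=/home/alice/docs".
SAMPLE_TRACE = (
    Request("read", "/home/alice/docs/report.txt"),
    Request("read", "/home/alice/docs/../../../etc/passwd"),  # '..' escape attempt
    Request("write", "/home/alice/docs/report.txt"),         # readers may not write
    Request("connect", "203.0.113.5:80"),                    # readers have no network
    Request("write", "/dev/stdout"),
)


def demo() -> list:
    return [ok for _, ok in confine("reader; dir=/home/alice/docs", SAMPLE_TRACE)]


if __name__ == "__main__":
    for req, ok in confine("reader; dir=/home/alice/docs", SAMPLE_TRACE):
        print("ALLOW" if ok else "DENY ", req.op, req.target)
```

The same binary relabelled `netclient; dir=/home/alice/docs; endpoint=203.0.113.5:80` would have its `connect` request allowed and nothing else changed, which is the point of parameterizing the class rather than writing a per-application policy from scratch.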