Data Sandboxing: A Technique for Enforcing Confidentiality Policies
Miami Beach, Florida, USA December 11-December 15
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/ACSAC.2006.22
22nd Annual Computer Security Applica ...
Tejas Khatiwala, University of Illinois, Chicago, USA
Raj Swaminathan, University of Illinois, Chicago, USA
V.N. Venkatakrishnan, University of Illinois, Chicago, USA
When an application reads private / sensitive information and subsequently communicates on an output channel such as a public file or a network connection, how can we ensure that the data written is free of private information? In this paper, we address this question in a practical setting through the use of a technique that we call "data sandboxing". Essentially, data sandboxing is implemented using the popular technique of system call interposition to mediate output channels used by a program. To distinguish between private and public data, the program is partitioned into two: one that contains all the instructions that handle sensitive data and the other containing the rest of the instructions. This partitioning is performed based on techniques from program slicing. When run together, these two programs collectively replace the original program. To address confidentiality, these programs are sandboxed with different system call interposition based policies. We discuss the design and implementation of a tool that enforces confidentiality policies on C programs using this technique. We also report our experiences in using our tool over several programs that handle confidential data.
Citation:
Tejas Khatiwala, Raj Swaminathan, V.N. Venkatakrishnan, "Data Sandboxing: A Technique for Enforcing Confidentiality Policies," acsac, pp.223-234, 22nd Annual Computer Security Applications Conference (ACSAC'06), 2006