MAPbox: Using Parameterized Behavior Classes to Confine Applications

Report ID: 
A. Acharya and M. Raje
1999-05-01 05:00:00


Designing a suitable mechanism to confine commonly used applications is challenging as such a mechanism needs to satisfy conflicting requirements. The trade-off is between configurability and ease of use. In this paper, we present the design, implementation and evaluation of MAPbox, a general-purpose confinement mechanism that retains the ease of use of specialized sandboxes such as Janus and SBOX while providing significantly more configurability. The key idea is to group application behaviors into classes based on the expected functionality and the resources required to achieve that functionality. Classification of behaviors provides a set of behavior labels (class names) that can be used to concisely communicate the expected functionality of programs between the provider and the users. This is similar to the MIME-types used to concisely describe the expected format of data files. Classification of application behaviors also allows class-specific sandboxes to be built and instantiated for each behavior class. We present a study of the behavior and resource requirements of a set of commonly used applications and use the results of this study to define a set of application behavior classes. We also evaluate how effective this technique is in confining a variety of commonly used applications and how much overhead it introduces.
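To illustrate the idea of a parameterized behavior class being bound to concrete parameters and instantiated as a class-specific sandbox, here is an added Python sketch; it is not MAPbox's code, and the class names (`reader`, `filter`), their rule templates, the operation names and the access trace are all constructed for this example rather than taken from the paper's study.

```python
import fnmatch
from dataclasses import dataclass

# Constructed behavior classes (not the paper's own class set). Each rule is
# (operation, resource pattern); "{dir}" is a parameter bound at instantiation.
BEHAVIOR_CLASSES = {
    "reader": [("open_read", "{dir}/*"), ("open_read", "/etc/ld.so.cache"),
               ("open_read", "/lib/*")],
    "filter": [("open_read", "/dev/stdin"), ("open_write", "/dev/stdout")],
}

@dataclass(frozen=True)
class Sandbox:
    label: str
    rules: tuple  # concrete (operation, glob) pairs after parameter substitution

    def allows(self, op, resource):
        return any(op == r_op and fnmatch.fnmatchcase(resource, pat)
                   for r_op, pat in self.rules)

def instantiate(label, **params):
    """Bind a parameterized behavior class to concrete parameters (e.g. the
    directory a 'reader' may read), yielding a sandbox that admits only the
    resources the class needs for its stated functionality."""
    template = BEHAVIOR_CLASSES[label]
    rules = tuple((op, pat.format(**params)) for op, pat in template)
    return Sandbox(label, rules)

def audit(sandbox, trace):
    """Return the events of an access trace that the sandbox would deny; any
    denied event means the program does not conform to the behavior label it
    was shipped with, which is exactly what the label lets a user check."""
    return [(op, res) for op, res in trace if not sandbox.allows(op, res)]

# Constructed trace for a program labelled 'reader' over /home/alice/docs.
TRACE = [
    ("open_read", "/lib/libc.so.6"),
    ("open_read", "/home/alice/docs/report.txt"),
    ("open_read", "/home/alice/mail/inbox"),  # outside the bound directory
    ("connect", "203.0.113.5:443"),           # network is not in this class
]

if __name__ == "__main__":
    sb = instantiate("reader", dir="/home/alice/docs")
    for event in audit(sb, TRACE):
        print("DENY", *event)
```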