3rd International ICST Symposium on Information Assurance and Security

Research Article

Accurate Application-Specific Sandboxing for Win32/Intel Binaries

  • @INPROCEEDINGS{10.1109/IAS.2007.86,
        author={Wei  Li and Lap-chung  Lam and Tzi-cker  Chiueh},
        title={Accurate Application-Specific Sandboxing for Win32/Intel Binaries},
        proceedings={3rd International ICST Symposium on  Information Assurance and Security},
        keywords={Application software  Birds  Buffer overflow  Business  Companies  Computer security  Computerized monitoring  Control systems  Libraries  Subscriptions},
  • Wei Li
    Lap-chung Lam
    Tzi-cker Chiueh
    Year: 2007
    Accurate Application-Specific Sandboxing for Win32/Intel Binaries
    DOI: 10.1109/IAS.2007.86
Wei Li1, Lap-chung Lam1, Tzi-cker Chiueh1
  • 1: Computer Science Department Stony Brook University


Comparing the system call sequence of a network application against a sandboxing policy is a popular approach to detecting control-hijacking attack, in which the attacker exploits such software vulnerabilities as buffer overflow to take over the control of a victim application and possibly the underlying machine. The long-standing technical barrier to the acceptance of this system call monitoring approach is how to derive accurate sandboxing policies for Windows applications whose source code is unavailable. In fact, many commercial computer security companies take advantage of this fact and fashion a business model in which their users have to pay a subscription fee to receive periodic updates on the application sandboxing policies, much like anti-virus signatures. This paper describes the design, implementation and evaluation of a sandboxing system called BASS that can automatically extract a highly accurate application-specific sandboxing policy from a Win32/X86 binary, and enforce the extracted policy at run time with low performance overhead. BASS is built on a binary interpretation and analysis infrastructure called BIRD, which can handle application binaries with dynamically linked libraries, exception handlers and multi-threading, and has been shown to work correctly for a large number of commercially distributed Windows- based network applications, including IIS and Apache. The throughput and latency penalty of BASS for all the applications we have tested except one is under 8%.