Data Sandboxing for Confidentiality
When an application that reads private information also communicates on an output channel that others can observe, such as a file or a network connection, how can we enforce a policy that the data it writes is free of private information? In this work we address this question for a practical setting through a technique we call data sandboxing. Data sandboxing builds on the popular technique of system call interposition to mediate operations on communication channels such as files. The problem with interposition on its own is that it cannot distinguish operations that process sensitive information from those that do not. As a result, a confidentiality policy that blocks all writes to public output channels will prevent most programs from running at all. To distinguish sensitive from public data in a program, we partition the application into two separate programs, isolated from each other by ordinary address spaces, and enforce a different confidentiality policy on each. The first program performs the operations on public output channels, and its policy does not allow it to read sensitive information. The second program is allowed to read sensitive information, but is not allowed to write to public channels. Taken together, the two policies enforce a confidentiality policy for the original program that prevents leakage of sensitive information on publicly observable channels. We perform the partitioning using techniques from program slicing. In this talk, we sketch the design, implementation and evaluation of a tool that enforces confidentiality policies on C programs using this technique.
To be presented at the Annual Computer Applications Security Conference (ACSAC), Miami, FL, December 2006.
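The following is an added illustration of the two-partition policy sketched in the abstract; it is not the paper's tool. It models an interposition layer as a function over a trace of system calls and shows why the unpartitioned program is blocked under either policy while each slice runs under its own. The file paths, the syscall trace format and the two slices are constructed assumptions; real program slicing and real syscall mediation are out of scope here.

```python
"""Model of the two-partition confidentiality policy (added example)."""

# Constructed: the set of files that hold sensitive information.
SENSITIVE_FILES = {"/etc/shadow", "/home/alice/secrets.txt"}


def is_sensitive(path):
    return path in SENSITIVE_FILES


def is_public_channel(target):
    # Anything that is not a sensitive file is observable by others:
    # ordinary files, sockets, stdout.
    return not is_sensitive(target)


def check_syscall(partition, call, target, mode=None):
    """Return True if the call is permitted for the given partition.

    'public'  may write to public channels, may not read sensitive data.
    'private' may read sensitive data, may not write to public channels.
    call is 'open' with mode 'r'/'w', or 'connect'/'send' for the network.
    """
    if partition == "public":
        if call == "open" and "r" in mode and is_sensitive(target):
            return False
        return True
    if partition == "private":
        if call == "open" and "w" in mode and is_public_channel(target):
            return False
        if call in ("connect", "send"):  # every network peer is public
            return False
        return True
    raise ValueError("unknown partition: %r" % partition)


def run_under_policy(partition, trace):
    """Mediate a trace of (call, target, mode); return the first denied call or None."""
    for call, target, mode in trace:
        if not check_syscall(partition, call, target, mode):
            return (call, target, mode)
    return None


# Constructed sample trace: one program reads a secret, writes a log, sends on the net.
ORIGINAL = [("open", "/home/alice/secrets.txt", "r"),
            ("open", "/var/log/app.log", "w"),
            ("send", "10.0.0.5:443", None)]
# Hypothetical slices a partitioning step could produce from ORIGINAL.
PUBLIC_SLICE = [("open", "/var/log/app.log", "w"), ("send", "10.0.0.5:443", None)]
PRIVATE_SLICE = [("open", "/home/alice/secrets.txt", "r"),
                 ("open", "/home/alice/secrets.txt", "w")]
```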
author = {Tejas Khatiwala and Raj Swaminathan},
title = {Data Sandboxing for Confidentiality},
year = {2006},
address = {Vancouver, B.C. Canada},
publisher = {USENIX Association},
month = jul,
}