With the spread of the Internet, malicious code propagates faster than ever, and the damage it causes to individuals and enterprises cannot be neglected. Traditional analysis and detection of malicious programs suffer from many problems. The sandbox was born as an application that provides a highly isolated environment for running suspicious programs.

By the degree of guest modification required, virtualization is commonly divided into paravirtualization and full virtualization. The sandbox in this paper is based instead on user-level virtualization, which gives a user program direct and safe access to privileged hardware features such as ring protection; the system providing it is called Dune. Compared with a VMM that must support an entire guest operating system, Dune is far more compact, and compared with paravirtualization, which requires the guest kernel to be modified, Dune is delivered as a loadable kernel module. By the level at which they run, sandboxes fall into three kinds: application-layer sandboxes, kernel-layer sandboxes, and hybrid (mixed-layer) sandboxes.

Based on an analysis of current sandbox research and its deficiencies, this paper presents a sandbox built on user-level virtualization technology, the Dune sandbox. The Dune sandbox is a kernel-layer sandbox with the following advantages over current mainstream sandboxes. First, with the help of Dune's user-level virtualization, the Dune sandbox delivers the basic sandbox functions with streamlined code. Second, it uses two independent ELF loaders, so that malicious code cannot attack the sandbox itself, which improves the sandbox's stability. Third, by hooking the system call table, the Dune sandbox provides an efficient, in-depth monitoring mechanism for the system calls (API calls) made by the user program. Fourth, through a strict isolation mechanism, when the Dune sandbox detects an attempt by the user program to tamper with the system, the operation is transferred to a safe area. Fifth, a fast recovery mechanism based on folder redirection lets a program judged to be non-malicious have its effects restored.

We implemented the Dune sandbox on the Linux platform. The implementation covers file isolation, process isolation, program behaviour monitoring, and file redirection. Experiments and tests show that the Dune sandbox completes the basic functions with high performance.
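The following is an added illustration, not code from the paper or from Dune, of the path-handling decision that a folder-redirection hook such as the one described above has to make: canonicalize the path a sandboxed program asked for, decide whether it touches system state, and map it onto a private copy under a sandbox root without letting "../" sequences escape that root. It is ordinary user-space C rather than a kernel-level system call hook, and the function names, the sandbox root /var/sandbox and the list of protected prefixes are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

#define SBX_PATH_MAX        4096
#define SBX_MAX_COMPONENTS  256

/* Collapse ".", ".." and repeated "/" in an absolute path, so that
 * "/etc/../../etc/passwd" becomes "/etc/passwd". A ".." at the root is
 * dropped, as the Linux VFS does, so no input can climb above "/".
 * Returns 0 on success, -1 if the path is relative or does not fit. */
static int normalize_abs_path(const char *in, char *out, size_t outlen)
{
    const char *part[SBX_MAX_COMPONENTS];
    size_t plen[SBX_MAX_COMPONENTS];
    size_t n = 0, pos = 0;

    if (in == NULL || in[0] != '/')
        return -1;
    for (const char *p = in; *p; ) {
        while (*p == '/')
            p++;
        if (!*p)
            break;
        const char *start = p;
        while (*p && *p != '/')
            p++;
        size_t len = (size_t)(p - start);
        if (len == 1 && start[0] == '.')
            continue;                        /* "." is a no-op */
        if (len == 2 && start[0] == '.' && start[1] == '.') {
            if (n > 0)                       /* "..": pop, but never below "/" */
                n--;
            continue;
        }
        if (n >= SBX_MAX_COMPONENTS)
            return -1;
        part[n] = start;
        plen[n++] = len;
    }
    if (n == 0) {
        if (outlen < 2)
            return -1;
        strcpy(out, "/");
        return 0;
    }
    for (size_t i = 0; i < n; i++) {
        if (pos + 1 + plen[i] + 1 > outlen)
            return -1;
        out[pos++] = '/';
        memcpy(out + pos, part[i], plen[i]);
        pos += plen[i];
    }
    out[pos] = '\0';
    return 0;
}

/* Does the request touch a location the monitor treats as system state?
 * The prefix list is a constructed example policy, not the paper's. */
int sandbox_is_protected_path(const char *requested)
{
    static const char *const prefixes[] = {
        "/etc", "/usr", "/bin", "/sbin", "/lib", "/boot", "/sys", "/proc"
    };
    char norm[SBX_PATH_MAX];
    if (normalize_abs_path(requested, norm, sizeof norm) != 0)
        return 0;
    for (size_t i = 0; i < sizeof prefixes / sizeof prefixes[0]; i++) {
        size_t pl = strlen(prefixes[i]);
        if (strncmp(norm, prefixes[i], pl) == 0 && (norm[pl] == '\0' || norm[pl] == '/'))
            return 1;
    }
    return 0;
}

/* Map a requested path onto the program's private copy under sandbox_root.
 * Paths already inside sandbox_root are returned unchanged, so the program
 * can read back what it wrote. Returns 0 on success, -1 on malformed input,
 * an unusable root, or a result that would fall outside sandbox_root. */
int sandbox_redirect(const char *sandbox_root, const char *requested,
                     char *out, size_t outlen)
{
    char root[SBX_PATH_MAX], norm[SBX_PATH_MAX];
    if (normalize_abs_path(sandbox_root, root, sizeof root) != 0 || strcmp(root, "/") == 0)
        return -1;                           /* a root of "/" isolates nothing */
    if (normalize_abs_path(requested, norm, sizeof norm) != 0)
        return -1;

    size_t rl = strlen(root);
    if (strncmp(norm, root, rl) == 0 && (norm[rl] == '\0' || norm[rl] == '/')) {
        if (strlen(norm) + 1 > outlen)
            return -1;
        strcpy(out, norm);                   /* already redirected */
        return 0;
    }
    int w = snprintf(out, outlen, "%s%s", root, strcmp(norm, "/") == 0 ? "" : norm);
    if (w < 0 || (size_t)w >= outlen)
        return -1;
    /* Isolation check: whatever was computed must still lie under root. */
    if (strncmp(out, root, rl) != 0 || (out[rl] != '\0' && out[rl] != '/'))
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed sample requests, as a file-system hook would see them. */
    const char *requests[] = { "/etc/../../etc/passwd", "/home/u/./docs/../a.txt",
                               "/var/sandbox/etc/passwd", "relative/path" };
    char buf[SBX_PATH_MAX];
    for (size_t i = 0; i < sizeof requests / sizeof requests[0]; i++) {
        int rc = sandbox_redirect("/var/sandbox", requests[i], buf, sizeof buf);
        printf("%-26s protected=%d -> %s\n", requests[i],
               sandbox_is_protected_path(requests[i]), rc == 0 ? buf : "(rejected)");
    }
    return 0;
}
```

Normalizing before the prefix comparison is the part that matters for isolation: a hook that concatenates the raw request onto the sandbox root, or that matches "/etc" against the un-normalized string, can be walked out of its directory with "../" or bypassed with "/tmp/../etc/passwd". The final check that the computed path still starts with the root is deliberately redundant with the construction; in a monitor that is also the last line of defence, a cheap re-check of the invariant is worth keeping.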