Light-weight proactive approach for safe execution of untrusted code

Today's malware attacks are cleverly crafted and cause huge loss of resources. Existing proactive defense mechanisms against malware include isolation, sandboxing, information flow tracking, etc. These mechanisms completely block information flow on the system. But sometimes we do need the functionality provided by software from untrusted or unknown sources that are not malicious. The problem that we try to solve here is of executing this untrusted code on a real system so that it can coexist with other applications in the same environment, thus allowing safe information flow. At the same time we want to protect the system so that it does not get compromised due to untrusted information. Available approaches for information flow tracking are intrusive and require significant kernel changes, thus making them difficult to port and maintain across different operating systems or even newer version of the same OS. We propose a light-weight approach, based on userid, for proactive integrity protection and safe execution of untrusted code. We mediate all information flow in the system in order to provide protection from sophisticated malware and attacks.