See our ACSAC 2003 "Outstanding Paper" and NDSS 2005 paper for an overview of this approach.


The goal of Alcatraz is to enable safe execution of untrusted code. Unlike sandboxing approches that restrict file access, Alcatraz allows untrusted code to access the entire file system. This factor enables most programs to run successfully under Alcatraz, as opposed to experiencing runtime aborts/exceptions due to security violations.

Alcatraz ensures system integrity by isolating changes made by untrusted process(es) so that they are invisible to other processes. This file-level isolation is achieved using isolation contexts, which can be thought of as a "private copy" of the entire file system. The untrusted process and all its children run within an isolation context, so that they all have a consistent view of the system. Isolation contexts are implemented using a copy-on-write technique, so that their storage requirements are proportional to the changes made within them, and not to the size of the entire file system. Performance overheads are modest for the application domain.

An important benefit of Alcatraz is that users don't have to specify what it means for untrusted software to operate correctly or securely. They simply run the code, and examine the results produced by the code. If the results are acceptable to them, they are committed to the file system. Otherwise, all changes made by untrusted code are discarded. This feature enables Alcatraz to be used beyond the domain of untrusted applications, e.g., to do a trial installation and testing of software. The test installation enables a user to assess whether the software solves the specific problem of interest to them, and address issues such as interactions with other software installated on the same machine.


Shipped under GPL. Current version: 0.6.4.
Alcatraz is a plug-in of etrace, which needs to be installed first.

Compatible OS: RedHat Linux 7.3, 8.0, Fedora Core 2, Red Hat Enterprise Linux 4/CentOS 4.