Portable Integrity Protection System (PIP)
Commonly deployed solutions can be divided into sandboxing and isolation. They have their own strengths and weaknesses: Sandboxing preserves resource namespace. Applications have the same view of resources and hence PIP facilitates application composition. However, it is difficult to develop untrusted code policies that preserve usability and protect against sophisticated malware. On the other hand, isolation permits sufficient access for most applications to work while separating the resources used by benign and untrusted processes. It also requires no policy development, making untrusted processes usable. However, user data is partitioned into multiple containers, making it hard to compose applications. To share data across containers, data has to be transferred out-of-band. As such, malware may also be transferred and to breach the security.
The goal of our approach is to provide same security protection as isolation but under a single, unfragmented view of user's data. It is natural to start with the sandboxing model. However, as mentioned earlier, it is difficult to develop secure yet functional sandboxing policies for untrusted code. So, we focus policy enforcement on goodware rather than (potential) malware. In addition to preventing subversion attacks on benign software, our design utilizes benign sandboxing to relax and simplify policies on untrusted code, thus improving their usability as well as security.
- decomposed sandbox architecture: combine sandboxing for untrusted and benign processes to simplify the design and implementation
- techniques for inferring policies from runtime time and profile data for untrusted processes
- system integrity assurance
- sparing users from making security-critical policy decisions
- portable implementation (supports both Linux, BSD, and Windows OSes)
Shipped under GPLv3. The download is available in the following formats:
- A preconfigured Linux VM image in the open virtual architecture (ova) format. A README file is also available.
- A source tarball. Please read the README and DOCUMENTATION
file in the package for more information. The package includes an installer that
can install the system on 32-bit Ubuntu 10.04 in two commands:
cd lwip_installation sudo ./install.sh
- A precompiled binary for Windows VM available for download (select IE11 on Win8.1), as well as source code in Microsoft Visual Studio project format. A README file is also available.
This work was supported in part by an AFOSR grant FA9550-09-1-0539, an NSF grant CNS-0831298, an ONR grant N000140710928, and a DARPA contract FA8650-15-C-7561.