Stony Brook University Logo Department of Computer Science Stony Brook Search Button
Secure Systems Lab

Portable Integrity Protection System (PIP)


Portable Integrity Protection (PIP) System protects system integrity from untrusted code/data that may harbor sophisticated malware. It is based on a dual-sandboxing architecture to confine not only untrusted, but also benign processes. By confining both untrusted and benign processes, the untrusted sandbox places only a few restrictions, thereby permitting most untrusted applications to function normally. Integrity of benign processes can be protected at the same time.

Commonly deployed solutions can be divided into sandboxing and isolation. They have their own strengths and weaknesses: Sandboxing preserves resource namespace. Applications have the same view of resources and hence PIP facilitates application composition. However, it is difficult to develop untrusted code policies that preserve usability and protect against sophisticated malware. On the other hand, isolation permits sufficient access for most applications to work while separating the resources used by benign and untrusted processes. It also requires no policy development, making untrusted processes usable. However, user data is partitioned into multiple containers, making it hard to compose applications. To share data across containers, data has to be transferred out-of-band. As such, malware may also be transferred and to breach the security.

The goal of our approach is to provide same security protection as isolation but under a single, unfragmented view of user's data. It is natural to start with the sandboxing model. However, as mentioned earlier, it is difficult to develop secure yet functional sandboxing policies for untrusted code. So, we focus policy enforcement on goodware rather than (potential) malware. In addition to preventing subversion attacks on benign software, our design utilizes benign sandboxing to relax and simplify policies on untrusted code, thus improving their usability as well as security.

Key features

  • decomposed sandbox architecture: combine sandboxing for untrusted and benign processes to simplify the design and implementation
  • techniques for inferring policies from runtime time and profile data for untrusted processes
  • system integrity assurance
  • sparing users from making security-critical policy decisions
  • portable implementation (supports both Linux, BSD, and Windows OSes)

Download and Installation

Shipped under GPLv3. The download is available in the following formats:

The system was also ported to 32-bit PCBSD 8.0. The above installation packages, however, have been tested on 32-bit Ubuntu 10.04 and 32-bit Windows 8.1 only. Users interested in installing the system on BSD or other Windows systems can send email (wsze at cs dot stonybrook dot edu) to request for information regarding installation instructions.


This work was supported in part by an AFOSR grant FA9550-09-1-0539, an NSF grant CNS-0831298, an ONR grant N000140710928, and a DARPA contract FA8650-15-C-7561.

Home Contact NSI Computer Science Stony Brook University

Copyright © 1999-2013 Secure Systems Laboratory, Stony Brook University. All rights reserved.