Portable Integrity Protection System (PIP)
Introduction
The Portable Integrity Protection (PIP) System protects system integrity from untrusted code and data that may harbor sophisticated malware. It is based on a dual-sandboxing architecture that confines not only untrusted but also benign processes. Because benign processes are confined as well, the untrusted sandbox needs to place only a few restrictions, permitting most untrusted applications to function normally, while the integrity of benign processes is protected at the same time.
Commonly deployed solutions can be divided into sandboxing and isolation. Each has its own strengths and weaknesses. Sandboxing preserves the resource namespace: applications share the same view of resources, which facilitates application composition. However, it is difficult to develop policies for untrusted code that preserve usability and still protect against sophisticated malware. Isolation, on the other hand, permits sufficient access for most applications to work while separating the resources used by benign and untrusted processes. It requires no policy development, so untrusted processes remain usable. However, user data is partitioned into multiple containers, making it hard to compose applications. To share data across containers, data has to be transferred out-of-band, and malware may be transferred along with it, breaching the security boundary.
The goal of our approach is to provide the same security protection as isolation, but under a single, unfragmented view of the user's data. It is natural to start with the sandboxing model. However, as mentioned earlier, it is difficult to develop secure yet functional sandboxing policies for untrusted code. So, we focus policy enforcement on goodware rather than (potential) malware. In addition to preventing subversion attacks on benign software, our design uses benign sandboxing to relax and simplify the policies on untrusted code, improving their usability as well as their security.
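The dual-sandbox idea above, as an added toy model written for this page rather than PIP's own code: both process classes see one shared file namespace, and each is confined by its own policy. The two-level label, the specific deny rules and the sample paths are assumptions, not the project's actual policy.

```python
"""Toy model of a dual-sandbox integrity monitor (illustration, not PIP's code).

Assumption: a two-level integrity label (benign / untrusted) on processes and
files. The deny rules below are one plausible encoding, not PIP's real policy.
"""
from enum import Enum


class Label(Enum):
    BENIGN = "benign"
    UNTRUSTED = "untrusted"


class Monitor:
    """Single, unfragmented namespace: one label table shared by all processes.
    No per-application policy is written for untrusted code; only two fixed
    sandboxes exist, one per process class."""

    def __init__(self, file_labels):
        self.files = dict(file_labels)

    def check(self, proc, op, path):
        """Return True if a process labelled `proc` may perform `op` on `path`."""
        target = self.files.get(path)
        if target is None:
            return True  # creating a new file is allowed for either class
        if proc is Label.UNTRUSTED:
            # Untrusted sandbox: few restrictions. Only modification of benign
            # (system or user) data is denied; reads and execs are free.
            return not (op == "write" and target is Label.BENIGN)
        # Benign sandbox: the subversion check. A benign process may not
        # consume (read or execute) untrusted input.
        if op in ("read", "exec") and target is Label.UNTRUSTED:
            return False
        return True

    def write(self, proc, path):
        """Apply a permitted write. Data written by an untrusted process stays
        visible in the shared namespace but is tracked as untrusted, so a
        benign process will later be refused when it tries to consume it."""
        if not self.check(proc, "write", path):
            return False
        if proc is Label.UNTRUSTED:
            self.files[path] = Label.UNTRUSTED
        return True
```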
Key features
- decomposed sandbox architecture: combine sandboxing for untrusted and benign processes to simplify the design and implementation
- techniques for inferring policies for untrusted processes from runtime and profile data
- system integrity assurance
- sparing users from making security-critical policy decisions
- portable implementation (supports Linux, BSD, and Windows)
Download and Installation
Shipped under GPLv3. The download is available in the following formats:
- A preconfigured Linux VM image in the open virtual architecture (ova) format. A README file is also available.
- A source tarball. Please read the README and DOCUMENTATION file in the package for more information. The package includes an installer that can install the system on 32-bit Ubuntu 10.04 in two commands:
  cd lwip_installation
  sudo ./install.sh
- A precompiled binary for a Windows VM (select IE11 on Win8.1), as well as the source code as a Microsoft Visual Studio project. A README file is also available.
Acknowledgements
This work was supported in part by an AFOSR grant FA9550-09-1-0539, an NSF grant CNS-0831298, an ONR grant N000140710928, and a DARPA contract FA8650-15-C-7561.