User-level Resource-constrained Sandboxing

Conclusion and Future Work

This paper describes the construction of a user-level resource-constrained sandbox, which exploits widely available OS features to impose quantitative restrictions on an application's resource usage. It evaluates a concrete implementation of the sandbox on Windows NT, using three representative resource types as examples: CPU, memory, and network. Our evaluation shows that the user-level sandboxing approach can achieve accurate quantitative restrictions on resource usage with minimal run-time overhead, and can be easily extended to support application-specific constraining policies.

In future work, we plan to develop a security architecture that ensures sandbox compliance from malicious applications at a finer granularity and address problems arising from priority inversion and the absence of real-time scheduling.



Fangzhe Chang, Ayal Itzkovitz, and Vijay Karamcheti 
2000-05-15