Title :
Data Sandboxing: A Technique for Enforcing Confidentiality Policies
Author :
Khatiwala, Tejas ; Swaminathan, Raj ; Venkatakrishnan, V.N.
Author_Institution :
University of Illinois, Chicago, USA
Abstract :
When an application reads private / sensitive information and subsequently communicates on an output channel such as a public file or a network connection, how can we ensure that the data written is free of private information? In this paper, we address this question in a practical setting through the use of a technique that we call "data sandboxing". Essentially, data sandboxing is implemented using the popular technique of system call interposition to mediate output channels used by a program. To distinguish between private and public data, the program is partitioned into two: one that contains all the instructions that handle sensitive data and the other containing the rest of the instructions. This partitioning is performed based on techniques from program slicing. When run together, these two programs collectively replace the original program. To address confidentiality, these programs are sandboxed with different system call interposition based policies. We discuss the design and implementation of a tool that enforces confidentiality policies on C programs using this technique. We also report our experiences in using our tool over several programs that handle confidential data.
Keywords :
Application software; Computer science; Computer security; Costs; File servers; Kernel; Monitoring; Operating systems; Protection; Runtime;
Conference_Titel :
Computer Security Applications Conference, 2006. ACSAC '06. 22nd Annual
Conference_Location :
Miami Beach, FL, USA
Print_ISBN :
0-7695-2716-7
DOI :
10.1109/ACSAC.2006.22