Policy-Directed Code Safety

David E. Evans

October 19, 1999

The complete thesis (137 pages) is available as:

If these don't work for you, mail me and I will either generate a new format or send you a paper copy.


Executing code can be dangerous. This thesis describes a scheme for protecting the user by constraining the behavior of an executing program. We introduce Naccio, a general architecture for constraining the behavior of program executions. Naccio consists of languages for defining safety policies in a platform-independent way and a system architecture for enforcing those policies on executions by transforming programs. Prototype implementations of Naccio have been built that enforce policies on JavaVM classes and Win32 executables.

Naccio addresses two weaknesses of current code safety systems. One problem is that current systems cannot enforce policies with sufficient precision. For example, a system such as the Java sandbox cannot enforce a policy that limits the rate at which data is sent over the network without denying network use altogether since there are no safety checks associated with sending data. The problem is more fundamental than simply the choices about which safety checks to provide. The system designers were hamstrung into providing only a limited number of checks by a design that incurs the cost of a safety check regardless of whether it matters to the policy in effect. Because Naccio statically analyzes and compiles a policy, it can support safety checks associated with any resource manipulation, yet the costs of a safety check are incurred only when the check is relevant.

Another problem with current code safety systems is that policies are defined in ad hoc and platform-specific ways. The author of a safety policy needs to know low-level details about a particular platform and once a safety policy has been developed and tested it cannot easily be transferred to a different platform. Naccio provides a platform-independent way of defining safety policies in terms of abstract resources. Safety policies are described by writing code fragments that account for and constrain resource manipulations. Resources are described using abstract objects with operations that correspond to manipulations of the corresponding system resource. A platform interface provides an operational specification of how system calls affect resources. This enables safety policies to be described in a platform-independent way and isolates most of the complexity of the system.

This thesis motivates and describes the design of Naccio, demonstrates how a large class of safety policies can be defined, and evaluates results from our experience with the prototype implementations.

David Evans