Secure mobile code execution service
Tzi-cker Chiueh State University of New York, Stony Brook
Mobile code refers to programs that come into a host computer over the network and start to execute with or without user's
knowledge or consent. Examples of mobile code include a Java script embedded within an HTML page, a Visual-Basic script
contained in a Word document, an HTML Help file, an ActiveX Control, a Java applet, a transparent browser plug-in or
DLL, a new document viewer installed on demand, an explicitly down-loaded executable binary, etc. Because these programs
run in the execution context of the user that downloads them, they can execute arbitrary programs that the user is allowed
to run, including deleting files, modifying configurations or registry entries, sending emails, or installing
back-door programs in the home directory.
In this paper, we will describe an isolation approach to secure mobile code
execution, in which mobile code coming into a host computer as an email attachment, as an object downloaded through an
anchor link, or as a file retrieved from the network via FTP or a P2P application, will be executed on a separate guinea
pig machine rather than the user's own machine. As a result, it guarantees that no malicious mobile code of this form
can inflict upon the resources on the user machine, act on behalf of the user, or leak confidential information.
In particular, even zero-day virus cannot cause any damage. We will discuss the design, implementation and evaluation of
a secure mobile code execution service based on this approach, and contrast it with other existing approaches to the same
problem.
VB2010 will take place 29 September-1 October 2009 at the Westin Bayshore, Vancouver, BC, Canada.
Early bird discount available until 15th June 2010.