In this article, we present an approach for realizing a safe execution environment (SEE) that enables users to “try out” new software (or configuration changes to existing software) without the fear of damaging the system in any manner. A key property of our SEE is that it faithfully reproduces the behavior of applications, as if they were running natively on the underlying (host) operating system. This is accomplished via one-way isolation: processes running within the SEE are given read-access to the environment provided by the host OS, but their write operations are prevented from escaping outside the SEE. As a result, SEE processes cannot impact the behavior of host OS processes, or the integrity of data on the host OS. SEEs support a wide range of tasks, including: study of malicious code, controlled execution of untrusted software, experimentation with software configuration changes, testing of software patches, and so on. It provides a convenient way for users to inspect system changes made within the SEE. If these changes are not accepted, they can be rolled back at the click of a button. Otherwise, the changes can be committed so as to become visible outside the SEE. We provide consistency criteria that ensure semantic consistency of the committed results. We develop two different implementation approaches, one in user-land and the other in the OS kernel, for realizing a safe-execution environment. Our implementation results show that most software, including fairly complex server and client applications, can run successfully within our SEEs. It introduces low performance overheads, typically below 10 percent.

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	Anurag Acharya , Mandar Raje, MAPbox: using parameterized behavior classes to confine untrusted applications, Proceedings of the 9th conference on USENIX Security Symposium, p.1-1, August 14-17, 2000, Denver, Colorado
	2	Alcatraz. http://www.seclab.cs.sunysb.edu/alcatraz.
	3	Bochs. http://bochs.sourceforge.net.
	4	Aaron B. Brown , David A. Patterson, Undo for operators: building an undoable e-mail store, Proceedings of the annual conference on USENIX Annual Technical Conference, p.1-1, June 09-14, 2003, San Antonio, Texas
	5	Peter M. Chen , Brian D. Noble, When Virtual Is Better Than Real, Proceedings of the Eighth Workshop on Hot Topics in Operating Systems, p.133, May 20-22, 2001
	6	Tzi-cker Chiueh , Harish Sankaran , Anindya Neogi, Spout: A Transparent Distributed Execution Engine for Java Applets, Proceedings of the The 20th International Conference on Distributed Computing Systems ( ICDCS 2000), p.394, April 10-13, 2000
	7	Chutani, S., Anderson, O. T., Kazar, M. L., Leverett, B. W., Mason, W. A., and Sidebotham, R. N. 1992. The episode file system. In Proceedings of the USENIX Technical Conference (USENIX’92).
	8	Dan, A., Mohindra, A., Ramaswami, R., and Sitaram, D. 1997. Chakravyuha: A sandbox operating system for the controlled execution of alien code. Tech. rep., IBM T.J. Watson Research Center.
	9	Fakebust. Fakebust, a malicious code analyzer. http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2004-09/0251.html.
	10	Garfinkel, T. 2003. Traps and pitfalls: Practical problems in system call interposition based security tools. In Proceedings of the Annual Network & Distributed Systems Security Conference (NDSS’’03).
	11	Ashvin Goel , Kenneth Po , Kamran Farhadi , Zheng Li , Eyal de Lara, The taser intrusion recovery system, ACM SIGOPS Operating Systems Review, v.39 n.5, December 2005
	12	Ian Goldberg , David Wagner , Randi Thomas , Eric A. Brewer, A secure environment for untrusted helper applications confining the Wily Hacker, Proceedings of the 6th conference on USENIX Security Symposium, Focusing on Applications of Cryptography, p.1-1, July 22-25, 1996, San Jose, California
	13	Jain, K. and Sekar, R. 2000. User-level infrastructure for system call interposition: A platform for intrusion detection and confinement. In Proceedings of the Annual Network and Distributed System Security (NDSS’00).
	14	S. Jajodia , P. Liu , C. D. McCollum, Application-Level Isolation to Cope with Malicious Database Users, Proceedings of the 14th Annual Computer Security Applications Conference, p.73, December 07-11, 1998
	15	Katcher, J. 1997. Postmark: A new file system benchmark. Tech. rep. TR3022, Network Applicance Inc.
	16	Kato, K. and Oyama, Y. 2003. Softwarepot: An encapsulated transferable file system for secure software circulation. In Proceedings of the International Symposium on Software Security (ISSS’03).
	17	Samuel T. King , Peter M. Chen , Yi-Min Wang , Chad Verbowski , Helen J. Wang , Jacob R. Lorch, SubVirt: Implementing malware with virtual machines, Proceedings of the 2006 IEEE Symposium on Security and Privacy, p.314-327, May 21-24, 2006  [doi>10.1109/SP.2006.38]
	18	D. G. Korn , E. Krell, A new dimension for the UNIX file system, Software—Practice & Experience, v.20 n.S1, p.19-34, June 1990  [doi>10.1002/spe.4380201304]
	19	Butler W. Lampson, A note on the confinement problem, Communications of the ACM, v.16 n.10, p.613-615, Oct. 1973  [doi>10.1145/362375.362389]
	20	Zhenkai Liang , V. N. Venkatakrishnan , R. Sekar, Isolated Program Execution: An Application Transparent Approach for Executing Untrusted Programs, Proceedings of the 19th Annual Computer Security Applications Conference, p.182, December 08-12, 2003
	21	Peng Liu , Sushil Jajodia , Catherine D. McCollum, Intrusion confinement by isolation in information systems, Journal of Computer Security, v.8 n.4, p.243-279, Dec. 2000
	22	Lofs. Loop back file system. Unix man page.
	23	Dahlia Malkhi , Michael K. Reiter, Secure Execution of Java Applets Using a Remote Playground, IEEE Transactions on Software Engineering, v.26 n.12, p.1197-1209, December 2000  [doi>10.1109/32.888632]
	24	Kiran-Kumar Muniswamy-Reddy , Charles P. Wright , Andrew Himmer , Erez Zadok, A Versatile and User-Oriented Versioning File System, Proceedings of the 3rd USENIX Conference on File and Storage Technologies, March 31-31, 2004, San Francisco, CA
	25	Ormandy, T. An empirical study into the security exposure to hosts of hostile virtualized environments. http://taviso.decsystem.org/virtsec.pdf.
	26	Steven Osman , Dinesh Subhraveti , Gong Su , Jason Nieh, The design and implementation of Zap: a system for migrating computing environments, Proceedings of the 5th symposium on Operating systems design and implementation Due to copyright restrictions we are not able to make the PDFs for this conference available for downloading , December 09-11, 2002, Boston, Massachusetts  [doi>10.1145/1060289.1060323]
	27	Jan-Simon Pendry , Marshall Kirk McKusick, Union mounts in 4.4BSD-lite, Proceedings of the USENIX 1995 Technical Conference Proceedings on USENIX 1995 Technical Conference Proceedings, p.3-3, January 16-20, 1995, New Orleans, Louisiana
	28	Pendry, J. S., Williams, N., and Zadok, E. Am-utils user manual, 6.1b3 edition, July 2003. http://www.am-utils.org.
	29	Peterson, Z. and Burns, R. 2003. Ext3cow: The design, implementation, and analysis of metadata for a time-shifting file system. Tech. rep. HSSL-2003-03, Hopkins Storage Systems Lab, Department of Computer Science, Johns Hopkins University.
	30	Picturepages. Picturepages software. http://www.canonical.org/picturepages.
	31	Pilania, D. and Chiueh, T. 2003. Design, implementation, and evaluation of an intrusion resilient database system. In Proceedings of the International Conference on Dependable Systems and Networks (DSN’03).
	32	Vassilis Prevelakis , Diomidis Spinellis, Sandboxing Applications, Proceedings of the FREENIX Track: 2001 USENIX Annual Technical Conference, p.119-126, June 25-30, 2001
	33	Niels Provos, Improving host security with system call policies, Proceedings of the 12th conference on USENIX Security Symposium, p.18-18, August 04-08, 2003, Washington, DC
	34	Sean Quinlan , Sean Dorward, Venti: A New Approach to Archival Storage, Proceedings of the Conference on File and Storage Technologies, p.89-101, January 28-30, 2002
	35	ROC. Recovery-oriented computing. http://roc.cs.berkeley.edu.
	36	Roome, W. D. 1991. 3DFS: A time-oriented file server. In Proceedings of the USENIX Technical Conference (USENIX’91).
	37	Douglas J. Santry , Michael J. Feeley , Norman C. Hutchinson , Alistair C. Veitch, Elephant: The File System that Never Forgets, Proceedings of the The Seventh Workshop on Hot Topics in Operating Systems, p.2, March 28-30, 1999
	38	Kevin Scott , Jack Davidson, Safe Virtual Execution Using Software Dynamic Translation, Proceedings of the 18th Annual Computer Security Applications Conference, p.209, December 09-13, 2002
	39	Sekar, R., Cai, Y., and Segal, M. 1998. A specification-based approach for building survivable systems. In Proceedings of the National Information Systems Security Conference (NISSC’98).
	40	R. Sekar , P. Uppuluri, Synthesizing fast intrusion prevention/detection systems from high-level specifications, Proceedings of the 8th conference on USENIX Security Symposium, p.6-6, August 23-26, 1999, Washington, D.C.
	41	SoftGrid. http://www.microsoft.com/systemcenter/softgrid/default.mspx.
	42	Soules, C., Goodson, G., Strunk, J., and Ganger, G. 2002. Metadata efficiency in a comprehensive versioning file system. In Proceedings of the USENIX Conference on File and Storage Technologies (FAST’02).
	43	Strace. http://www.liacs.nl/~wichert/strace.
	44	Sun, W., Liang, Z., Sekar, R., and Venkatakrishnan, V. 2005. One-way isolation: An effective approach for realizing safe execution environments. In Proceedings of the ISOC Network and Distributed Systems Symposium (NDSS’05).
	45	SVS. Software virtualization solution. http://www.altiris.com/Products/SoftwareVirtualizationSolution.aspx.
	46	TFS. Translucent file system. SunOS Reference Manual, Sun Microsystems.
	47	Tiilikainen, T. Rename-them-all, linux freeware version. http://linux.iconet.com.br/system/preview/8622.html.
	48	Premchand Uppuluri , R. Sekar, Intrusion detection/prevention using behavior specifications, State University of New York at Stony Brook, Stony Brook, NY, 2003
	49	VirtualPC. http://www.microsoft.com/windows/products/winfamily/virtualpc/default.mspx.
	50	VMWare. http://www.vmware.com.
	51	VMware. VMware Converter. http://www.vmware.com/products/converter.
	52	Webstone. http://www.mindcraft.com/webstone.
	53	Whitaker, A., Shaw, M., and Gribble, S. 2002. Denali: Lightweight virtual machines for distributed and networked applications. In Proceedings of the USENIX Annual Technical Conference (USENIX’02).
	54	Yang Yu , Fanglu Guo , Susanta Nanda , Lap-chung Lam , Tzi-cker Chiueh, A feather-weight virtual machine for windows applications, Proceedings of the 2nd international conference on Virtual execution environments, June 14-16, 2006, Ottawa, Ontario, Canada  [doi>10.1145/1134760.1134766]
	55	Erez Zadok , Ion Badulescu , Alex Shender, Extending file systems using stackable templates, Proceedings of the annual conference on USENIX Annual Technical Conference, p.5-5, June 06-11, 1999, Monterey, California
	56	Zhu, N. 2003. Data versioning systems. Tech. rep., Stony Brook University.
	57	Zhu, N. and Chiueh, T. 2003. Design, implementation, and evaluation of repairable file service. In Proceedings of the International Conference on Dependable Systems and Networks (DSN’03).