FlexBox: Sandboxing Internet servers based on layer-7 contexts

Ayumu Tanoue, Makoto Shimamura, Miyuki Hanaoka, Kenji Kono

Research output: Chapter in Book/Report/Conference proceedingConference contribution


Internet servers are constantly exposed to malicious attacks launched remotely. Sandbox is a promising approach to reducing the damage caused by malicious attacks. A sandbox system provides a restricted environment for executing programs/codes from an Internet server, in which the accessible resources are limited to those required for legal execution. However, traditional sandbox systems are not suitable for preventing sensitive files, legally accessed by Internet servers, from being leaked or tampered. A sandbox system must permit access to sensitive files if the sandboxed server requires access to them. This paper presents FlexBox, a novel sandbox system that reduces the possibility of leaking or tampering with sensitive files accessed by Internet servers. The key observation is that Internet servers typically have several execution states, each of which requires different access rights to resources such as files, especially sensitive files that are usually accessed only in a few execution states. Therefore, if FlexBox dynamically changes a set of accessible files according to servers' execution states, it is expected to dramatically reduce the possibility of information leakage/tampering. To obtain the execution states of Internet servers, FlexBox exploits the layer-7 contexts of Internet servers, i.e., it monitors the network messages exchanged between the server and clients. We demonstrate that FlexBox can be applied to several real Internet servers and the overhead from FlexBox is reasonably low.

Original languageEnglish
Title of host publicationIEEE Symposium on Computers and Communications 2008, ISCC 2008
Number of pages6
Publication statusPublished - 2008
Event13th IEEE Symposium on Computers and Communications, ISCC 2008 - Marrakech, Morocco
Duration: 2008 Jul 62008 Jul 9

Publication series

NameProceedings - IEEE Symposium on Computers and Communications
ISSN (Print)1530-1346


Other13th IEEE Symposium on Computers and Communications, ISCC 2008

ASJC Scopus subject areas

  • Software
  • Signal Processing
  • Mathematics(all)
  • Computer Science Applications
  • Computer Networks and Communications


Dive into the research topics of 'FlexBox: Sandboxing Internet servers based on layer-7 contexts'. Together they form a unique fingerprint.

Cite this