The Internet has become a popular business tool. It provides rapid access to services and instant communication among users and computing systems, and it allows users to collaborate across geographical boundaries. In spite of these advantages, however, the Internet still poses a number of security risks to computing systems. In particular, many of the resources available on the Internet are of unknown origin, and communications with such resources are typically unauthenticated. For instance, it is difficult to determine whether accessing an unknown website resource or receiving an email poses any security risk to the receiving computing system.
A number of approaches are available that address the security risks associated with using the Internet. One approach involves profiling systems that scan Internet content for known patterns of malicious content such as viruses, worms, etc. Anti-virus scanning software is the most widely used profiling tool for such systems. Such a profiling tool can run automatically when receiving email or downloading web pages. In particular, a server can run profiling software to scan incoming mail or Internet content. A disadvantage of the profiling approach is that the only security risks that are detected are those based on known patterns (e.g., known viruses), which are typically stored in a database. Although the database can be updated with new known patterns, if a pattern is not found in the database, the security risk will not be detected.
Another approach uses cryptographic signatures to guarantee the origin of Internet content. A valid signature can only originate from a single signer, generally associated with a signing certificate belonging to an individual user or organization. Knowing the origin of content, a user can make informed decisions about the level of trust or permission to grant to the content. In this manner, the domain of trustable content can be determined based on the signature of the content. A disadvantage of this approach is that too few sources on the Internet use cryptographic signatures when delivering content. Furthermore, both the sending and receiving users must have keys to authenticate the signature. In addition, once content is considered trusted and allowed to run on a computing system, validating the inputs received from the system is problematic. In particular, security attacks based on passing incorrect inputs to processes are well known—e.g., attacks exploiting buffer overflows.
Another approach relates to behavioral pattern-matching systems. These systems monitor the execution history of a user's system, typically in the context of using Internet content. Such systems assess each operation to determine whether the operation is allowable in a given context. In effect, these systems act as dynamically-evolving access control lists in which an operation might be allowed in one context but not in others. A disadvantage of this approach is that which behavior (an operation in a specific context) is disallowed is determined by policy, and that policy can become quite complex in order to prevent unsafe behavior while allowing as much useful behavior as possible.
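An added illustration of the history-dependent access control described above (constructed for this discussion, not code from the patent): a small monitor records every operation a process performs and decides each new one against a policy whose answer depends on that recorded history, so the same operation is allowed in one context and denied in another. The origins, operation names and the three policy rules are assumptions chosen for the example.

```python
# Hypothetical behavioral monitor: policy decisions depend on execution history.
from dataclasses import dataclass, field

INTERNET = "internet"   # content origin: fetched from the network
LOCAL = "local"         # content origin: the user's own files


@dataclass
class Monitor:
    """Records every (op, target, origin, allowed) tuple and evaluates policy
    against that history, i.e. a context-sensitive access control list."""
    history: list = field(default_factory=list)

    def _has_read(self, origin: str) -> bool:
        # True if an allowed read from the given origin is already in the history.
        return any(op == "read" and src == origin and ok
                   for op, _, src, ok in self.history)

    def decide(self, op: str, target: str, origin: str = LOCAL) -> bool:
        """Return True if `op` on `target` is allowed in the current context."""
        tainted = self._has_read(INTERNET)      # process has consumed Internet content
        touched_local = self._has_read(LOCAL)   # process has read the user's own data
        if op == "read":
            # Reads are never denied; they only change the context for later decisions.
            allowed = True
        elif op == "write":
            # Rule: no file-system writes once Internet content has been consumed.
            allowed = not tainted
        elif op == "send":
            # Rule: a process that has read local data and Internet content
            # matches an exfiltration pattern, so network sends are denied.
            allowed = not (tainted and touched_local)
        else:
            allowed = False                     # default deny for unknown operations
        self.history.append((op, target, origin, allowed))
        return allowed


def run_scenario() -> list:
    """Replay a constructed sequence; the second write and third send are denied."""
    m = Monitor()
    steps = [("write", "/home/user/notes.txt", LOCAL),
             ("read", "http://example.invalid/page.html", INTERNET),
             ("write", "/home/user/notes.txt", LOCAL),
             ("read", "/home/user/secrets.txt", LOCAL),
             ("send", "example.invalid:443", LOCAL)]
    return [m.decide(op, target, origin) for op, target, origin in steps]


if __name__ == "__main__":
    print(run_scenario())
```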
Another approach uses access control restrictions that can prevent certain operations from being performed in a given context. For example, “sandboxing” is a method for activating Internet content in an environment with stricter access controls than a user's normal environment. A sandbox might contain code to start a new restricted execution shell for new content (e.g., a virtual machine for Internet content). A disadvantage of this approach is that it imposes stricter access controls on an application whenever it is using Internet content. For example, a browser can be prevented from executing JavaScript code that accesses the file system, or Internet content can be assigned a special user identity with less privilege than the actual user, relying on the operating system's built-in, user-id-based access control schemes (SubOS).
Another approach relates to language-based security, which prevents certain statements from being expressed in the programming language that encodes Internet content. Specifically, this approach enforces strict type-safety to ensure that code can only operate on a well-defined set of objects or resources, together with compile-time or execution-time checks to ensure that code does not violate the security policy. The Java programming language, for example, implements such techniques: it does not allow a program to allocate and access arbitrary memory segments, it enforces strict type definitions, and it employs run-time checks to ensure that code does not violate a user's security policy. A disadvantage of this approach is that it requires knowledge of sophisticated programming techniques.
With all of these approaches, there are drawbacks in providing security for Internet content. Furthermore, any approach protecting computing systems from risks relating to Internet use is more useful if it also preserves the unrestricted access to services and content that makes Internet use productive and valuable. Most approaches to the security issue so far have constrained or interrupted much of the freedom to use resources on the Internet in order to provide some increase in security.