Secure Coding mailing list archives

RE: Hypothetical design question


From: Jeremy Epstein <jeremy.epstein () webmethods com>
Date: Fri, 30 Jan 2004 17:23:30 +0000

You might be interested in a paper that was presented/published at the most
recent Annual Computer Security Applications Conference (www.acsac.org).
The idea was to create a transaction approach for running programs.  When
you run a program, it creates a copy-on-write version of every file that
gets modified, and when you're done, the user has the choice of accepting or
rejecting the entire transaction.  If they accept, then all the changes get
"committed"; if you reject then they all get discarded.

There are a lot of limitations to this sort of approach (e.g., it only can
roll back file system activities, and there are problems if you have
multiple simultaneous modifications, and it's hard for a user to tell what's
an OK change and what's not), but it's a starting point.

Full paper available at www.acsac.org; the paper is "Isolated Program
Execution: An Application-Transparent Approach for Executing Untrusted
Programs", by Zhenkai Liang, Stony Brook University.  It won the
"outstanding paper" award.

And tying it to this discussion, using a semi-sandbox of this sort might be
a way of dealing with email attachments.

--Jeremy
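As an added illustration (not code from the paper or from this thread), the commit-or-discard model described above in miniature: a hypothetical `IsolatedRun` class redirects an untrusted program's writes into a copy-on-write shadow tree, shows the user the pending changes, and only touches the real tree on commit. The `demo()` scenario, file names and contents are constructed for this example.

```python
import shutil
import tempfile
from pathlib import Path

class IsolatedRun:
    """Hypothetical transactional sandbox: writes go to a private shadow tree."""

    def __init__(self, root):
        self.root = Path(root)
        self.shadow = Path(tempfile.mkdtemp(prefix="shadow-"))
        self.modified = set()          # relative paths touched during this run

    def read(self, rel):
        p = self.shadow / rel          # shadow copy wins once the file was touched
        return (p if p.exists() else self.root / rel).read_bytes()

    def write(self, rel, data, append=False):
        p, orig = self.shadow / rel, self.root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        if orig.exists() and rel not in self.modified:
            shutil.copy2(orig, p)      # copy-on-write: first touch clones the original
        with open(p, "ab" if append else "wb") as f:
            f.write(data)
        self.modified.add(rel)

    def changes(self):
        """Pending changes, shown to the user before accept/reject."""
        return {rel: ("modified" if (self.root / rel).exists() else "created")
                for rel in sorted(self.modified)}

    def commit(self):
        for rel in self.modified:      # accept: shadow files replace the originals
            (self.root / rel).parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(self.shadow / rel, self.root / rel)
        self.discard()

    def discard(self):                 # reject: the shadow tree simply disappears
        shutil.rmtree(self.shadow, ignore_errors=True)
        self.modified.clear()

def demo(accept):
    """Constructed scenario: a program appends to config.txt and drops a new file."""
    root = Path(tempfile.mkdtemp(prefix="root-"))
    (root / "config.txt").write_bytes(b"safe=1\n")
    run = IsolatedRun(root)
    run.write("config.txt", b"extra=1\n", append=True)
    run.write("dropped.txt", b"new file")
    pending = run.changes()            # what the user would be asked to review
    (run.commit if accept else run.discard)()
    return pending, (root / "config.txt").read_bytes(), (root / "dropped.txt").exists()
```

Note that, exactly as the message warns, only file writes routed through the object are captured; network activity or a second concurrent writer to the same real tree is outside the transaction.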