Introduction

In UNIX, system calls are the gateway to privileged operations. A successful system compromise is possible only via system calls. Restricting system calls therefore limits the damage an adversary can cause. Which calls are restricted is determined by a security policy, and policies tend to be difficult to define.

Previous confinement or sandboxing research:

- Goldberg and Wagner's Janus. Drawbacks: policy difficult to define; applications may not chdir, etc.
- Jain and Sekar's user-level infrastructure. Drawbacks: policy implemented as C++; policy difficult to define.