Scope: We propose Lockdown, a system for improving the security of sensitive applications while preserving the flexibility, functionality, and performance of non-security-sensitive applications. Lockdown provides strong isolation between a trusted environment intended for security-sensitive applications and an untrusted environment that runs all of the user's non-security-related applications. This strong isolation prevents untrusted code from directly attacking trusted applications. It also prevents the trusted applications from receiving maliciously crafted inputs from code in the untrusted environment. To keep the trusted environment pristine, Lockdown only permits known, trusted code to execute. Since this trusted code may still contain bugs, Lockdown ensures that trusted applications can only communicate with trusted sites. This prevents malicious sites from corrupting the applications, and ensures that even if a trusted application is corrupted, it can only leak data to sites the user already trusts with her data.
Outcomes: We have implemented a complete prototype of Lockdown for the Windows OS in 8,471 lines of code, without needing to change a single line of code within the OS. Our initial experience shows that we can provide immediate improvements to security-sensitive tasks while imposing minimal performance overhead on other applications (on average, only 3% memory overhead and 2.7% storage overhead on non-security-related tasks).