Evaluating SFI for a CISC architecture

Stephen McCamant; Greg Morrisett

Evaluating SFI for a CISC architecture

Research output: Contribution to conference › Paper › peer-review

Abstract

Executing untrusted code while preserving security requires that the code be prevented from modifying memory or executing instructions except as explicitly allowed. Software-based fault isolation (SFI) or “sandboxing” enforces such a policy by rewriting the untrusted code at the instruction level. However, the original sandboxing technique of Wahbe et al. is applicable only to RISC architectures, and most other previous work is either insecure, or has been not described in enough detail to give confidence in its security properties. We present a new sandboxing technique that can be applied to a CISC architecture like the IA-32, and whose application can be checked at load-time to minimize the TCB. We describe an implementation which provides a robust security guarantee and has low runtime overheads (an average of 21% on the SPECint2000 benchmarks). We evaluate the utility of the technique by applying it to untrusted decompression modules in an archive tool, and its safety by constructing a machine-checked proof that any program approved by the verification algorithm will respect the desired safety property.

Original language	English (US)
Pages	209-224
Number of pages	16
State	Published - 2006
Externally published	Yes
Event	15th USENIX Security Symposium - Vancouver, Canada Duration: Jul 31 2006 → Aug 4 2006

Conference

Conference	15th USENIX Security Symposium
Country/Territory	Canada
City	Vancouver
Period	7/31/06 → 8/4/06

Bibliographical note

Funding Information:
Bryan Ford provided us with the VXA infrastructure used in the case study of Section 8, and Mihai Budiu and Úlfar Erlingsson provided results for Figure 9 and answered other questions about CFI. Members of the MIT PDOS and PAG groups, and the Harvard programming languages and compilers groups, provided a number of helpful suggestions. The first author is supported by a National Defense Science and Engineering Graduate Fellowship.

Funding Information:
Bryan Ford provided us with the VXA infrastructure used in the case study of Section 8, and Mihai Budiu and Úlfar Er-lingsson provided results for Figure 9 and answered other questions about CFI. Members of the MIT PDOS and PAG groups, and the Harvard programming languages and compilers groups, provided a number of helpful suggestions. The first author is supported by a National Defense Science and Engineering Graduate Fellowship.

Publisher Copyright:
© 2006 USENIX Association. All rights reserved.

OpenUrl availability

Full text

Cite this

@conference{1c15aed84ff743ebb5aaa3c46e33b7b4,

title = "Evaluating SFI for a CISC architecture",

abstract = "Executing untrusted code while preserving security requires that the code be prevented from modifying memory or executing instructions except as explicitly allowed. Software-based fault isolation (SFI) or “sandboxing” enforces such a policy by rewriting the untrusted code at the instruction level. However, the original sandboxing technique of Wahbe et al. is applicable only to RISC architectures, and most other previous work is either insecure, or has been not described in enough detail to give confidence in its security properties. We present a new sandboxing technique that can be applied to a CISC architecture like the IA-32, and whose application can be checked at load-time to minimize the TCB. We describe an implementation which provides a robust security guarantee and has low runtime overheads (an average of 21% on the SPECint2000 benchmarks). We evaluate the utility of the technique by applying it to untrusted decompression modules in an archive tool, and its safety by constructing a machine-checked proof that any program approved by the verification algorithm will respect the desired safety property.",

author = "Stephen McCamant and Greg Morrisett",

note = "Funding Information: Bryan Ford provided us with the VXA infrastructure used in the case study of Section 8, and Mihai Budiu and {\'U}lfar Erlingsson provided results for Figure 9 and answered other questions about CFI. Members of the MIT PDOS and PAG groups, and the Harvard programming languages and compilers groups, provided a number of helpful suggestions. The first author is supported by a National Defense Science and Engineering Graduate Fellowship. Funding Information: Bryan Ford provided us with the VXA infrastructure used in the case study of Section 8, and Mihai Budiu and {\'U}lfar Er-lingsson provided results for Figure 9 and answered other questions about CFI. Members of the MIT PDOS and PAG groups, and the Harvard programming languages and compilers groups, provided a number of helpful suggestions. The first author is supported by a National Defense Science and Engineering Graduate Fellowship. Publisher Copyright: {\textcopyright} 2006 USENIX Association. All rights reserved.; 15th USENIX Security Symposium ; Conference date: 31-07-2006 Through 04-08-2006",

year = "2006",

language = "English (US)",

pages = "209--224",

}

TY - CONF

T1 - Evaluating SFI for a CISC architecture

AU - McCamant, Stephen

AU - Morrisett, Greg

N1 - Funding Information: Bryan Ford provided us with the VXA infrastructure used in the case study of Section 8, and Mihai Budiu and Úlfar Erlingsson provided results for Figure 9 and answered other questions about CFI. Members of the MIT PDOS and PAG groups, and the Harvard programming languages and compilers groups, provided a number of helpful suggestions. The first author is supported by a National Defense Science and Engineering Graduate Fellowship. Funding Information: Bryan Ford provided us with the VXA infrastructure used in the case study of Section 8, and Mihai Budiu and Úlfar Er-lingsson provided results for Figure 9 and answered other questions about CFI. Members of the MIT PDOS and PAG groups, and the Harvard programming languages and compilers groups, provided a number of helpful suggestions. The first author is supported by a National Defense Science and Engineering Graduate Fellowship. Publisher Copyright: © 2006 USENIX Association. All rights reserved.

PY - 2006

Y1 - 2006

N2 - Executing untrusted code while preserving security requires that the code be prevented from modifying memory or executing instructions except as explicitly allowed. Software-based fault isolation (SFI) or “sandboxing” enforces such a policy by rewriting the untrusted code at the instruction level. However, the original sandboxing technique of Wahbe et al. is applicable only to RISC architectures, and most other previous work is either insecure, or has been not described in enough detail to give confidence in its security properties. We present a new sandboxing technique that can be applied to a CISC architecture like the IA-32, and whose application can be checked at load-time to minimize the TCB. We describe an implementation which provides a robust security guarantee and has low runtime overheads (an average of 21% on the SPECint2000 benchmarks). We evaluate the utility of the technique by applying it to untrusted decompression modules in an archive tool, and its safety by constructing a machine-checked proof that any program approved by the verification algorithm will respect the desired safety property.

AB - Executing untrusted code while preserving security requires that the code be prevented from modifying memory or executing instructions except as explicitly allowed. Software-based fault isolation (SFI) or “sandboxing” enforces such a policy by rewriting the untrusted code at the instruction level. However, the original sandboxing technique of Wahbe et al. is applicable only to RISC architectures, and most other previous work is either insecure, or has been not described in enough detail to give confidence in its security properties. We present a new sandboxing technique that can be applied to a CISC architecture like the IA-32, and whose application can be checked at load-time to minimize the TCB. We describe an implementation which provides a robust security guarantee and has low runtime overheads (an average of 21% on the SPECint2000 benchmarks). We evaluate the utility of the technique by applying it to untrusted decompression modules in an archive tool, and its safety by constructing a machine-checked proof that any program approved by the verification algorithm will respect the desired safety property.

UR - http://www.scopus.com/inward/record.url?scp=85072935637&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85072935637&partnerID=8YFLogxK

M3 - Paper

AN - SCOPUS:85072935637

SP - 209

EP - 224

T2 - 15th USENIX Security Symposium

Y2 - 31 July 2006 through 4 August 2006

ER -

Evaluating SFI for a CISC architecture

Abstract

Conference

Bibliographical note

OpenUrl availability

Other files and links

Fingerprint

Cite this