Evaluating SFI for a CISC architecture

Stephen McCamant, Greg Morrisett

Research output: Contribution to conferencePaperpeer-review


Executing untrusted code while preserving security requires that the code be prevented from modifying memory or executing instructions except as explicitly allowed. Software-based fault isolation (SFI) or “sandboxing” enforces such a policy by rewriting the untrusted code at the instruction level. However, the original sandboxing technique of Wahbe et al. is applicable only to RISC architectures, and most other previous work is either insecure, or has been not described in enough detail to give confidence in its security properties. We present a new sandboxing technique that can be applied to a CISC architecture like the IA-32, and whose application can be checked at load-time to minimize the TCB. We describe an implementation which provides a robust security guarantee and has low runtime overheads (an average of 21% on the SPECint2000 benchmarks). We evaluate the utility of the technique by applying it to untrusted decompression modules in an archive tool, and its safety by constructing a machine-checked proof that any program approved by the verification algorithm will respect the desired safety property.

Original languageEnglish (US)
Number of pages16
StatePublished - 2006
Externally publishedYes
Event15th USENIX Security Symposium - Vancouver, Canada
Duration: Jul 31 2006Aug 4 2006


Conference15th USENIX Security Symposium

Bibliographical note

Funding Information:
Bryan Ford provided us with the VXA infrastructure used in the case study of Section 8, and Mihai Budiu and Úlfar Er-lingsson provided results for Figure 9 and answered other questions about CFI. Members of the MIT PDOS and PAG groups, and the Harvard programming languages and compilers groups, provided a number of helpful suggestions. The first author is supported by a National Defense Science and Engineering Graduate Fellowship.

Fingerprint Dive into the research topics of 'Evaluating SFI for a CISC architecture'. Together they form a unique fingerprint.

Cite this