Evaluating SFI for a CISC architecture

Stephen McCamant; Greg Morrisett

Evaluating SFI for a CISC architecture

Stephen McCamant
, Greg Morrisett

Research output: Contribution to conference › Paper › peer-review

Abstract

Executing untrusted code while preserving security requires that the code be prevented from modifying memory or executing instructions except as explicitly allowed. Software-based fault isolation (SFI) or “sandboxing” enforces such a policy by rewriting the untrusted code at the instruction level. However, the original sandboxing technique of Wahbe et al. is applicable only to RISC architectures, and most other previous work is either insecure, or has been not described in enough detail to give confidence in its security properties. We present a new sandboxing technique that can be applied to a CISC architecture like the IA-32, and whose application can be checked at load-time to minimize the TCB. We describe an implementation which provides a robust security guarantee and has low runtime overheads (an average of 21% on the SPECint2000 benchmarks). We evaluate the utility of the technique by applying it to untrusted decompression modules in an archive tool, and its safety by constructing a machine-checked proof that any program approved by the verification algorithm will respect the desired safety property.

Original language	English (US)
Pages	209-224
Number of pages	16
State	Published - 2006
Externally published	Yes
Event	15th USENIX Security Symposium, USENIX Security 2006 - Vancouver, Canada Duration: Jul 31 2006 → Aug 4 2006

Conference

Conference	15th USENIX Security Symposium, USENIX Security 2006
Country/Territory	Canada
City	Vancouver
Period	7/31/06 → 8/4/06

Bibliographical note

Publisher Copyright:
© 2006 USENIX Association. All rights reserved.

Find It

Find It at U of M Libraries

Cite this

@conference{061235c1885e404093c3d468dd2e7239,

title = "Evaluating SFI for a CISC architecture",

abstract = "Executing untrusted code while preserving security requires that the code be prevented from modifying memory or executing instructions except as explicitly allowed. Software-based fault isolation (SFI) or “sandboxing” enforces such a policy by rewriting the untrusted code at the instruction level. However, the original sandboxing technique of Wahbe et al. is applicable only to RISC architectures, and most other previous work is either insecure, or has been not described in enough detail to give confidence in its security properties. We present a new sandboxing technique that can be applied to a CISC architecture like the IA-32, and whose application can be checked at load-time to minimize the TCB. We describe an implementation which provides a robust security guarantee and has low runtime overheads (an average of 21\% on the SPECint2000 benchmarks). We evaluate the utility of the technique by applying it to untrusted decompression modules in an archive tool, and its safety by constructing a machine-checked proof that any program approved by the verification algorithm will respect the desired safety property.",

author = "Stephen McCamant and Greg Morrisett",

year = "2006",

language = "English (US)",

pages = "209--224",

}

TY - CONF

T1 - Evaluating SFI for a CISC architecture

AU - McCamant, Stephen

AU - Morrisett, Greg

PY - 2006

Y1 - 2006

N2 - Executing untrusted code while preserving security requires that the code be prevented from modifying memory or executing instructions except as explicitly allowed. Software-based fault isolation (SFI) or “sandboxing” enforces such a policy by rewriting the untrusted code at the instruction level. However, the original sandboxing technique of Wahbe et al. is applicable only to RISC architectures, and most other previous work is either insecure, or has been not described in enough detail to give confidence in its security properties. We present a new sandboxing technique that can be applied to a CISC architecture like the IA-32, and whose application can be checked at load-time to minimize the TCB. We describe an implementation which provides a robust security guarantee and has low runtime overheads (an average of 21% on the SPECint2000 benchmarks). We evaluate the utility of the technique by applying it to untrusted decompression modules in an archive tool, and its safety by constructing a machine-checked proof that any program approved by the verification algorithm will respect the desired safety property.

AB - Executing untrusted code while preserving security requires that the code be prevented from modifying memory or executing instructions except as explicitly allowed. Software-based fault isolation (SFI) or “sandboxing” enforces such a policy by rewriting the untrusted code at the instruction level. However, the original sandboxing technique of Wahbe et al. is applicable only to RISC architectures, and most other previous work is either insecure, or has been not described in enough detail to give confidence in its security properties. We present a new sandboxing technique that can be applied to a CISC architecture like the IA-32, and whose application can be checked at load-time to minimize the TCB. We describe an implementation which provides a robust security guarantee and has low runtime overheads (an average of 21% on the SPECint2000 benchmarks). We evaluate the utility of the technique by applying it to untrusted decompression modules in an archive tool, and its safety by constructing a machine-checked proof that any program approved by the verification algorithm will respect the desired safety property.

UR - https://www.scopus.com/pages/publications/85072935637

UR - https://www.scopus.com/pages/publications/85072935637#tab=citedBy

M3 - Paper

AN - SCOPUS:85072935637

SP - 209

EP - 224

T2 - 15th USENIX Security Symposium, USENIX Security 2006

Y2 - 31 July 2006 through 4 August 2006

ER -

Evaluating SFI for a CISC architecture

Abstract

Conference

Bibliographical note

Find It

Other files and links

Fingerprint

Cite this