XFI: software guards for system address spaces

XFI is a comprehensive protection system that offers both flexible access control and fundamental integrity guarantees, at any privilege level and even for legacy code in commodity systems. For this purpose, XFI combines static analysis with inline software guards and a two-stack execution model. We have implemented XFI for Windows on the x86 architecture using binary rewriting and a simple, stand-alone verifier; the implementation's correctness depends on the verifier, but not on the rewriter. We have applied XFI to software such as device drivers and multimedia codecs. The resulting modules function safely within both kernel and user-mode address spaces, with only modest enforcement overheads.
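As an added illustration (not code from the XFI paper or its implementation), the following Python toy models the trust split described above: an untrusted rewriter inserts inline software guards before memory accesses, and a small stand-alone verifier independently re-checks the rewritten code, so the system's safety rests on the verifier rather than on the rewriter being bug-free. The instruction names, the guard form and the address range are assumptions for the illustration; the two-stack execution model is not modelled.

```python
# Toy model of the XFI rewriter/verifier split (illustration, not XFI's x86 code).
# Constructed instruction set: ("mov", reg, imm), ("add", reg, imm),
# ("load", reg), ("store", reg) access memory at the address held in reg, and
# ("guard", reg) is an inline software guard that traps unless LO <= reg < HI.
LO, HI = 0x1000, 0x2000      # constructed: the module's permitted data range

def rewrite(code, buggy=False):
    """Untrusted rewriter: insert a guard before every memory access.
    buggy=True models a defective rewriter that forgets to guard stores."""
    out = []
    for ins in code:
        if ins[0] in ("load", "store") and not (buggy and ins[0] == "store"):
            out.append(("guard", ins[1]))
        out.append(ins)
    return out

def verify(code):
    """Trusted verifier: every load/store must be dominated by a guard on the
    same register, with no write to that register in between (a guard whose
    register was modified afterwards is stale and does not count)."""
    guarded = set()
    for ins in code:
        op, reg = ins[0], ins[1]
        if op == "guard":
            guarded.add(reg)
        elif op in ("mov", "add"):
            guarded.discard(reg)          # register changed: guard is stale
        elif op in ("load", "store") and reg not in guarded:
            return False                  # unguarded access: reject module
    return True

def execute(code, regs, mem):
    """Run a program; a failing guard traps before the access is performed,
    returning "fault" (standing in for XFI's guard-failure handler)."""
    for ins in code:
        op, reg = ins[0], ins[1]
        if op == "mov":
            regs[reg] = ins[2]
        elif op == "add":
            regs[reg] += ins[2]
        elif op == "guard" and not (LO <= regs[reg] < HI):
            return "fault"
        elif op == "load":
            regs["acc"] = mem.get(regs[reg], 0)
        elif op == "store":
            mem[regs[reg]] = regs.get("acc", 0)
    return "ok"

# Constructed sample: an in-range store, then a load after bumping the pointer.
PROG = [("mov", "r1", 0x1800), ("store", "r1"), ("add", "r1", 0x10), ("load", "r1")]
```

Running verify over rewrite(PROG) accepts it, while the same program rewritten with buggy=True, or not rewritten at all, is rejected without the verifier knowing anything about the rewriter.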
