Enclosure: language-based restriction of untrusted libraries

Programming languages and systems have failed to address the security implications of the increasingly frequent use of public libraries to construct modern software. Most languages provide tools and online repositories to publish, import, and use libraries; however, this double-edged sword can incorporate a large quantity of unknown, unchecked, and unverified code into an application. The risk is real, as demonstrated by malevolent actors who have repeatedly inserted malware into popular open-source libraries. This paper proposes a solution: enclosures, a new programming language construct for library isolation that provides a developer with fine-grain control over the resources that a library can access, even for libraries with complex inter-library dependencies. The programming abstraction is language-independent and could be added to most languages. These languages would then be able to take advantage of hardware isolation mechanisms that are effective across language boundaries. The enclosure policies are enforced at run time by LitterBox, a language-independent framework that uses hardware mechanisms to provide uniform and robust isolation guarantees, even for libraries written in unsafe languages. LitterBox currently supports both Intel VT-x (with general-purpose extended page tables) and the emerging Intel Memory Protection Keys (MPK). We describe an enclosure implementation for the Go and Pythonlanguages. Our evaluation demonstrates that the Go implementation can protect sensitive data in real-world applications constructed using complex untrusted libraries with deep dependencies. It requires minimal code refactoring and incurs acceptable performance overhead. The Python implementation demonstrates LitterBox’s ability to support dynamic languages.

[1]  Mark Handley,et al.  Wedge: Splitting Applications into Reduced-Privilege Compartments , 2008, NSDI.

[2]  Peter Druschel,et al.  ERIM: Secure, Efficient In-process Isolation with Protection Keys (MPK) , 2019, USENIX Security Symposium.

[3]  Yutao Liu,et al.  Thwarting Memory Disclosure with Efficient Hypervisor-enforced Intra-domain Isolation , 2015, CCS.

[4]  Wouter Joosen,et al.  You are what you include: large-scale evaluation of remote javascript inclusions , 2012, CCS.

[5]  Peter G. Neumann,et al.  Clean Application Compartmentalization with SOAAP , 2015, CCS.

[6]  Robert Wahbe,et al.  Efficient software-based fault isolation , 1994, SOSP '93.

[7]  Zhi Wang,et al.  HyperSafe: A Lightweight Approach to Provide Lifetime Hypervisor Control-Flow Integrity , 2010, 2010 IEEE Symposium on Security and Privacy.

[8]  Martín Abadi,et al.  XFI: software guards for system address spaces , 2006, OSDI '06.

[9]  Muli Ben-Yehuda,et al.  CODOMs: Protecting software with Code-centric memory Domains , 2014, 2014 ACM/IEEE 41st International Symposium on Computer Architecture (ISCA).

[10]  Chris Fallin,et al.  Flipping bits in memory without accessing them: An experimental study of DRAM disturbance errors , 2014, 2014 ACM/IEEE 41st International Symposium on Computer Architecture (ISCA).

[11]  Michael L. Scott,et al.  Hodor: Intra-Process Isolation for High-Throughput Data Plane Libraries , 2019, USENIX Annual Technical Conference.

[12]  Peter G. Neumann,et al.  The CHERI capability model: Revisiting RISC in an age of risk , 2014, 2014 ACM/IEEE 41st International Symposium on Computer Architecture (ISCA).

[13]  Adrian Perrig,et al.  TrustVisor: Efficient TCB Reduction and Attestation , 2010, 2010 IEEE Symposium on Security and Privacy.

[14]  Markus Zimmermann,et al.  Small World with High Risks: A Study of Security Threats in the npm Ecosystem , 2019, USENIX Security Symposium.

[15]  Andrea C. Arpaci-Dusseau,et al.  The True Cost of Containing: A gVisor Case Study , 2019, HotCloud.

[16]  Gil Neiger,et al.  Intel virtualization technology , 2005, Computer.

[17]  Christoforos E. Kozyrakis,et al.  Usenix Association 10th Usenix Symposium on Operating Systems Design and Implementation (osdi '12) 335 Dune: Safe User-level Access to Privileged Cpu Features , 2022 .

[18]  Michael M. Swift,et al.  Nooks: an architecture for reliable device drivers , 2002, EW 10.

[19]  Switzerland.,et al.  Enclosures: language-based restriction of untrusted libraries Extended Abstract , 2020 .

[20]  Michael Hamburg,et al.  Spectre Attacks: Exploiting Speculative Execution , 2018, 2019 IEEE Symposium on Security and Privacy (SP).

[21]  Thierry Marianne Cloud Computing without Containers , 2018 .

[22]  Ashay Rane,et al.  MicroStache: A Lightweight Execution Context for In-Process Safe Region Isolation , 2018, RAID.

[23]  Bennet S. Yee,et al.  Native Client: A Sandbox for Portable, Untrusted x86 Native Code , 2009, 2009 30th IEEE Symposium on Security and Privacy.

[24]  James R. Larus,et al.  Secured Routines: Language-based Construction of Trusted Execution Environments , 2019, USENIX ATC.

[25]  David M. Eyers,et al.  Glamdring: Automatic Application Partitioning for Intel SGX , 2017, USENIX ATC.

[26]  Alon Zakai,et al.  Bringing the web up to speed with WebAssembly , 2017, PLDI.

[27]  Soyeon Park,et al.  libmpk: Software Abstraction for Intel Memory Protection Keys (Intel MPK) , 2019, USENIX Annual Technical Conference.

[28]  Long Lu,et al.  Shreds: Fine-Grained Execution Units with Private Memory , 2016, 2016 IEEE Symposium on Security and Privacy (SP).

[29]  Lei Liu,et al.  Chrome Extensions: Threat Analysis and Countermeasures , 2012, NDSS.

[30]  Xi Chen,et al.  No Need to Hide: Protecting Safe Regions on Commodity Hardware , 2017, EuroSys.

[31]  Wenke Lee,et al.  Secure in-VM monitoring using hardware virtualization , 2009, CCS.

[32]  Jerome H. Saltzer,et al.  The protection of information in computer systems , 1975, Proc. IEEE.

[33]  Peter Druschel,et al.  Light-Weight Contexts: An OS Abstraction for Safety and Performance , 2016, OSDI.

[34]  Ahmad-Reza Sadeghi,et al.  JITGuard: Hardening Just-in-time Compilers with SGX , 2017, CCS.

[35]  Robert C. Daley,et al.  The Multics virtual memory , 1972, Commun. ACM.

[36]  Aftab Hussain,et al.  LXDs: Towards Isolation of Kernel Subsystems , 2019, USENIX ATC.

[37]  Krste Asanovic,et al.  Mondrian memory protection , 2002, ASPLOS X.

[38]  Yubin Xia,et al.  Deconstructing Xen , 2017, NDSS.

[39]  Will Dietz,et al.  Nested Kernel: An Operating System Architecture for Intra-Kernel Privilege Separation , 2015, ASPLOS.

[40]  Patrick Th. Eugster,et al.  Enforcing Least Privilege Memory Views for Multithreaded Applications , 2016, CCS.

[41]  Manish Mahajan,et al.  Proof carrying code , 2015 .

[42]  Ahmad-Reza Sadeghi,et al.  IMIX: In-Process Memory Isolation EXtension , 2018, USENIX Security Symposium.