Evaluating SFI for a CISC Architecture

Executing untrusted code while preserving security requires that the code be prevented from modifying memory or executing instructions except as explicitly allowed. Software-based fault isolation (SFI) or "sandboxing" enforces such a policy by rewriting the untrusted code at the instruction level. However, the original sandboxing technique of Wahbe et al. is applicable only to RISC architectures, and most other previous work is either insecure or has not been described in enough detail to give confidence in its security properties. We present a new sandboxing technique that can be applied to a CISC architecture like the IA-32, and whose application can be checked at load-time to minimize the TCB. We describe an implementation which provides a robust security guarantee and has low runtime overheads (an average of 21% on the SPECint2000 benchmarks). We evaluate the utility of the technique by applying it to untrusted decompression modules in an archive tool, and its safety by constructing a machine-checked proof that any program approved by the verification algorithm will respect the desired safety property.
