Portable Software Fault Isolation

We present a new technique for architecture-portable software fault isolation (SFI), together with a prototype implementation in the Coq proof assistant. Unlike traditional SFI, which relies on analysis of assembly-level programs, we analyze and rewrite programs in a compiler intermediate language, the Cminor language of the CompCert C compiler. But like traditional SFI, the compiler remains outside of the trusted computing base. By composing our program transformer with the verified back-end of CompCert and leveraging CompCert's formally proved preservation of the behavior of safe programs, we can obtain binary modules that satisfy the SFI memory safety policy for any of CompCert's supported architectures (currently: PowerPC, ARM, and x86-32). This allows the same SFI analysis to be used across multiple architectures, greatly simplifying the most difficult part of deploying trustworthy SFI systems.
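The IR-level rewrite the abstract describes, shown as an added example on a constructed toy Cminor-like expression language (not the paper's Coq development and not CompCert's Cminor): the rewriter masks every load and store address into a fixed, power-of-two-aligned sandbox region, and a small interpreter records which addresses a program touches before and after rewriting. The sandbox bounds and the untrusted `PROGRAM` are constructed for the example.

```python
# Constructed toy model (an assumption of this example, not CompCert's Cminor
# and not the paper's Coq development) of the rewrite described above: every
# load/store address is forced into one power-of-two-aligned sandbox region.
# Exprs: ("const", n) | ("add", e, e) | ("and", e, e) | ("load", e); stmts: ("store", addr_e, val_e)
SANDBOX_BASE = 0x10000          # aligned to SANDBOX_SIZE
SANDBOX_SIZE = 0x10000          # must be a power of two
SANDBOX_MASK = SANDBOX_SIZE - 1

def sandbox(addr_expr):
    # base + (addr & mask): in-range addresses are unchanged, others wrap inside
    return ("add", ("const", SANDBOX_BASE),
            ("and", addr_expr, ("const", SANDBOX_MASK)))

def rewrite_expr(e):
    tag = e[0]
    if tag == "const":
        return e
    if tag in ("add", "and"):
        return (tag, rewrite_expr(e[1]), rewrite_expr(e[2]))
    if tag == "load":                     # the only memory-reading form
        return ("load", sandbox(rewrite_expr(e[1])))
    raise ValueError(f"unknown expression {tag}")

def rewrite_stmt(s):                      # s = ("store", addr_e, val_e)
    return ("store", sandbox(rewrite_expr(s[1])), rewrite_expr(s[2]))

def eval_expr(e, mem, touched):
    # Evaluate e over flat memory `mem`, appending every address accessed.
    ev = lambda x: eval_expr(x, mem, touched)
    if e[0] == "const":
        return e[1]
    if e[0] == "add":
        return (ev(e[1]) + ev(e[2])) & 0xFFFFFFFF
    if e[0] == "and":
        return ev(e[1]) & ev(e[2])
    addr = ev(e[1])                       # "load"
    touched.append(addr)
    return mem.get(addr, 0)

def run(stmts):
    # Execute stores in order; return (memory, list of addresses touched).
    mem, touched = {}, []
    for _, addr_e, val_e in stmts:
        val, addr = eval_expr(val_e, mem, touched), eval_expr(addr_e, mem, touched)
        touched.append(addr)
        mem[addr] = val
    return mem, touched
# Constructed untrusted module: an in-range store, then a wild store of a wild load.
PROGRAM = [("store", ("const", 0x10004), ("const", 7)),
           ("store", ("const", 0xDEADBEEF), ("load", ("const", 0x00000004)))]
```

Because the rewrite happens on the IR, the same masking is emitted for every target the back-end supports; only the back-end's preservation proof, not the analysis, depends on the architecture.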
