RockSalt: better, faster, stronger SFI for the x86

Software-based fault isolation (SFI), as used in Google's Native Client (NaCl), relies upon a conceptually simple machine-code analysis to enforce a security policy. But for complicated architectures such as the x86, it is all too easy to get the details of the analysis wrong. We have built a new checker that is smaller, faster, and has a much reduced trusted computing base when compared to Google's original analysis. The key to our approach is automatically generating the bulk of the analysis from a declarative description which we relate to a formal model of a subset of the x86 instruction set architecture. The x86 model, developed in Coq, is of independent interest and should be usable for a wide range of machine-level verification tasks.
