Principles and Implementation Techniques of Software-Based Fault Isolation

When protecting a computer system, it is often necessary to isolate an untrusted component into a separate protection domain and provide only controlled interaction between the domain and the rest of the system. Software-based Fault Isolation (SFI) establishes a logical protection domain by inserting dynamic checks before memory and control-transfer instructions. Compared to other isolation mechanisms, it enjoys the benefits of high efficiency (with less than 5% performance overhead), being readily applicable to legacy native code, and not relying on special hardware or OS support. SFI has been successfully applied in many applications, including isolating OS kernel extensions, isolating plug-ins in browsers, and isolating native libraries in the Java Virtual Machine. In this survey article, we will discuss the SFI policy, its main implementation and optimization techniques, as well as an SFI formalization on an idealized assembly language. Gang Tan (2017), “Principles and Implementation Techniques of Software-Based Fault Isolation”, Foundations and Trends © in Privacy and Secruity: Vol. 1, No. 3, pp 137–198. DOI: 10.1561/3300000013.

[1]  Alan Donovan,et al.  PNaCl : Portable Native Client Executables , 2022 .

[2]  Xi Wang,et al.  Software fault isolation with API integrity and multi-principal modules , 2011, SOSP.

[3]  Niels Provos,et al.  Preventing Privilege Escalation , 2003, USENIX Security Symposium.

[4]  Miguel Castro,et al.  Preventing Memory Error Exploits with WIT , 2008, 2008 IEEE Symposium on Security and Privacy (sp 2008).

[5]  Bjorn De Sutter,et al.  ARMor: Fully verified software fault isolation , 2011, 2011 Proceedings of the Ninth ACM International Conference on Embedded Software (EMSOFT).

[6]  Louis-Julien Guillemette A type-preserving compiler from system f to typed assembly language , 2009 .

[7]  Stephen McCamant,et al.  Evaluating SFI for a CISC Architecture , 2006, USENIX Security Symposium.

[8]  Bennet S. Yee,et al.  Adapting Software Fault Isolation to Contemporary CPU Architectures , 2010, USENIX Security Symposium.

[9]  Stephen McCamant A Machine-Checked Safety Proof for a CISC-Compatible SFI Technique , 2006 .

[10]  Trent Jaeger,et al.  PtrSplit: Supporting General Pointers in Automatic Program Partitioning , 2017, CCS.

[11]  Joseph Tassarotti,et al.  RockSalt: better, faster, stronger SFI for the x86 , 2012, PLDI.

[12]  Gang Tan,et al.  JVM-Portable Sandboxing of Java's Native Libraries , 2012, ESORICS.

[13]  G. Danezis,et al.  Combining Control-Flow Integrity and Static Analysis for Efficient and Validated Data Sandboxing , 2011 .

[14]  A. Jaleel Memory Characterization of Workloads Using Instrumentation-Driven Simulation A Pin-based Memory Characterization of the SPEC CPU 2000 and SPEC CPU 2006 Benchmark Suites , 2022 .

[15]  Martín Abadi,et al.  Control-flow integrity , 2005, CCS '05.

[16]  Jun Sun,et al.  Automatically partition software into least privilege components using dynamic data dependency analysis , 2013, 2013 28th IEEE/ACM International Conference on Automated Software Engineering (ASE).

[17]  Adam Barth,et al.  The Security Architecture of the Chromium Browser , 2009 .

[18]  George Candea,et al.  Microreboot - A Technique for Cheap Recovery , 2004, OSDI.

[19]  Miguel Castro,et al.  Securing software by enforcing data-flow integrity , 2006, OSDI '06.

[20]  Miguel Castro,et al.  Fast byte-granularity software fault isolation , 2009, SOSP '09.

[21]  Qin Zhao,et al.  Transparent dynamic instrumentation , 2012, VEE '12.

[22]  Benedict G. E. Wiedemann Protection? , 1998, Science.

[23]  Milo M. K. Martin,et al.  SoftBound: highly compatible and complete spatial memory safety for c , 2009, PLDI '09.

[24]  Úlfar Erlingsson,et al.  Language-independent sandboxing of just-in-time compilation and self-modifying code , 2011, PLDI '11.

[25]  George C. Necula,et al.  CCured: type-safe retrofitting of legacy code , 2002, SIGP.

[26]  Margo I. Seltzer,et al.  Dealing with disaster: surviving misbehaved kernel extensions , 1996, OSDI '96.

[27]  Mark S. Miller,et al.  Robust composition: towards a unified approach to access control and concurrency control , 2006 .

[28]  Neha Narula,et al.  Native Client: A Sandbox for Portable, Untrusted x86 Native Code , 2009, IEEE Symposium on Security and Privacy.

[29]  Xavier Leroy,et al.  Formal certification of a compiler back-end or: programming a compiler with a proof assistant , 2006, POPL '06.

[30]  Jack W. Davidson,et al.  Safe virtual execution using software dynamic translation , 2002, 18th Annual Computer Security Applications Conference, 2002. Proceedings..

[31]  Robert Wahbe,et al.  Efficient software-based fault isolation , 1994, SOSP '93.

[32]  David A. Wagner,et al.  Fine-grained privilege separation for web applications , 2010, WWW '10.

[33]  Goh Kondoh,et al.  Finding bugs in java native interface programs , 2008, ISSTA '08.

[34]  Gang Tan,et al.  An Empirical Security Study of the Native Code in the JDK , 2008, USENIX Security Symposium.

[35]  Jun Xu,et al.  Non-Control-Data Attacks Are Realistic Threats , 2005, USENIX Security Symposium.

[36]  David A. Wagner,et al.  Joe-E: A Security-Oriented Subset of Java , 2010, NDSS.

[37]  Dinakar Dhurjati,et al.  Secure virtual architecture: a safe execution environment for commodity operating systems , 2007, SOSP.

[38]  Derek Bruening,et al.  Secure Execution via Program Shepherding , 2002, USENIX Security Symposium.

[39]  Liang Deng,et al.  ISboxing: An Instruction Substitution Based Data Sandboxing for x86 Untrusted Libraries , 2015, SEC.

[40]  Andrew W. Appel,et al.  Portable Software Fault Isolation , 2014, 2014 IEEE 27th Computer Security Foundations Symposium.

[41]  Bryan Ford,et al.  Vx32: Lightweight User-level Sandboxing on the x86 , 2008, USENIX Annual Technical Conference.

[42]  Dinakar Dhurjati,et al.  Backwards-compatible array bounds checking for C with very low overhead , 2006, ICSE.

[43]  Jerome H. Saltzer,et al.  Protection and the control of information sharing in multics , 1974, CACM.

[44]  Hovav Shacham,et al.  The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86) , 2007, CCS '07.

[45]  Mark Handley,et al.  Wedge: Splitting Applications into Reduced-Privilege Compartments , 2008, NSDI.

[46]  David Brumley,et al.  Privtrans: Automatically Partitioning Programs for Privilege Separation , 2004, USENIX Security Symposium.

[47]  Michael K. Reiter,et al.  Cross-VM side channels and their use to extract private keys , 2012, CCS.

[48]  Yue Chen,et al.  ARMlock: Hardware-based Fault Isolation for ARM , 2014, CCS.

[49]  Christopher Small MiSFIT: A Tool for Constructing Safe Extensible C++ Systems , 1997, COOTS.

[50]  J. Gregory Morrisett,et al.  Robusta: taming the native beast of the JVM , 2010, CCS '10.

[51]  Martín Abadi,et al.  XFI: software guards for system address spaces , 2006, OSDI '06.

[52]  Ben Niu,et al.  Monitor integrity protection with space efficiency and separate compilation , 2013, CCS.

[53]  Úlfar Erlingsson,et al.  Strato: A Retargetable Framework for Low-Level Inlined-Reference Monitors , 2013, USENIX Security Symposium.

[54]  George Candea,et al.  Code-pointer integrity , 2014, OSDI.

[55]  Thomas R. Gross,et al.  Fine-grained user-space security through virtualization , 2011, VEE '11.

[56]  Jeffrey S. Foster,et al.  Checking type safety of foreign function calls , 2008, ACM Trans. Program. Lang. Syst..