Portable Software Fault Isolation

Kroll, Joshua A.; Stewart, Gordon; Appel, Andrew W.

doi:10.1109/csf.2014.10

Cited by 14 publications

(19 citation statements)

References 36 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…A semantically equivalent but syntactically different code sequence would be rejected. An alternative to the a posteriori binary verifier approach is Portable Software Fault Isolation (PSFI), proposed by Kroll et al [16]. In this methodology, there is no verifier to trust.…”

Section: Software Fault Isolation Through Compilationmentioning

confidence: 99%

See 1 more Smart Citation

Compiling Sandboxes: Formally Verified Software Fault Isolation

Besson

Blazy

Dang

et al. 2019

Programming Languages and Systems

View full text Add to dashboard Cite

Software Fault Isolation (SFI) is a security-enhancing program transformation for instrumenting an untrusted binary module so that it runs inside a dedicated isolated address space, called a sandbox. To ensure that the untrusted module cannot escape its sandbox, existing approaches such as Google's Native Client rely on a binary verifier to check that all memory accesses are within the sandbox. Instead of relying on a posteriori verification, we design, implement and prove correct a program instrumentation phase as part of the formally verified compiler CompCert that enforces a sandboxing security property a priori. This eliminates the need for a binary verifier and, instead, leverages the soundness proof of the compiler to prove the security of the sandboxing transformation. The technical contributions are a novel sandboxing transformation that has a well-defined C semantics and which supports arbitrary function pointers, and a formally verified C compiler that implements SFI. Experiments show that our formally verified technique is a competitive way of implementing SFI.

show abstract

Section: Software Fault Isolation Through Compilationmentioning

confidence: 99%

“…This section presents background information about the CompCert compiler [18] and the Portable Software Fault Isolation proposed by Kroll et al [16].…”

Section: Introductionmentioning

confidence: 99%

Compiling Sandboxes: Formally Verified Software Fault Isolation

Besson

Blazy

Dang

et al. 2019

Programming Languages and Systems

View full text Add to dashboard Cite

show abstract

“…Verifying correct low-level compartmentalization Recent work focused on formally verifying the correctness of lowlevel compartmentalization mechanisms based on software fault isolation [42], [49], [73] or tagged hardware [12]. That work, however, only considers the correctness of the lowlevel compartmentalization mechanism, not the compiler and not high-level security properties and reasoning principles for code written in a programming language with components.…”

Section: Related Workmentioning

confidence: 99%

“…When used as a defense mechanism against memory unsafety, compartmentalization is often achieved via cooperation between a compiler and a low-level compartmentalization mechanism [16], [33], [39], [42], [61], [70], [72]. In this paper we use compartmentalizing compilation to refer to cooperative implementations of this sort.…”

Section: Introductionmentioning

confidence: 99%

Beyond Good and Evil: Formalizing the Security Guarantees of Compartmentalizing Compilation

Juglaret

Hriţcu²,

Amorim

et al. 2016

2016 IEEE 29th Computer Security Foundations Symposium (CSF)

View full text Add to dashboard Cite

International audienceCompartmentalization is good security-engineering practice. By breaking a large software system into mutually distrustful components that run with minimal privileges, restricting their interactions to conform to well-defined interfaces, we can limit the damage caused by low-level attacks such as control-flow hijacking. When used to defend against such attacks, compartmentalization is often implemented cooperatively by a compiler and a low-level compartmentalization mechanism. However, the formal guarantees provided by such compartmentalizing compilation have seen surprisingly little investigation. We propose a new security property, secure compartmentalizing compilation (SCC), that formally characterizes the guarantees provided by compartmentalizing compilation and clarifies its attacker model. We reconstruct our property by starting from the well-established notion of fully abstract compilation, then identifying and lifting three important limitations that make standard full abstraction unsuitable for compartmentalization. The connection to full abstraction allows us to prove SCC by adapting established proof techniques; we illustrate this with a compiler from a simple unsafe imperative language with procedures to a compartmentalized abstract machine

show abstract

“…There are several verified SFI systems, including ARMor [89], RockSalt [63], and a portable one by Kroll et al [54]. Our compartmentalization model is based on Wahbe et al's original SFI work [84] but differs from it in several ways.…”

Section: Compartmentalization Micro-policymentioning

confidence: 99%

Micro-Policies: Formally Verified, Tag-Based Security Monitors

Amorim¹,

Dénès

Giannarakis

et al. 2015

2015 IEEE Symposium on Security and Privacy

View full text Add to dashboard Cite

Abstract-Recent advances in hardware design have demonstrated mechanisms allowing a wide range of low-level security policies (or micro-policies) to be expressed using rules on metadata tags. We propose a methodology for defining and reasoning about such tag-based reference monitors in terms of a high-level "symbolic machine," and we use this methodology to define and formally verify micro-policies for dynamic sealing, compartmentalization, control-flow integrity, and memory safety; in addition, we show how to use the tagging mechanism to protect its own integrity. For each micro-policy, we prove by refinement that the symbolic machine instantiated with the policy's rules embodies a high-level specification characterizing a useful security property. Last, we show how the symbolic machine itself can be implemented in terms of a hardware rule cache and a software controller.

show abstract

Portable Software Fault Isolation

Cited by 14 publications

References 36 publications

Compiling Sandboxes: Formally Verified Software Fault Isolation

Compiling Sandboxes: Formally Verified Software Fault Isolation

Beyond Good and Evil: Formalizing the Security Guarantees of Compartmentalizing Compilation

Micro-Policies: Formally Verified, Tag-Based Security Monitors

Contact Info

Product

Resources

About