Abstract
When dealing with dynamic, untrusted content, such as on the Web, software behavior must be sandboxed, typically through the use of a language like JavaScript. However, even for such specially-designed languages, it is difficult to ensure the safety of highly-optimized, dynamic language runtimes, which, for efficiency, rely on advanced techniques such as Just-In-Time (JIT) compilation, large libraries of native-code support routines, and intricate mechanisms for multi-threading and garbage collection. Each new runtime provides a new potential attack surface, and this security risk raises a barrier to the adoption of new languages for creating untrusted content.
Removing this limitation, this paper introduces general mechanisms for safely and efficiently sandboxing software, such as dynamic language runtimes, that make use of advanced, low-level techniques like runtime code modification. Our language-independent sandboxing builds on Software-based Fault Isolation (SFI), a traditionally static technique. We provide a more flexible form of SFI by adding new constraints and mechanisms that allow safety to be guaranteed despite runtime code modifications.
We have added our extensions to both the x86-32 and x86-64 variants of a production-quality, SFI-based sandboxing platform; on those two architectures SFI mechanisms face different challenges. We have also ported two representative language platforms to our extended sandbox: the Mono common language runtime and the V8 JavaScript engine. In detailed evaluations, we find that sandboxing slowdown varies between different benchmarks, languages, and hardware platforms. Overheads are generally moderate and they are close to zero for some important benchmark/platform combinations.
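The abstract describes SFI as a verifier that checks machine code before it runs, and extends it so that code a JIT produces or rewrites at runtime is checked before it is installed. The following added example is not the paper's sandbox or its validator: it is a constructed toy instruction set (names NOP, ADD, JMP, MASK, JMPI, HALT, the constants BUNDLE and CODE_SIZE, and the `Sandbox`, `validate` and `install` functions are all assumptions made here) that uses two widely used SFI building blocks, a mask before every computed jump and fixed-size instruction bundles that no instruction may straddle. The paper's precise constraints are not given in the abstract, so the rules below are an illustration of the idea, not its mechanism. `install()` stands in for dynamic code loading or modification: a chunk is accepted only if it preserves the invariants of the code already present, and the interpreter shows what the checks prevent when they are bypassed.

```python
"""Toy software-fault-isolation (SFI) verifier and loader for dynamically generated code.
Added example with a constructed toy ISA; not the paper's sandbox or its real validator."""
from dataclasses import dataclass, field

BUNDLE = 16       # assumed bundle size for this toy (real platforms pick their own)
CODE_SIZE = 256   # assumed size of the sandboxed code region

# Toy instruction set (constructed for this example):
#   NOP        0x00       1 byte
#   ADD imm    0x01 imm   2 bytes   r += imm
#   JMP addr   0x02 addr  2 bytes   direct jump to an absolute address
#   MASK       0x03       1 byte    r &= (CODE_SIZE - 1) & ~(BUNDLE - 1)
#   JMPI       0x04       1 byte    indirect jump to r
#   HALT       0x05       1 byte    stop (also the filler for unused bytes)
NOP, ADD, JMP, MASK, JMPI, HALT = range(6)
LENGTH = {NOP: 1, ADD: 2, JMP: 2, MASK: 1, JMPI: 1, HALT: 1}
MASK_VALUE = (CODE_SIZE - 1) & ~(BUNDLE - 1)


class ValidationError(Exception):
    """Raised when a chunk of code violates an SFI invariant."""


def decode(code: bytes, base: int) -> dict:
    """Linear decode; returns {address: (opcode, operand)} for each instruction start.
    Rejects unknown opcodes and instructions that straddle a bundle boundary, which
    guarantees that every bundle start is also an instruction start."""
    insns, pc = {}, 0
    while pc < len(code):
        op = code[pc]
        if op not in LENGTH:
            raise ValidationError(f"unknown opcode {op:#x} at {base + pc:#x}")
        n = LENGTH[op]
        if pc + n > len(code):
            raise ValidationError(f"truncated instruction at {base + pc:#x}")
        if pc // BUNDLE != (pc + n - 1) // BUNDLE:
            raise ValidationError(f"instruction straddles a bundle at {base + pc:#x}")
        insns[base + pc] = (op, code[pc + 1] if n == 2 else None)
        pc += n
    return insns


def validate(code: bytes, base: int) -> dict:
    """Check the invariants a chunk must satisfy before it is installed in the region."""
    if base % BUNDLE or len(code) % BUNDLE or base + len(code) > CODE_SIZE:
        raise ValidationError("chunk must be bundle-aligned, bundle-sized and in the region")
    insns = decode(code, base)
    for addr, (op, operand) in insns.items():
        if op == JMP:
            # A direct target must be an instruction start in this chunk that is not a
            # JMPI (that would skip its MASK), or a bundle start anywhere in the region:
            # bundle starts are always instruction starts and, by the rule below, never JMPI.
            in_chunk = operand in insns and insns[operand][0] != JMPI
            at_bundle = operand % BUNDLE == 0 and operand < CODE_SIZE
            if not (in_chunk or at_bundle):
                raise ValidationError(f"direct jump at {addr:#x} to unsafe target {operand:#x}")
        elif op == JMPI:
            # MASK must immediately precede JMPI inside the same bundle, so no control
            # transfer (all of which land on instruction or bundle starts) can skip it.
            prev = addr - LENGTH[MASK]
            if insns.get(prev, (None, None))[0] != MASK or prev // BUNDLE != addr // BUNDLE:
                raise ValidationError(f"unmasked indirect jump at {addr:#x}")
    return insns


@dataclass
class Sandbox:
    """The code region plus a tiny interpreter that checks control stays inside it."""
    code: bytearray = field(default_factory=lambda: bytearray([HALT] * CODE_SIZE))

    def install(self, chunk: bytes, base: int) -> None:
        """Dynamic code loading or modification: verify first, then copy whole bundles."""
        validate(chunk, base)
        self.code[base:base + len(chunk)] = chunk

    def run(self, entry: int = 0, reg: int = 0, max_steps: int = 1000):
        """Interpret from `entry`; returns (halt_pc, reg, steps)."""
        pc = entry
        for step in range(max_steps):
            if not 0 <= pc < CODE_SIZE:
                raise RuntimeError(f"escaped sandbox: pc={pc:#x}")
            op = self.code[pc]
            if op == HALT:
                return pc, reg, step
            if op == NOP:
                pc += 1
            elif op == ADD:
                reg, pc = reg + self.code[pc + 1], pc + 2
            elif op == JMP:
                pc = self.code[pc + 1]
            elif op == MASK:
                reg, pc = reg & MASK_VALUE, pc + 1
            elif op == JMPI:
                pc = reg
            else:
                raise RuntimeError(f"unknown opcode {op:#x} at {pc:#x}")
        raise RuntimeError("step limit exceeded")


def pad(*insns: int) -> bytes:
    """Pad a short instruction sequence with HALT up to whole bundles (constructed input)."""
    body = bytes(insns)
    return body + bytes([HALT]) * (-len(body) % BUNDLE)


def rejection_reason(chunk: bytes, base: int):
    """Return the validator's reason for rejecting `chunk`, or None if it is accepted."""
    try:
        validate(chunk, base)
        return None
    except ValidationError as err:
        return str(err)


def run_jit_output():
    """Install two constructed 'JIT-emitted' bundles and run them: the first computes
    r = 0x25, masks it down to bundle start 0x20 and jumps there; the second adds 1."""
    sb = Sandbox()
    sb.install(pad(ADD, 0x10, ADD, 0x15, MASK, JMPI), 0x00)
    sb.install(pad(ADD, 0x01), 0x20)
    return sb.run(0x00)   # halts at 0x22 with r == 0x21 after 5 executed instructions


def escape_without_validation():
    """Show what the validator prevents: an unmasked computed jump, copied into the region
    without install(), carries control straight out of the sandbox."""
    sb = Sandbox()
    chunk = pad(ADD, 0xF0, ADD, 0x20, JMPI)
    sb.code[0:len(chunk)] = chunk   # bypassing validate() on purpose
    try:
        sb.run(0x00)
    except RuntimeError as err:
        return str(err)
    return None


if __name__ == "__main__":
    print("validated JIT output ran:", run_jit_output())
    print("unmasked jump:", rejection_reason(pad(ADD, 0x10, JMPI), 0))
    print("mask split across bundles:", rejection_reason(pad(*([NOP] * 15 + [MASK, JMPI])), 0))
    print("jump into a JMPI:", rejection_reason(pad(MASK, JMPI, JMP, 0x01), 0))
    print("without validation:", escape_without_validation())
```

The two rules carry the whole argument: because no instruction straddles a bundle and MASK sits directly before JMPI in the same bundle, every address a masked jump can produce is a bundle start, every bundle start is an instruction start, and no such start is a JMPI whose mask could be skipped. A chunk installed later is checked against exactly those invariants, which is why its direct jumps into existing code are limited to bundle starts rather than to arbitrary addresses of code the validator cannot see at that moment.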
Language-independent sandboxing of just-in-time compilation and self-modifying code. In PLDI '11: Proceedings of the 32nd ACM SIGPLAN Conference on Programming Language Design and Implementation.