Language-independent sandboxing of just-in-time compilation and self-modifying code

Published: 4 June 2011

Abstract

When dealing with dynamic, untrusted content, such as on the Web, software behavior must be sandboxed, typically through the use of a language like JavaScript. However, even for such specially designed languages, it is difficult to ensure the safety of highly optimized, dynamic language runtimes which, for efficiency, rely on advanced techniques such as Just-In-Time (JIT) compilation, large libraries of native-code support routines, and intricate mechanisms for multi-threading and garbage collection. Each new runtime provides a new potential attack surface, and this security risk raises a barrier to the adoption of new languages for creating untrusted content.

To remove this limitation, this paper introduces general mechanisms for safely and efficiently sandboxing software, such as dynamic language runtimes, that makes use of advanced, low-level techniques like runtime code modification. Our language-independent sandboxing builds on Software-based Fault Isolation (SFI), a traditionally static technique. We provide a more flexible form of SFI by adding new constraints and mechanisms that allow safety to be guaranteed despite runtime code modifications.

We have added our extensions to both the x86-32 and x86-64 variants of a production-quality, SFI-based sandboxing platform; on those two architectures SFI mechanisms face different challenges. We have also ported two representative language platforms to our extended sandbox: the Mono common language runtime and the V8 JavaScript engine. In detailed evaluations, we find that sandboxing slowdown varies between different benchmarks, languages, and hardware platforms. Overheads are generally moderate and they are close to zero for some important benchmark/platform combinations.


Published in

ACM SIGPLAN Notices, Volume 46, Issue 6 (PLDI '11), June 2011, 652 pages
ISSN: 0362-1340
EISSN: 1558-1160
DOI: 10.1145/1993316

PLDI '11: Proceedings of the 32nd ACM SIGPLAN Conference on Programming Language Design and Implementation, June 2011, 668 pages
ISBN: 9781450306638
DOI: 10.1145/1993498
General Chair: Mary Hall
Program Chair: David Padua

Copyright © 2011 ACM

Publisher: Association for Computing Machinery, New York, NY, United States

Qualifier: research-article