作者
Stephen McCamant, Greg Morrisett
发表日期
2006/8/2
期刊
USENIX Security Symposium
卷号
10
页码范围
209-224
简介
Executing untrusted code while preserving security requires that the code be prevented from modifying memory or executing instructions except as explicitly allowed. Software-based fault isolation (SFI) or “sandboxing” enforces such a policy by rewriting the untrusted code at the instruction level. However, the original sandboxing technique of Wahbe et al. is applicable only to RISC architectures, and most other previous work is either insecure, or has been not described in enough detail to give confidence in its security properties. We present a new sandboxing technique that can be applied to a CISC architecture like the IA-32, and whose application can be checked at load-time to minimize the TCB. We describe an implementation which provides a robust security guarantee and has low runtime overheads (an average of 21% on the SPECint2000 benchmarks). We evaluate the utility of the technique by applying it to untrusted decompression modules in an archive tool, and its safety by constructing a machine-checked proof that any program approved by the verification algorithm will respect the desired safety property.
引用总数
20062007200820092010201120122013201420152016201720182019202020212022202320247381111162428223230192115151514133
学术搜索中的文章
S McCamant, G Morrisett - USENIX Security Symposium, 2006