Preventing Kernel Hacks with HAKCs

DP McKee, Y Giannaris, C Ortega, HE Shrobe… - NDSS, 2022 - ndss-symposium.org
Commodity operating system kernels remain monolithic for practical and historical reasons.
All kernel code shares a single address space, executes with elevated processor privileges …

Principles and implementation techniques of software-based fault isolation

G Tan - Foundations and Trends® in Privacy and Security, 2017 - nowpublishers.com
When protecting a computer system, it is often necessary to isolate an untrusted component
into a separate protection domain and provide only controlled interaction between the …

WaVe: a verifiably secure WebAssembly sandboxing runtime

E Johnson, E Laufer, Z Zhao, D Gohman… - … IEEE Symposium on …, 2023 - ieeexplore.ieee.org
The promise of software sandboxing is flexible, fast and portable isolation; capturing the
benefits of hardware-based memory protection without requiring operating system …

Provably-Safe multilingual software sandboxing using WebAssembly

J Bosamiya, WS Lim, B Parno - 31st USENIX Security Symposium …, 2022 - usenix.org
Many applications, from the Web to smart contracts, need to safely execute untrusted code.
We observe that WebAssembly (Wasm) is ideally positioned to support such applications …

{ARCUS}: symbolic root cause analysis of exploits in production systems

C Yagemann, M Pruett, SP Chung, K Bittick… - 30th USENIX Security …, 2021 - usenix.org
End-host runtime monitors (e.g., CFI, system call IDS) flag processes in response to
symptoms of a possible attack. Unfortunately, the symptom (e.g., invalid control transfer) may …

Micro-policies: Formally verified, tag-based security monitors

AA De Amorim, M Dénès, N Giannarakis… - … IEEE Symposium on …, 2015 - ieeexplore.ieee.org
Recent advances in hardware design have demonstrated mechanisms allowing a wide
range of low-level security policies (or micro-policies) to be expressed using rules on …

Isolation without taxation: near-zero-cost transitions for WebAssembly and SFI

M Kolosick, S Narayan, E Johnson, C Watt… - Proceedings of the …, 2022 - dl.acm.org
Software sandboxing or software-based fault isolation (SFI) is a lightweight approach to
building secure systems out of untrusted components. Mozilla, for example, uses SFI to …

Доверяй, но проверяй (Trust, but verify): SFI safety for native-compiled Wasm

E Johnson, D Thien, Y Alhessi, S Narayan… - Network and …, 2021 - par.nsf.gov
WebAssembly (Wasm) is a platform-independent bytecode that offers both good
performance and runtime isolation. To implement isolation, the compiler inserts safety …
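The Tan survey above and the two Wasm entries all refer to the same underlying mechanism: the compiler (or rewriter) confines every memory access of an untrusted module to a sandbox region, either by an explicit bounds check that traps, or by masking the address so it cannot point outside the region. The following is an added illustration of both techniques in C; it is not code from any of the listed papers or from any Wasm runtime. The 64 KiB sandbox size, the function names and the constructed payload are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example: a 64 KiB sandbox ("linear memory") whose base is
   aligned to its own size, so the low SANDBOX_BITS of any address select an
   offset inside it and the high bits select the region itself. */
#define SANDBOX_BITS 16u
#define SANDBOX_SIZE (1u << SANDBOX_BITS)
#define SANDBOX_MASK ((uintptr_t)(SANDBOX_SIZE - 1))

static uint8_t *sandbox_raw;   /* backing allocation, twice the size */
static uint8_t *sandbox_base;  /* SANDBOX_SIZE-aligned start of the region */

/* Allocate the region and round its start up to a SANDBOX_SIZE boundary
   (portable alternative to aligned allocation). Idempotent. */
int sandbox_init(void) {
    if (sandbox_base) return 0;
    sandbox_raw = calloc(2 * SANDBOX_SIZE, 1);
    if (!sandbox_raw) return -1;
    uintptr_t a = ((uintptr_t)sandbox_raw + SANDBOX_SIZE - 1) & ~SANDBOX_MASK;
    sandbox_base = (uint8_t *)a;
    return 0;
}

/* Technique 1: explicit bounds check, as a Wasm compiler inserts before a
   memory access. The 64-bit sum avoids the classic offset+len wraparound;
   an out-of-bounds access traps (here: returns -1) instead of executing. */
int sfi_store_checked(uint32_t offset, uint32_t len, const uint8_t *src) {
    if ((uint64_t)offset + len > SANDBOX_SIZE) return -1;  /* trap */
    memcpy(sandbox_base + offset, src, len);
    return 0;
}

/* Technique 2: address masking (classic SFI). The high bits are forced to
   the sandbox's own, so a wild address wraps inside the region rather than
   escaping it; no branch, so no trap, but also no way out. */
uint8_t *sfi_mask_addr(uintptr_t untrusted_addr) {
    return (uint8_t *)(((uintptr_t)sandbox_base & ~SANDBOX_MASK)
                     | (untrusted_addr & SANDBOX_MASK));
}

/* Does a pointer lie inside the sandbox region? (Verification-style check.) */
int sfi_in_sandbox(const uint8_t *p) {
    return p >= sandbox_base && p < sandbox_base + SANDBOX_SIZE;
}

/* Constructed payload and a store helper with a fixed payload, so callers
   only choose the offset. Returns the checked-store result. */
static const uint8_t demo_payload[4] = {0xDE, 0xAD, 0xBE, 0xEF};
int sfi_store_demo(uint32_t offset) {
    return sfi_store_checked(offset, sizeof demo_payload, demo_payload);
}

/* Byte at a sandbox offset, for inspecting the effect of a store. */
int sfi_peek(uint32_t offset) {
    if (offset >= SANDBOX_SIZE) return -1;
    return sandbox_base[offset];
}

int main(void) {
    if (sandbox_init() != 0) return 1;
    printf("store at 0:          %d\n", sfi_store_demo(0));                 /* ok */
    printf("store at SIZE-2:     %d\n", sfi_store_demo(SANDBOX_SIZE - 2));  /* trap */
    printf("store at 0xFFFFFFFF: %d\n", sfi_store_demo(0xFFFFFFFFu));       /* trap */
    uint8_t *p = sfi_mask_addr((uintptr_t)sandbox_base + SANDBOX_SIZE + 7);
    printf("masked escape -> offset %ld, inside sandbox: %d\n",
           (long)(p - sandbox_base), sfi_in_sandbox(p));
    return 0;
}
```

The two techniques trade differently: the explicit check costs a compare and branch per access but gives a clean trap, which is what Wasm semantics require; masking is branch-free but silently redirects the access. The "trust, but verify" approach in the entry above is the complementary step: after the compiler has emitted these instrumented accesses, a verifier independently proves that every memory operand is of one of these confined forms.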

When good components go bad: Formally secure compilation despite dynamic compromise

C Abate, A Azevedo de Amorim, R Blanco… - Proceedings of the …, 2018 - dl.acm.org
We propose a new formal criterion for evaluating secure compilation schemes for unsafe
languages, expressing end-to-end security guarantees for software components that may …

Mitigating information leakage vulnerabilities with type-based data isolation

A Milburn, E Van Der Kouwe… - 2022 IEEE Symposium …, 2022 - ieeexplore.ieee.org
Information leakage vulnerabilities (or simply info leaks) such as out-of-bounds/uninitialized
reads in the architectural or speculative domain pose a significant security threat, allowing …