DOCSLIB.ORG

Sealing OS Processes to Improve Dependability and Security

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Sealing OS Processes to Improve Dependability and Security Sealing OS Processes to Improve Dependability and Safety Galen Hunt, Mark Aiken, Manuel Fähndrich, Chris Hawblitzel, Orion Hodson, James Larus, Steven Levi, Bjarne Steensgaard, David Tarditi, and Ted Wobber Microsoft Research One Microsoft Way Redmond, WA 98052 USA [email protected] ABSTRACT General Terms In most modern operating systems, a process is a Design, Reliability, Experimentation. hardware-protected abstraction for isolating code and data. This protection, however, is selective. Many common Keywords mechanisms—dynamic code loading, run-time code Open process architecture, sealed process architecture, sealed generation, shared memory, and intrusive system APIs— kernel, software isolated process (SIP). make the barrier between processes very permeable. This paper argues that this traditional open process architecture 1. INTRODUCTION exacerbates the dependability and security weaknesses of Processes debuted, circa 1965, as a recognized operating modern systems. system abstraction in Multics [48]. Multics pioneered As a remedy, this paper proposes a sealed process many attributes of modern processes: OS-supported architecture, which prohibits dynamic code loading, self- dynamic code loading, run-time code generation, cross- modifying code, shared memory, and limits the scope of process shared memory, and an intrusive kernel API that the process API. This paper describes the implementation permitted one process to modify directly the state of of the sealed process architecture in the Singularity another process. operating system, discusses its merits and drawbacks, and Today, this architecture—which we call the open process evaluates its effectiveness. Some benefits of this sealed architecture—is nearly universal. Although aspects of this process architecture are: improved program analysis by architecture, such as dynamic code loading and shared tools, stronger security and safety guarantees, elimination memory, were not in Multics’ immediate successors (early of redundant overlaps between the OS and language versions of UNIX [35] or early PC operating systems), runtimes, and improved software engineering. today’s systems, such as FreeBSD, Linux, Solaris, and Conventional wisdom says open processes are required for Windows, embrace all four attributes of the open process performance; our experience suggests otherwise. We architecture. present the first macrobenchmarks for a sealed-process The open process architecture is commonly used to extend operating system and applications. The benchmarks show an OS or application by dynamically loading new features that an experimental sealed-process system can achieve and functionality directly into a kernel or running process. performance competitive with highly-tuned, commercial, For example, Microsoft Windows supports over 100,000 open-process systems. third-party, in-kernel modules ranging in functionality Categories and Subject Descriptors from device drivers to anti-virus scanners. Dynamically D.2.3 [Software Engineering] Coding Tools and Techniques; loaded extensions are also widely used as web server D.2.4 [Software Engineering] Software/Program Verification; extensions (e.g., ISAPI extensions for Microsoft’s IIS or D.4.1 [Operating Systems]: Process Management; D.4.5 modules for Apache), stored procedures in databases, [Operating Systems]: Reliability; D.4.6 [Operating Systems]: email virus scanners, web browser plug-ins, application Organization and Design; D.4.7 [Operating Systems]: Security plug-ins, shell extensions, etc. While the role of open and Protection. processes in Windows is widely recognized, like any versatile technology they are widely use in other systems Permission to make digital or hard copies of part or all of this work for as well [10, 42]. personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy 1.1. Problems with Open Processes otherwise, to republish, to post on servers, or to redistribute to lists, Systems that support open processes almost always requires prior specific permission and/or a fee. EuroSys’07, March 21–23, 2007, Lisbon, Portugal. implement process isolation through hardware mechanisms Copyright 2007 ACM 978-1-59593-636-3/07/0003 such as memory management protection and differentiated user and kernel instructions [37]. These mechanisms are We can draw an instructive analogy between sealed not free, and their cost is a major motivation for open processes and sealed classes in object-oriented languages. processes. In Aiken et al. [2], we measured hardware Experience with programming languages has shown that isolation costs ranging from 2.5% (in a compute-bound class designers and implementers need mechanisms to task with no paging) to 33% (in an IPC-bound task). This limit class extension and to force extensions to use overhead arises from page table management and cache declared interfaces, in order to enforce a software and TLB misses. architecture and reduce implementation errors [7]. Similarly, sealed processes offer application developers Developers avoid the performance overhead of hardware explicit and enforceable interfaces for extensions. protection by using the open process architecture to closely couple software components. Software components Dynamic code loading also imposes less visible penalties located in a common process can communicate through on performance and correctness. A host program that can shared data structures and use simple mechanisms, such as load code is an open environment in which it is difficult to procedure calls, to transfer control. These mechanisms are make sound assumptions about states, invariants, or valid particularly attractive because programming languages transitions. Consider, for example, the Java Virtual provide far richer data and control structures within a Machine (JVM). An interrupt, exception, or thread switch process than between processes. can invoke code that loads a new file, overwrites class and method bodies, and modifies global state to change code Not surprisingly, the open process architecture has semantics [41]. This possibility either limits permissible drawbacks. In particular, eliminating the isolation between compiler optimizations or requires extensive run-time a host process and an extension is a major source of support to recompile affected code. software reliability, security, and compatibility problems. Although extensions are rarely trusted, verified, or fully In addition, static program analysis, which underlies both correct, they are routinely loaded directly into a host kernel compiler optimizations and static defect detection, is or process, with no hard interface or boundary between complicated by open processes. A code extension must be host and extension. The outcome is often unpleasant. For analyzed in the context of its host environment, which can example, Swift reports that faulty device drivers cause be complicated and expensive to specify and model [4]. 85% of diagnosed Windows system crashes [43]. The host itself cannot be fully or accurately analyzed Unpublished data from Microsoft Online Crash Analysis without complete specification of extensions’ behavior. To tools shows that in-process extensions are an important be practical, defect detection tools make assumptions source of failure in many software products, including about absent code that reduce the quality of their results. Windows, Word, Outlook, Exchange, and Internet Explorer. Results from a static analysis survey [9] suggest 1.2. Contributions that in-process and in-kernel extensions are a major source This paper defines a new sealed process architecture that of errors in open source code as well. addresses many shortcomings of the open process architecture. We describe the implementation and our early Open processes also weaken enforcement of security experience with a sealed process system. We present the policies. Few, if any, operating systems provide a strong first macrobenchmark results showing that a sealed- guarantee of application identity or include applications as process system can have performance competitive with principals in access control decisions. The complete code open-process systems even when the sealed-process running in an open process cannot be known a priori, so system is written in a safe language with garbage an access control decision based on the identity of the collection. We also present an analysis of the costs of program started in the process would be suspect. Instead, trade-offs of moving a major software component, the most systems control access to data based on the identity register allocator of a compiler, to a child process. of an authenticated user [51]. With the sealed process architecture, the OS ensures that In practice, the open process architecture also impairs code in a process cannot be altered once the process starts software engineering. An extension gains unrestrained executing. The system prohibits dynamic code loading, access to its host’s memory. Extensions can, and self-modifying code, cross-process sharing of memory, frequently do, reach inside their host’s implementation to and provides a process-limited kernel API. access private data structures or functions. These undocumented and unwanted dependencies constrain the Sealed processes offer many advantages. They increase the evolution of the host program and require software ability of program analysis tools to improve
Load more

Recommended publications
  • Draft SP 800-125A Rev. 1, Security Recommendations for Server
    The attached DRAFT document (provided here for historical purposes), released on April 11, 2018, has been superseded by the following publication: Publication Number: NIST Special Publication (SP) 800-125A Rev. 1 Title: Security Recommendations for Server-based Hypervisor Platforms Publication Date: June 2018 • Final Publication: https://doi.org/10.6028/NIST.SP.800-125Ar1 (which links to https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-125Ar1.pdf). • Related Information on CSRC: Final: https://csrc.nist.gov/publications/detail/sp/800-125a/rev-1/final 1 Draft NIST Special Publication 800-125A 2 Revision 1 3 4 Security Recommendations for 5 Hypervisor Deployment on 6 ServersServer-based Hypervisor 7 Platforms 8 9 10 11 12 Ramaswamy Chandramouli 13 14 15 16 17 18 19 20 21 22 23 C O M P U T E R S E C U R I T Y 24 25 Draft NIST Special Publication 800-125A 26 Revision 1 27 28 29 30 Security Recommendations for 31 Server-based Hypervisor Platforms 32 33 Hypervisor Deployment on Servers 34 35 36 37 Ramaswamy Chandramouli 38 Computer Security Division 39 Information Technology Laboratory 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 April 2018 56 57 58 59 60 61 U.S. Department of Commerce 62 Wilbur L. Ross, Jr., Secretary 63 64 National Institute of Standards and Technology 65 Walter Copan, NIST Director and Under Secretary of Commerce for Standards and Technology 66 67 Authority 68 69 This publication has been developed by NIST in accordance with its statutory responsibilities under the 70 Federal Information Security Modernization Act (FISMA) of 2014, 44 U.S.C.
    [Show full text]
  • Ebook - Informations About Operating Systems Version: August 15, 2006 | Download
    eBook - Informations about Operating Systems Version: August 15, 2006 | Download: www.operating-system.org AIX Internet: AIX AmigaOS Internet: AmigaOS AtheOS Internet: AtheOS BeIA Internet: BeIA BeOS Internet: BeOS BSDi Internet: BSDi CP/M Internet: CP/M Darwin Internet: Darwin EPOC Internet: EPOC FreeBSD Internet: FreeBSD HP-UX Internet: HP-UX Hurd Internet: Hurd Inferno Internet: Inferno IRIX Internet: IRIX JavaOS Internet: JavaOS LFS Internet: LFS Linspire Internet: Linspire Linux Internet: Linux MacOS Internet: MacOS Minix Internet: Minix MorphOS Internet: MorphOS MS-DOS Internet: MS-DOS MVS Internet: MVS NetBSD Internet: NetBSD NetWare Internet: NetWare Newdeal Internet: Newdeal NEXTSTEP Internet: NEXTSTEP OpenBSD Internet: OpenBSD OS/2 Internet: OS/2 Further operating systems Internet: Further operating systems PalmOS Internet: PalmOS Plan9 Internet: Plan9 QNX Internet: QNX RiscOS Internet: RiscOS Solaris Internet: Solaris SuSE Linux Internet: SuSE Linux Unicos Internet: Unicos Unix Internet: Unix Unixware Internet: Unixware Windows 2000 Internet: Windows 2000 Windows 3.11 Internet: Windows 3.11 Windows 95 Internet: Windows 95 Windows 98 Internet: Windows 98 Windows CE Internet: Windows CE Windows Family Internet: Windows Family Windows ME Internet: Windows ME Seite 1 von 138 eBook - Informations about Operating Systems Version: August 15, 2006 | Download: www.operating-system.org Windows NT 3.1 Internet: Windows NT 3.1 Windows NT 4.0 Internet: Windows NT 4.0 Windows Server 2003 Internet: Windows Server 2003 Windows Vista Internet: Windows Vista Windows XP Internet: Windows XP Apple - Company Internet: Apple - Company AT&T - Company Internet: AT&T - Company Be Inc. - Company Internet: Be Inc. - Company BSD Family Internet: BSD Family Cray Inc.
    [Show full text]
  • Microkernels in a Bit More Depth • Early Operating Systems Had Very Little Structure • a Strictly Layered Approach Was Promoted by Dijkstra
    Motivation Microkernels In a Bit More Depth Early operating systems had very little structure A strictly layered approach was promoted by Dijkstra THE Operating System [Dij68] COMP9242 2007/S2 Week 4 Later OS (more or less) followed that approach (e.g., Unix). UNSW Such systems are known as monolithic kernels COMP9242 07S2 W04 1 Microkernels COMP9242 07S2 W04 2 Microkernels Issues of Monolithic Kernels Evolution of the Linux Kernel E Advantages: Kernel has access to everything: all optimisations possible all techniques/mechanisms/concepts implementable Kernel can be extended by adding more code, e.g. for: new services support for new harwdare Problems: Widening range of services and applications OS bigger, more complex, slower, more error prone. Need to support same OS on different hardware. Like to support various OS environments. Distribution impossible to provide all services from same (local) kernel. COMP9242 07S2 W04 3 Microkernels COMP9242 07S2 W04 4 Microkernels Approaches to Tackling Complexity Evolution of the Linux Kernel Part 2 A Classical software-engineering approach: modularity Software-engineering study of Linux kernel [SJW+02]: (relatively) small, mostly self-contained components well-defined interfaces between them Looked at size and interdependencies of kernel "modules" enforcement of interfaces "common coupling": interdependency via global variables containment of faults to few modules Analysed development over time (linearised version number) Doesn't work with monolithic kernels: Result 1:
    [Show full text]
  • Building Performance Measurement Tools for the MINIX 3 Operating System
    Building Performance Measurement Tools for the MINIX 3 Operating System Rogier Meurs August 2006 Contents 1 INTRODUCTION 1 1.1 Measuring Performance 1 1.2 MINIX 3 2 2 STATISTICAL PROFILING 3 2.1 Introduction 3 2.2 In Search of a Timer 3 2.2.1 i8259 Timers 3 2.2.2 CMOS Real-Time Clock 3 2.3 High-level Description 4 2.4 Work Done in User-Space 5 2.4.1 The SPROFILE System Call 5 2.5 Work Done in Kernel-Space 5 2.5.1 The SPROF Kernel Call 5 2.5.2 Profiling using the CMOS Timer Interrupt 6 2.6 Work Done at the Application Level 7 2.6.1 Control Tool: profile 7 2.6.2 Analyzing Tool: sprofalyze.pl 7 2.7 What Can and What Cannot be Profiled 8 2.8 Profiling Results 8 2.8.1 High Scoring IPC Functions 8 2.8.2 Interrupt Delay 9 2.8.3 Profiling Runs on Simulator and Other CPU Models 12 2.9 Side-effect of Using the CMOS Clock 12 3 CALL PROFILING 13 3.1 Introduction 13 3.1.1 Compiler-supported Call Profiling 13 3.1.2 Call Paths, Call and Cycle Attribution 13 3.2 High-level Description 14 3.3 Work Done in User-Space 15 3.3.1 The CPROFILE System Call 15 3.4 Work Done in Kernel-Space 16 3.4.1 The PROFBUF and CPROF Kernel Calls 16 3.5 Work Done in Libraries 17 3.5.1 Profiling Using Library Functions 17 3.5.2 The Procentry Library Function 17 3.5.3 The Procexit Library Function 20 3.5.4 The Call Path String 22 3.5.5 Testing Overhead Elimination 23 3.6 Profiling Kernel-Space/User-Space Processes 24 3.6.1 Differences in Announcing and Table Sizes 24 3.6.2 Kernel-Space Issue: Reentrancy 26 3.6.3 Kernel-Space Issue: The Call Path 26 3.7 Work Done at the Application
    [Show full text]
  • Designing and Implementing the OP and OP2 Web Browsers
    Designing and Implementing the OP and OP2 Web Browsers CHRIS GRIER, SHUO TANG and SAMUEL T. KING, University of Illinois at Urbana-Champaign Current web browsers are plagued with vulnerabilities, providing hackers with easy access to computer systems via browser-based attacks. Browser security efforts that retrofit existing browsers have had lim- ited success because the design of modern browsers is fundamentally flawed. To enable more secure web browsing, we design and implement a new browser, called the OP web browser, that attempts to improve the state-of-the-art in browser security. We combine operating system design principles with formal methods to design a more secure web browser by drawing on the expertise of both communities. Our design philosophy is to partition the browser into smaller subsystems and make all communication between subsystems sim- ple and explicit. At the core of our design is a small browser kernel that manages the browser subsystems and interposes on all communications between them to enforce our new browser security features. To show the utility of our browser architecture, we design and implement three novel security features. First, we develop flexible security policies that allow us to include browser plugins within our security framework. Second, we use formal methods to prove useful security properties including user interface invariants and browser security policy. Third, we design and implement a browser-level information-flow tracking system to enable post-mortem analysis of browser-based attacks. In addition to presenting the OP browser architecture, we discuss the design and implementation of a second version of OP, OP2, that includes features from other secure web browser designs to improve on the overall security and performance of OP.
    [Show full text]
  • Real-Time Operating System in Java
    University of Wollongong Theses Collection University of Wollongong Theses Collection University of Wollongong Year Real-time operating system in Java Qinghua Lu University of Wollongong Lu, Qinghua, Real-time operating system in Java, MA thesis, School of Computer Science and Software Engineering, University of Wollongong, 2007. http://ro.uow.edu/theses/29 This paper is posted at Research Online. http://ro.uow.edu.au/theses/29 Real-time Operating System in Java A thesis submitted in fulfilment of the requirements for the award of the degree Master of Computer Science -Research from UNIVERSITY OF WOLLONGONG by Qinghua Lu School of Computer Science & Software Engineering August, 2007 1 Dedicated to My Parents, Lu Changyou and Luo Xiue! 2 The following papers were written as part of this research. 1. McKerrow, P.J., Lu, Q., Zhou, Z.Q. and Chen, L. (2007), Developing real-time systems in Java on Macintosh, Submitted to AUC’07, Apple University Consortium, Gold Coast, September, 23-26, 2007. 2. McKerrow, P.J., Lu, Q., Zhou, Z.Q. and Chen, L. (2007), Software development of embedded systems on Macintosh, Submitted to AUC’07, Apple University Consortium, Gold Coast, September, 23-26, 2007. 3 Declaration I, Qinghua Lu, declare that this thesis, submitted in fulfilment of the requirements for the award of Master of Computer Science -Research, in the School of Computer Science & Software Engineering, University of Wollongong, is wholly my own work unless otherwise referenced or acknowledged. The document has not been submitted for qualifications
    [Show full text]
  • Alpha ELT Listing
    Lienholder Name Lienholder Address City State Zip ELT ID 1ST ADVANTAGE FCU PO BX 2116 NEWPORT NEWS VA 23609 CFW 1ST COMMAND BK PO BX 901041 FORT WORTH TX 76101 FXQ 1ST FNCL BK USA 47 SHERMAN HILL RD WOODBURY CT 06798 GVY 1ST LIBERTY FCU PO BX 5002 GREAT FALLS MT 59403 ESY 1ST NORTHERN CA CU 1111 PINE ST MARTINEZ CA 94553 EUZ 1ST NORTHERN CR U 230 W MONROE ST STE 2850 CHICAGO IL 60606 GVK 1ST RESOURCE CU 47 W OXMOOR RD BIRMINGHAM AL 35209 DYW 1ST SECURITY BK WA PO BX 97000 LYNNWOOD WA 98046 FTK 1ST UNITED SVCS CU 5901 GIBRALTAR DR PLEASANTON CA 94588 W95 1ST VALLEY CU 401 W SECOND ST SN BERNRDNO CA 92401 K31 360 EQUIP FIN LLC 300 BEARDSLEY LN STE D201 AUSTIN TX 78746 DJH 360 FCU PO BX 273 WINDSOR LOCKS CT 06096 DBG 4FRONT CU PO BX 795 TRAVERSE CITY MI 49685 FBU 777 EQUIPMENT FIN LLC 600 BRICKELL AVE FL 19 MIAMI FL 33131 FYD A C AUTOPAY PO BX 40409 DENVER CO 80204 CWX A L FNCL CORP PO BX 11907 SANTA ANA CA 92711 J68 A L FNCL CORP PO BX 51466 ONTARIO CA 91761 J90 A L FNCL CORP PO BX 255128 SACRAMENTO CA 95865 J93 A L FNCL CORP PO BX 28248 FRESNO CA 93729 J95 A PLUS FCU PO BX 14867 AUSTIN TX 78761 AYV A PLUS LOANS 500 3RD ST W SACRAMENTO CA 95605 GCC A/M FNCL PO BX 1474 CLOVIS CA 93613 A94 AAA FCU PO BX 3788 SOUTH BEND IN 46619 CSM AAC CU 177 WILSON AVE NW GRAND RAPIDS MI 49534 GET AAFCU PO BX 619001 MD2100 DFW AIRPORT TX 75261 A90 ABLE INC 503 COLORADO ST AUSTIN TX 78701 CVD ABNB FCU 830 GREENBRIER CIR CHESAPEAKE VA 23320 CXE ABOUND FCU PO BX 900 RADCLIFF KY 40159 GKB ACADEMY BANK NA PO BX 26458 KANSAS CITY MO 64196 ATF ACCENTRA CU 400 4TH
    [Show full text]
  • Isolation, Resource Management, and Sharing in Java
    Processes in KaffeOS: Isolation, Resource Management, and Sharing in Java Godmar Back, Wilson C. Hsieh, Jay Lepreau School of Computing University of Utah Abstract many environments for executing untrusted code: for example, applets, servlets, active packets [41], database Single-language runtime systems, in the form of Java queries [15], and kernel extensions [6]. Current systems virtual machines, are widely deployed platforms for ex- (such as Java) provide memory protection through the ecuting untrusted mobile code. These runtimes pro- enforcement of type safety and secure system services vide some of the features that operating systems pro- through a number of mechanisms, including namespace vide: inter-application memory protection and basic sys- and access control. Unfortunately, malicious or buggy tem services. They do not, however, provide the ability applications can deny service to other applications. For to isolate applications from each other, or limit their re- example, a Java applet can generate excessive amounts source consumption. This paper describes KaffeOS, a of garbage and cause a Web browser to spend all of its Java runtime system that provides these features. The time collecting it. KaffeOS architecture takes many lessons from operating To support the execution of untrusted code, type-safe system design, such as the use of a user/kernel bound- language runtimes need to provide a mechanism to iso- ary, and employs garbage collection techniques, such as late and manage the resources of applications, analogous write barriers. to that provided by operating systems. Although other re- The KaffeOS architecture supports the OS abstraction source management abstractions exist [4], the classic OS of a process in a Java virtual machine.
    [Show full text]
  • Research Purpose Operating Systems – a Wide Survey
    GESJ: Computer Science and Telecommunications 2010|No.3(26) ISSN 1512-1232 RESEARCH PURPOSE OPERATING SYSTEMS – A WIDE SURVEY Pinaki Chakraborty School of Computer and Systems Sciences, Jawaharlal Nehru University, New Delhi – 110067, India. E-mail: [email protected] Abstract Operating systems constitute a class of vital software. A plethora of operating systems, of different types and developed by different manufacturers over the years, are available now. This paper concentrates on research purpose operating systems because many of them have high technological significance and they have been vividly documented in the research literature. Thirty-four academic and research purpose operating systems have been briefly reviewed in this paper. It was observed that the microkernel based architecture is being used widely to design research purpose operating systems. It was also noticed that object oriented operating systems are emerging as a promising option. Hence, the paper concludes by suggesting a study of the scope of microkernel based object oriented operating systems. Keywords: Operating system, research purpose operating system, object oriented operating system, microkernel 1. Introduction An operating system is a software that manages all the resources of a computer, both hardware and software, and provides an environment in which a user can execute programs in a convenient and efficient manner [1]. However, the principles and concepts used in the operating systems were not standardized in a day. In fact, operating systems have been evolving through the years [2]. There were no operating systems in the early computers. In those systems, every program required full hardware specification to execute correctly and perform each trivial task, and its own drivers for peripheral devices like card readers and line printers.
    [Show full text]
  • The Synthesis Kernel
    ... " The Synthesis Kernel Calton Pu, Henry Massalin and 21 ~; John loannidis Columbia University ABSTRACT: The Synthesis distributed operating system combines etticient kernel calls with a high­ level, orthogonal interface. The key concept is the use of a code synthesizer in the kernel to generate specialized (thus short and fast) kernel routines for specific situations. We have three methods of synthesizing code: Factoring Invariants to bypass redundant computations; Collapsing Layers to eliminate unnecessary procedure calls and context switches; and Executable Data Structures to shorten data structure traversal time. Applying these methods, the kernel call synthesized to read Idevlmem takes about 15 microseconds on a 68020 machine. A simple model of computation called a synthetic machine supports parallel and distributed processing. The interface to synthetic machine consists of six operations on four kinds of ohjects. This combination of a high-level interface with the code synthesizer avoids the traditional trade-off in operating systems between powerful interfaces and efficient implementations . ., Complliing .\'yslt'nIS, Vol. 1 • No.1' Winter IIJI!I! I I I. Introduction and data, and synthetic 1/0 units to move data in to and out of the synthetic machine. The synthetic machine interface and kernel code synthesizer A trade-off between powerful features and efficient arc independent ideas that have a synergistic eliect. Without the implementation exists in many operating systems. Systems with code synthesizer. even a sophisticated implementation of synthetic high-level interfaces and powerful features, like Argus lO and Eden/ machines would be very inetlicient. Each high-level kernel call require a lot of code for their implementation, and this added would require a large amount of code with a long execution time.
    [Show full text]
  • Cali: Compiler-Assisted Library Isolation
    Cali: Compiler-Assisted Library Isolation Markus Bauer Christian Rossow CISPA Helmholtz Center for Information Security CISPA Helmholtz Center for Information Security Saarbrücken, Saarland, Germany Saarbrücken, Saarland, Germany [email protected] [email protected] ABSTRACT the full program’s privileges and address space. This lack of privi- Software libraries can freely access the program’s entire address lege separation and memory isolation has led to numerous critical space, and also inherit its system-level privileges. This lack of sepa- security incidents. ration regularly leads to security-critical incidents once libraries We can significantly reduce this threat surface by isolating the contain vulnerabilities or turn rogue. We present Cali, a compiler- library from the main program. In most cases, a library (i) neither assisted library isolation system that fully automatically shields a requires access to the entire program’s address space, (ii) nor needs program from a given library. Cali is fully compatible with main- the full program’s privileges to function properly. In fact, even line Linux and does not require supervisor privileges to execute. We complex libraries such as parsers require only limited interaction compartmentalize libraries into their own process with well-defined with the program and/or system. Conceptually, there is thus little security policies. To preserve the functionality of the interactions need to grant an untrusted library access to the program or to between program and library, Cali uses a Program Dependence critical system privileges. Basic compartmentalization principles Graph to track data flow between the program and the library dur- thus help to secure a program from misuse by untrusted code.
    [Show full text]
  • A Complete Bibliography of Publications in Software—Practice and Experience
    A Complete Bibliography of Publications in Software|Practice and Experience Nelson H. F. Beebe University of Utah Department of Mathematics, 110 LCB 155 S 1400 E RM 233 Salt Lake City, UT 84112-0090 USA Tel: +1 801 581 5254 FAX: +1 801 581 4148 E-mail: [email protected], [email protected], [email protected] (Internet) WWW URL: http://www.math.utah.edu/~beebe/ 23 July 2021 Version 3.26 Title word cross-reference [Bar82a, Bar82c, Bar84b]. < [SMGMOFM07a, SMGMOFM07b]. > [SMGMOFM07a, SMGMOFM07b]. 2 [MST13, MDB19]. 3 [DS09]. 4 [MSR+07]. \ 0 [GW96]. 1 [GW96]. $1.50 [Bar78d]. $11 [PK04]. TM [MZB00, Win02]. 8 [DB21b]. k [Bar84a]. $12.00 [Rob72]. $13 [Bar84a]. [AW93, Mer93]. κ [MG94]. µ $13.00 [Rob72]. $18.50 [Jon74]. $185 [BS90c, BDS+92, SMNB21]. N [Bar79b]. $19.30 [Lan74a]. $19.50 [Dav78]. [MS98, Coh98, KST94, YAVHC21]. P 3 $25.00 [Pet77, And78]. 3 [BE02, FMA02]. [DC03]. PM [CLD+17]. q [GSR17]. τ $31-25 [Pet77]. $31.35 [Bri82]. 32 [VED06]. 2:5 [TSZ14, UDS+07]. $35.00 [Inc86]. $39.50 [Sim83]. 5 [CPMAH+20]. $58.50 [Wal81a]. $6.95 -ary [MS98]. -bit [AM10, SF85, VED06]. [Tho74]. 64 [AM10, VED06]. 68 -gram [Coh98, KST94, YAVHC21]. -grams [Ear76, Hol77]. $68.25 [Pit82]. $7.00 [GSR17]. -level [FM77]. -queens [Plu74]. [Bar72a]. $7.50 [Bar78d]. $7.95 -R [Ear76, Hol77]. -shortest-paths [MG94]. [Bar76a, Lav77]. $78.50 [Sim83]. 8 -System [BS90c]. [Plu74, SF85]. $8.95 [Bar82a, Bar82c, Bar84b]. $9.75 . [Bis81b]. .NET [Coo04, Han04]. [Bar77e, Mul76]. $9.80 [Atk79a]. $9.95 1 2 0 [Bar81, Edw98a, Edw98b, Gru83, Llo82, 2 [Bar74a, Bar74b, Bar80b, Bud85, Cor88b, Val77a, Val78, Wal83b].
    [Show full text]