DOCSLIB.ORG

Hacking the Hackers with User-Space Virtualization

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

secuBT : Hacking the Hackers with User-Space Virtualization Mathias Payer Department of Computer Science ETH Zurich Abstract Two interesting scenarios are (i) sandboxing of server processes, and (ii) execution of untrusted In the age of coordinated malware distribution and code. Server daemons that offer an interface to zero-day exploits security becomes ever more im- the Internet are under constant attack. If these portant. This paper presents secuBT, a safe ex- daemons are virtualized and restricted to only spe- ecution framework for the execution of untrusted cific system calls and parameters then an exploit binary code based on the fastBT dynamic binary is unable to escalate privileges and execute unin- translator. tended code. The second scenario targets plugins secuBT implements user-space virtualization us- and other downloaded untrusted code that a user ing dynamic binary translation and adds a system would like to run in a special sandbox. Whenever call interposition framework to limit and guard the the program issues a system call, the user can de- interoperability of binary code with the kernel. cide if it is allowed or not. The sandbox limits the Fast binary translation is a key component to possible interactions between the virtualized pro- user-space virtualization. secuBT uses and ex- gram and the operating system. System calls are tends fastBT, a generator for low-overhead, table- checked depending on name, parameters, and call based dynamic (just-in-time) binary translators. location. We discuss the most challenging sources of over- Such a sandbox could be implemented as a ker- head and propose optimizations to further reduce nel module. This would require additional code these penalties. We argue for hardening techniques that runs in the kernel itself which poses an addi- to ensure that the translated program cannot es- tional security risk. User-space virtualization uses cape out of the user-space virtualization. binary translation to sandbox processes. The virtu- An important feature of secuBT is that only alization layer controls all instructions that can be translated code is executed. This ensures code va- executed by the virtualized process. System calls lidity and makes it possible to rewrite individual are rewritten by the translation system so that an instructions. The system call interposition frame- authorization function is executed first. This au- work validates every system call and offers the thorization decides whether a system call (i) is al- choice to (i) allow it, (ii) abort the program, (iii) lowed, (ii) aborted, or (iii) redirected to a sandbox- redirect to an user-space emulation. internal function that emulates the system call in user-space. To the virtualized application it ap- pears as if the system call is executed directly. 1 Introduction We propose a sandbox that is built on a dy- namic binary translation (BT) system. Using BT In a world of increasing software complexity and ensures that all executed code is translated first, diversity it is important to sandbox and virtual- and therefore a program cannot escape the sand- ize running applications. Staying up-to-date on all box. If the translator encounters unsafe or invalid software applications and libraries is hard but nec- code it aborts the program. This builds a safe essary. On the other hand patches as well as mal- execution framework that validates executed code. ware discovery is reactive. secuBT is a step towards The translator can rewrite individual instructions, proactive security and fault detection. e.g. redirect system calls to handler functions. 1 Section 2 covers the design of the encapsulation original program and the code cache. This transla- framework and implementation of the binary trans- tion process ensures that the execution flow always lator fastBT [14]. Section 3 elaborates the security stays in the code cache. If the program is about to extension and the system call interposition frame- branch to an untranslated block of code then the work. The system is evaluated in Section 4, fol- translator is invoked to translate that block. The lowed by related work and our conclusion. translated block is then placed in the code cache and the execution of the program resumes at the newly translated block in the code cache. See Fig- 2 fastBT: Dynamic Binary ure 1 for an overview of such a generic translator. Translation Original program Translator Code cache Fast binary translation is the key component to im- Opcode table plement user-space virtualization. The dynamic 0 1' translation system checks and verifies every ma- 1 chine code instruction before it is executed. Static 3' Trampoline to binary translation does not suffice because it is un- translate 4 2 3 2' able to detect hidden code or malicious code that Mapping targets the static binary translator itself. Direct 3 3' control transfers are translated and redirected to 4 1 1' the code cache. Indirect control transfers are trans- 2 2' lated into an online lookup and dispatch to guaran- tee that only translated branch targets are reached. Figure 1: Runtime layout of the binary translator. The translation system can change, adapt, or re- move any invalid instruction. Using the translation system, system calls are rewritten and redirected to an interposition system. 2.1.1 Translation Tables To limit the overhead of binary translation the translation process must be fast and must produce The basic translation engine is a simple table-based competitive code. This section presents implemen- iterator. When the translator is invoked with a tation details of fastBT [14], a fast and flexible bi- pointer to a basic block, it first adds a reference to nary translator that is used to implement the exe- the mapping table from the original program loca- cutable space protection and system call interposi- tion to the location in the code cache. The iterator tion. An important feature of fastBT is that the then loops through the basic block one instruction return addresses on the stack remain unchanged. at a time. This adds additional complexity to handle return To decode the variable-length x86 instructions instructions as they are translated to a lookup and a large multidimensional translation table is con- an indirect control transfer. An unchanged stack structed that encodes all possible combinations of has the following advantages: (i) the program can machine code instructions and parameters. Start- validate and read its own call stack for debugging, ing with a base table each byte of the current in- (ii) exception handling uses return addresses to es- struction is checked. If the decoding of the instruc- cape to the correct frame, (iii) the program does tion is not finished in the current table, a pointer not know that it is translated, and (iv) the address redirects to the next table and the decoding pro- of the code cache is hidden from the program. cess continues with the next byte. This process is repeated until the instruction is completely de- 2.1 Basic Translator coded. As a next step the instruction and its arguments The translator processes basic blocks of the original are passed to a corresponding action function that program, places them in the code cache and adds handles the translation of this particular instruc- entries to the mapping table. The mapping table tion. Action functions can generate arbitrary code, is used to map between program locations in the alter, copy, or remove the instruction. Generated 2 code is emitted into the code cache. Therefore it makes sense to keep translated code in The translation process stops at recognizable ba- a cache for later reuse. As a result code is only sic block (BB) boundaries like branches or return translated once, reducing the overall translation instructions. Some BB boundaries like backward overhead. jumps are not recognizable, in such a case a part of fastBT uses a per thread cache strategy to in- the BB will be translated a second time. crease code locality. An additional advantage of At the end of a BB the translator checks if the thread local caches is that the action functions can outgoing edges are already translated, and adds emit hard-coded pointers to thread local data struc- jumps to the translated targets. If a target is not tures, otherwise the code would need to call expen- translated, the translator builds a trampoline that sive lookup functions. starts the translation engine for the corresponding The combination of the basic translator that BB, and adds a jump to the trampoline. stops at BB boundaries and the design of the code cache lead to a greedy trace extraction. These 2.1.2 Predefined Actions traces are formed as a side effect of the first ex- ecution and can possibly speed up the program. The translator needs different action functions to support the identity transformation. All safe in- structions that are executable in user-space are 2.1.4 Mapping Table copied to the code cache. Privileged instructions The mapping table maps between code locations in (e.g. all instructions that are not allowed to exe- the original program and code locations in the code cute in user-space) are intercepted and the program cache. The translator adds entries for all translated is aborted, otherwise the kernel would signal a seg- basic blocks. An entry consists of two pointers, the mentation fault or general protection fault. first pointing to the original location, the second Special care is needed for control instructions. pointing to the translated location. These are handled by specific action functions that The hash function used in any lookup function check the target of the branch instruction. These returns a relative offset into the mapping table. action functions emit extra code that gives the il- Adding the result from the hash function to the lusion as if the original code was executed.
Recommended publications
  • The Linux Kernel Module Programming Guide

    The Linux Kernel Module Programming Guide

    The Linux Kernel Module Programming Guide Peter Jay Salzman Michael Burian Ori Pomerantz Copyright © 2001 Peter Jay Salzman 2007−05−18 ver 2.6.4 The Linux Kernel Module Programming Guide is a free book; you may reproduce and/or modify it under the terms of the Open Software License, version 1.1. You can obtain a copy of this license at http://opensource.org/licenses/osl.php. This book is distributed in the hope it will be useful, but without any warranty, without even the implied warranty of merchantability or fitness for a particular purpose. The author encourages wide distribution of this book for personal or commercial use, provided the above copyright notice remains intact and the method adheres to the provisions of the Open Software License. In summary, you may copy and distribute this book free of charge or for a profit. No explicit permission is required from the author for reproduction of this book in any medium, physical or electronic. Derivative works and translations of this document must be placed under the Open Software License, and the original copyright notice must remain intact. If you have contributed new material to this book, you must make the material and source code available for your revisions. Please make revisions and updates available directly to the document maintainer, Peter Jay Salzman <[email protected]>. This will allow for the merging of updates and provide consistent revisions to the Linux community. If you publish or distribute this book commercially, donations, royalties, and/or printed copies are greatly appreciated by the author and the Linux Documentation Project (LDP).
  • The Xen Port of Kexec / Kdump a Short Introduction and Status Report

    The Xen Port of Kexec / Kdump a Short Introduction and Status Report

    The Xen Port of Kexec / Kdump A short introduction and status report Magnus Damm Simon Horman VA Linux Systems Japan K.K. www.valinux.co.jp/en/ Xen Summit, September 2006 Magnus Damm ([email protected]) Kexec / Kdump Xen Summit, September 2006 1 / 17 Outline Introduction to Kexec What is Kexec? Kexec Examples Kexec Overview Introduction to Kdump What is Kdump? Kdump Kernels The Crash Utility Xen Porting Effort Kexec under Xen Kdump under Xen The Dumpread Tool Partial Dumps Current Status Magnus Damm ([email protected]) Kexec / Kdump Xen Summit, September 2006 2 / 17 Introduction to Kexec Outline Introduction to Kexec What is Kexec? Kexec Examples Kexec Overview Introduction to Kdump What is Kdump? Kdump Kernels The Crash Utility Xen Porting Effort Kexec under Xen Kdump under Xen The Dumpread Tool Partial Dumps Current Status Magnus Damm ([email protected]) Kexec / Kdump Xen Summit, September 2006 3 / 17 Kexec allows you to reboot from Linux into any kernel. as long as the new kernel doesn’t depend on the BIOS for setup. Introduction to Kexec What is Kexec? What is Kexec? “kexec is a system call that implements the ability to shutdown your current kernel, and to start another kernel. It is like a reboot but it is indepedent of the system firmware...” Configuration help text in Linux-2.6.17 Magnus Damm ([email protected]) Kexec / Kdump Xen Summit, September 2006 4 / 17 . as long as the new kernel doesn’t depend on the BIOS for setup. Introduction to Kexec What is Kexec? What is Kexec? “kexec is a system call that implements the ability to shutdown your current kernel, and to start another kernel.
  • Anatomy of Linux Loadable Kernel Modules a 2.6 Kernel Perspective

    Anatomy of Linux Loadable Kernel Modules a 2.6 Kernel Perspective

    Anatomy of Linux loadable kernel modules A 2.6 kernel perspective Skill Level: Intermediate M. Tim Jones ([email protected]) Consultant Engineer Emulex Corp. 16 Jul 2008 Linux® loadable kernel modules, introduced in version 1.2 of the kernel, are one of the most important innovations in the Linux kernel. They provide a kernel that is both scalable and dynamic. Discover the ideas behind loadable modules, and learn how these independent objects dynamically become part of the Linux kernel. The Linux kernel is what's known as a monolithic kernel, which means that the majority of the operating system functionality is called the kernel and runs in a privileged mode. This differs from a micro-kernel, which runs only basic functionality as the kernel (inter-process communication [IPC], scheduling, basic input/output [I/O], memory management) and pushes other functionality outside the privileged space (drivers, network stack, file systems). You'd think that Linux is then a very static kernel, but in fact it's quite the opposite. Linux can be dynamically altered at run time through the use of Linux kernel modules (LKMs). More in Tim's Anatomy of... series on developerWorks • Anatomy of Linux flash file systems • Anatomy of Security-Enhanced Linux (SELinux) • Anatomy of real-time Linux architectures • Anatomy of the Linux SCSI subsystem • Anatomy of the Linux file system • Anatomy of the Linux networking stack Anatomy of Linux loadable kernel modules © Copyright IBM Corporation 1994, 2008. All rights reserved. Page 1 of 11 developerWorks® ibm.com/developerWorks • Anatomy of the Linux kernel • Anatomy of the Linux slab allocator • Anatomy of Linux synchronization methods • All of Tim's Anatomy of..
  • Improving System Security Through TCB Reduction

    Improving System Security Through TCB Reduction

    Improving System Security Through TCB Reduction Bernhard Kauer March 31, 2015 Dissertation vorgelegt an der Technischen Universität Dresden Fakultät Informatik zur Erlangung des akademischen Grades Doktoringenieur (Dr.-Ing.) Erstgutachter Prof. Dr. rer. nat. Hermann Härtig Technische Universität Dresden Zweitgutachter Prof. Dr. Paulo Esteves Veríssimo University of Luxembourg Verteidigung 15.12.2014 Abstract The OS (operating system) is the primary target of todays attacks. A single exploitable defect can be sufficient to break the security of the system and give fully control over all the software on the machine. Because current operating systems are too large to be defect free, the best approach to improve the system security is to reduce their code to more manageable levels. This work shows how the security-critical part of theOS, the so called TCB (Trusted Computing Base), can be reduced from millions to less than hundred thousand lines of code to achieve these security goals. Shrinking the software stack by more than an order of magnitude is an open challenge since no single technique can currently achieve this. We therefore followed a holistic approach and improved the design as well as implementation of several system layers starting with a newOS called NOVA. NOVA provides a small TCB for both newly written applications but also for legacy code running inside virtual machines. Virtualization is thereby the key technique to ensure that compatibility requirements will not increase the minimal TCB of our system. The main contribution of this work is to show how the virtual machine monitor for NOVA was implemented with significantly less lines of code without affecting the per- formance of its guest OS.
  • Kdump, a Kexec-Based Kernel Crash Dumping Mechanism

    Kdump, a Kexec-Based Kernel Crash Dumping Mechanism

    Kdump, A Kexec-based Kernel Crash Dumping Mechanism Vivek Goyal Eric W. Biederman Hariprasad Nellitheertha IBM Linux NetworkX IBM [email protected] [email protected] [email protected] Abstract important consideration for the success of a so- lution has been the reliability and ease of use. Kdump is a crash dumping solution that pro- Kdump is a kexec based kernel crash dump- vides a very reliable dump generation and cap- ing mechanism, which is being perceived as turing mechanism [01]. It is simple, easy to a reliable crash dumping solution for Linux R . configure and provides a great deal of flexibility This paper begins with brief description of what in terms of dump device selection, dump saving kexec is and what it can do in general case, and mechanism, and plugging-in filtering mecha- then details how kexec has been modified to nism. boot a new kernel even in a system crash event. The idea of kdump has been around for Kexec enables booting into a new kernel while quite some time now, and initial patches for preserving the memory contents in a crash sce- kdump implementation were posted to the nario, and kdump uses this feature to capture Linux kernel mailing list last year [03]. Since the kernel crash dump. Physical memory lay- then, kdump has undergone significant design out and processor state are encoded in ELF core changes to ensure improved reliability, en- format, and these headers are stored in a re- hanced ease of use and cleaner interfaces. This served section of memory. Upon a crash, new paper starts with an overview of the kdump de- kernel boots up from reserved memory and pro- sign and development history.
  • Communicating Between the Kernel and User-Space in Linux Using Netlink Sockets

    Communicating Between the Kernel and User-Space in Linux Using Netlink Sockets

    SOFTWARE—PRACTICE AND EXPERIENCE Softw. Pract. Exper. 2010; 00:1–7 Prepared using speauth.cls [Version: 2002/09/23 v2.2] Communicating between the kernel and user-space in Linux using Netlink sockets Pablo Neira Ayuso∗,∗1, Rafael M. Gasca1 and Laurent Lefevre2 1 QUIVIR Research Group, Departament of Computer Languages and Systems, University of Seville, Spain. 2 RESO/LIP team, INRIA, University of Lyon, France. SUMMARY When developing Linux kernel features, it is a good practise to expose the necessary details to user-space to enable extensibility. This allows the development of new features and sophisticated configurations from user-space. Commonly, software developers have to face the task of looking for a good way to communicate between kernel and user-space in Linux. This tutorial introduces you to Netlink sockets, a flexible and extensible messaging system that provides communication between kernel and user-space. In this tutorial, we provide fundamental guidelines for practitioners who wish to develop Netlink-based interfaces. key words: kernel interfaces, netlink, linux 1. INTRODUCTION Portable open-source operating systems like Linux [1] provide a good environment to develop applications for the real-world since they can be used in very different platforms: from very small embedded devices, like smartphones and PDAs, to standalone computers and large scale clusters. Moreover, the availability of the source code also allows its study and modification, this renders Linux useful for both the industry and the academia. The core of Linux, like many modern operating systems, follows a monolithic † design for performance reasons. The main bricks that compose the operating system are implemented ∗Correspondence to: Pablo Neira Ayuso, ETS Ingenieria Informatica, Department of Computer Languages and Systems.
  • Detecting Exploit Code Execution in Loadable Kernel Modules

    Detecting Exploit Code Execution in Loadable Kernel Modules

    Detecting Exploit Code Execution in Loadable Kernel Modules HaizhiXu WenliangDu SteveJ.Chapin Systems Assurance Institute Syracuse University 3-114 CST, 111 College Place, Syracuse, NY 13210, USA g fhxu02, wedu, chapin @syr.edu Abstract and pointer checks can lead to kernel-level exploits, which can jeopardize the integrity of the running kernel. Inside the In current extensible monolithic operating systems, load- kernel, exploitcode has the privilegeto interceptsystem ser- able kernel modules (LKM) have unrestricted access to vice routines, to modify interrupt handlers, and to overwrite all portions of kernel memory and I/O space. As a result, kernel data. In such cases, the behavior of the entire sys- kernel-module exploitation can jeopardize the integrity of tem may become suspect. the entire system. In this paper, we analyze the threat that Kernel-level protection is different from user space pro- comes from the implicit trust relationship between the oper- tection. Not every application-level protection mechanism ating system kernel and loadable kernel modules. We then can be applied directly to kernel code, because privileges present a specification-directed access monitoring tool— of the kernel environment is different from that of the user HECK, that detects kernel modules for malicious code ex- space. For example, non-executableuser page [21] and non- ecution. Inside the module, HECK prevents code execution executable user stack [29] use virtual memory mapping sup- on the kernel stack and the data sections; on the bound- port for pages and segments, but inside the kernel, a page ary, HECK restricts the module’s access to only those kernel or segment fault can lead to kernel panic.
  • DM-Relay - Safe Laptop Mode Via Linux Device Mapper

    DM-Relay - Safe Laptop Mode Via Linux Device Mapper

    ' $ DM-Relay - Safe Laptop Mode via Linux Device Mapper Study Thesis by cand. inform. Fabian Franz at the Faculty of Informatics Supervisor: Prof. Dr. Frank Bellosa Supervising Research Assistant: Dipl.-Inform. Konrad Miller Day of completion: 04/05/2010 &KIT – Universitat¨ des Landes Baden-Wurttemberg¨ und nationales Forschungszentrum in der Helmholtz-Gemeinschaft www.kit.edu % I hereby declare that this thesis is my own original work which I created without illegitimate help by others, that I have not used any other sources or resources than the ones indicated and that due acknowledgment is given where reference is made to the work of others. Karlsruhe, April 5th, 2010 Contents Deutsche Zusammenfassung xi 1 Introduction 1 1.1 Problem Definition . .1 1.2 Objectives . .1 1.3 Methodology . .1 1.4 Contribution . .2 1.5 Thesis Outline . .2 2 Background 3 2.1 Problems of Disk Power Management . .3 2.2 State of the Art . .4 2.3 Summary of this chapter . .8 3 Analysis 9 3.1 Pro and Contra . .9 3.2 A new approach . 13 3.3 Analysis of Proposal . 15 3.4 Summary of this chapter . 17 4 Design 19 4.1 Common problems . 19 4.2 System-Design . 21 4.3 Summary of this chapter . 21 5 Implementation of a dm-module for the Linux kernel 23 5.1 System-Architecture . 24 5.2 Log suitable for Flash-Storage . 28 5.3 Using dm-relay in practice . 31 5.4 Summary of this chapter . 31 vi Contents 6 Evaluation 33 6.1 Methodology . 33 6.2 Benchmarking setup .
  • An Evolutionary Study of Linux Memory Management for Fun and Profit Jian Huang, Moinuddin K

    An Evolutionary Study of Linux Memory Management for Fun and Profit Jian Huang, Moinuddin K

    An Evolutionary Study of Linux Memory Management for Fun and Profit Jian Huang, Moinuddin K. Qureshi, and Karsten Schwan, Georgia Institute of Technology https://www.usenix.org/conference/atc16/technical-sessions/presentation/huang This paper is included in the Proceedings of the 2016 USENIX Annual Technical Conference (USENIX ATC ’16). June 22–24, 2016 • Denver, CO, USA 978-1-931971-30-0 Open access to the Proceedings of the 2016 USENIX Annual Technical Conference (USENIX ATC ’16) is sponsored by USENIX. An Evolutionary Study of inu emory anagement for Fun and rofit Jian Huang, Moinuddin K. ureshi, Karsten Schwan Georgia Institute of Technology Astract the patches committed over the last five years from 2009 to 2015. The study covers 4587 patches across Linux We present a comprehensive and uantitative study on versions from 2.6.32.1 to 4.0-rc4. We manually label the development of the Linux memory manager. The each patch after carefully checking the patch, its descrip- study examines 4587 committed patches over the last tions, and follow-up discussions posted by developers. five years (2009-2015) since Linux version 2.6.32. In- To further understand patch distribution over memory se- sights derived from this study concern the development mantics, we build a tool called MChecker to identify the process of the virtual memory system, including its patch changes to the key functions in mm. MChecker matches distribution and patterns, and techniues for memory op- the patches with the source code to track the hot func- timizations and semantics. Specifically, we find that tions that have been updated intensively.
  • Comparison of Kernel and User Space File Systems

    Comparison of Kernel and User Space File Systems

    Comparison of kernel and user space file systems — Bachelor Thesis — Arbeitsbereich Wissenschaftliches Rechnen Fachbereich Informatik Fakultät für Mathematik, Informatik und Naturwissenschaften Universität Hamburg Vorgelegt von: Kira Isabel Duwe E-Mail-Adresse: [email protected] Matrikelnummer: 6225091 Studiengang: Informatik Erstgutachter: Professor Dr. Thomas Ludwig Zweitgutachter: Professor Dr. Norbert Ritter Betreuer: Michael Kuhn Hamburg, den 28. August 2014 Abstract A file system is part of the operating system and defines an interface between OS and the computer’s storage devices. It is used to control how the computer names, stores and basically organises the files and directories. Due to many different requirements, such as efficient usage of the storage, a grand variety of approaches arose. The most important ones are running in the kernel as this has been the only way for a long time. In 1994, developers came up with an idea which would allow mounting a file system in the user space. The FUSE (Filesystem in Userspace) project was started in 2004 and implemented in the Linux kernel by 2005. This provides the opportunity for a user to write an own file system without editing the kernel code and therefore avoid licence problems. Additionally, FUSE offers a stable library interface. It is originally implemented as a loadable kernel module. Due to its design, all operations have to pass through the kernel multiple times. The additional data transfer and the context switches are causing some overhead which will be analysed in this thesis. So, there will be a basic overview about on how exactly a file system operation takes place and which mount options for a FUSE-based system result in a better performance.
  • Lab 1: Loadable Kernel Modules (Lkms)

    Lab 1: Loadable Kernel Modules (Lkms)

    Lab 1: Loadable Kernel Modules (LKMs) Overview For this lab, we will be interfacing with an LCD screen using the Phytec board. This means we will be creating device drivers for our system to allow it to interact with our hardware. Since our board is running Linux­­ which is a pretty advanced operating system for most embedded devices­­ we will want to accomplish this by appending additional functionality to the working kernel. This is done using loadable kernel modules. Background Before we get too far, here is some important information we will need to know in order to interact with the Linux kernel and perform the functions we want. To write device drivers we must first understand what they are. There are three main types of device drivers; character, block, and network. In this class, we will be writing character device drivers. A character device driver is one that transfers data directly to and from a user process. This is the most common type of device driver. Character device drivers normally perform I/O in a byte stream. They can also provide additional interfaces not present in block drivers, such as I/O control commands, memory mapping, and device polling. Drivers that support a file system are known as block device drivers. Block ​ device drivers take a file system request, in the form of a buffer structure, and issue the ​ I/O operations to the disk to transfer the specified block. Block device drivers can also provide a character driver interface that allows utility programs to bypass the file system and access the device directly.
  • Vx32: Lightweight User-Level Sandboxing on the X86

    Vx32: Lightweight User-Level Sandboxing on the X86

    Vx32: Lightweight User-level Sandboxing on the x86 Bryan Ford and Russ Cox Massachusetts Institute of Technology {baford,rsc}@pdos.csail.mit.edu Abstract 1 Introduction Code sandboxing is useful for many purposes, but most A sandbox is a mechanism by which a host software sandboxing techniques require kernel modifications, do system may execute arbitrary guest code in a confined not completely isolate guest code, or incur substantial environment, so that the guest code cannot compromise performance costs. Vx32 is a multipurpose user-level or affect the host other than according to a well-defined sandbox that enables any application to load and safely policy. Sandboxing is useful for many purposes, such execute one or more guest plug-ins, confining each guest as running untrusted Web applets within a browser [6], to a system call API controlled by the host application safely extending operating system kernels [5, 32], and and to a restricted memory region within the host’s ad- limiting potential damage caused by compromised ap- dress space. Vx32 runs guest code efficiently on several plications [19, 22]. Most sandboxing mechanisms, how- widespread operating systems without kernel extensions ever, either require guest code to be (re-)written in a type- or special privileges; it protects the host program from safe language [5,6], depend on special OS-specific facil- both reads and writes by its guests; and it allows the host ities [8, 15, 18, 19], allow guest code unrestricted read to restrict the instruction set available to guests. The key access to the host’s state [29, 42], or entail a substantial to vx32’s combination of portability, flexibility, and effi- performance cost [33,34,37].