Derek L. Schuff,
Cliff L. Biffle and
This paper, presented at PLDI ’11, describes a key innovation behind Native
Client, which is (as far as I’m aware) an industry first: the ability to verify
the safety of a code-generating program, like a JIT or language runtime, and
that of its output, on the fly.
We can even support self-modifying code, with very little runtime overhead for
verification. I firmly believe that active runtimes involving some degree of
JIT code generation are the future, and this paper shows that we don’t have to
sacrifice security or reliability to support them.
I designed the mechanisms behind this technology with Bennet Yee and David Sehr,
for x86, x86-64, and ARM processors. The rest of the authors did the hard part:
implementing it in a portable way and shipping it to the masses. If you’re
using Chrome, you’re already using this technology.
We received an internal Google award for this paper.
Cliff L. Biffle,
Karl Schimpf and
Software Fault Isolation (SFI) is an effective approach to sandboxing binary
code of questionable provenance, an interesting use case for native plugins in
a Web browser. We present software fault isolation schemes for ARM and x86-64
that provide control-flow and memory integrity with average performance
overhead of under 5% on ARM and 7% on x86-64. We believe these are the best
known SFI implementations for these architectures, with significantly lower
overhead than previous systems for similar architectures. Our experience
suggests that these SFI implementations benefit from instruction-level
parallelism, and have particularly small impact for workloads that are data
memory-bound, both properties that tend to reduce the impact of our SFI
systems for future CPU implementations.
Presented at the 19th USENIX Security Symposium.