Language-Independent Sandboxing of Just-In-Time Compilation and Self-Modifying Code

This paper, presented at PLDI ’11, describes a key innovation behind Native Client, which is (as far as I’m aware) an industry first: the ability to verify the safety of a code-generating program, like a JIT or language runtime, and that of its output, on the fly.

We can even support self-modifying code, with very little runtime overhead for verification. I firmly believe that active runtimes involving some degree of JIT code generation are the future, and this paper shows that we don’t have to sacrifice security or reliability to support them.

I designed the mechanisms behind this technology with Bennet Yee and David Sehr, for x86, x86-64, and ARM processors. The rest of the authors did the hard part: implementing it in a portable way and shipping it to the masses. If you’re using Chrome, you’re already using this technology.

We received an internal Google award for this paper.

Adapting Software Fault Isolation to Contemporary CPU Architectures

Software Fault Isolation (SFI) is an effective approach to sandboxing binary code of questionable provenance, an interesting use case for native plugins in a Web browser. We present software fault isolation schemes for ARM and x86-64 that provide control-flow and memory integrity with average performance overhead of under 5% on ARM and 7% on x86-64. We believe these are the best known SFI implementations for these architectures, with significantly lower overhead than previous systems for similar architectures. Our experience suggests that these SFI implementations benefit from instruction-level parallelism, and have particularly small impact for workloads that are data memory-bound, both properties that tend to reduce the impact of our SFI systems for future CPU implementations.

Presented at the 19th USENIX Security Symposium.