Vx32: Lightweight userlevel sandboxing on the x86 (2008)

by Bryan Ford, Russ Cox
Venue: Proceedings of the USENIX Annual Technical Conference
Citations: 18 (1 self)

BibTeX

@INPROCEEDINGS{Ford08vx32:lightweight,
    author = {Bryan Ford and Russ Cox},
    title = {Vx32: Lightweight userlevel sandboxing on the x86},
    booktitle = {In Proceedings of the USENIX Annual Technical Conference},
    year = {2008}
}


Abstract

Code sandboxing is useful for many purposes, but most sandboxing techniques require kernel modifications, do not completely isolate guest code, or incur substantial performance costs. Vx32 is a multipurpose user-level sandbox that enables any application to load and safely execute one or more guest plug-ins, confining each guest to a system call API controlled by the host application and to a restricted memory region within the host's address space. Vx32 runs guest code efficiently on several widespread operating systems without kernel extensions or special privileges; it protects the host program from both reads and writes by its guests; and it allows the host to restrict the instruction set available to guests. The key to vx32's combination of portability, flexibility, and efficiency is its use of x86 segmentation hardware to sandbox the guest's data accesses, along with a lightweight instruction translator to sandbox guest instructions. We evaluate vx32 using microbenchmarks and whole-system benchmarks, and we examine four applications based on vx32: an archival storage system, an extensible public-key infrastructure, an experimental user-level operating system running atop another host OS, and a Linux system call jail. The first three applications export custom APIs independent of the host OS to their guests, making their plug-ins binary-portable across host systems. Compute-intensive workloads for the first two applications exhibit between a 30% slowdown and a 30% speedup on vx32 relative to native execution; speedups result from vx32's instruction translator improving the cache locality of guest code. The experimental user-level operating system allows the use of the guest OS's applications alongside the host's native applications and runs faster than whole-system virtual machine monitors such as VMware and QEMU. The Linux system call jail incurs up to 80% overhead but requires no kernel modifications and is delegation-based, avoiding concurrency vulnerabilities present in other interposition mechanisms.
