Foundations and Trends® in Privacy and Security > Vol 1 > Issue 3

Principles and Implementation Techniques of Software-Based Fault Isolation

By Gang Tan, Pennsylvania State University, USA, gtan@cse.psu.edu

 
Suggested Citation
Gang Tan (2017), "Principles and Implementation Techniques of Software-Based Fault Isolation", Foundations and Trends® in Privacy and Security: Vol. 1: No. 3, pp 137-198. http://dx.doi.org/10.1561/3300000013

Publication Date: 24 Oct 2017
© 2017 G. Tan
 
Subjects
Language-based security and privacy,  System security,  Application security,  Programming Language Security
 


Abstract

When protecting a computer system, it is often necessary to isolate an untrusted component into a separate protection domain and provide only controlled interaction between the domain and the rest of the system. Software-based Fault Isolation (SFI) establishes a logical protection domain by inserting dynamic checks before memory and control-transfer instructions. Compared to other isolation mechanisms, it enjoys the benefits of high efficiency (with less than 5% performance overhead), being readily applicable to legacy native code, and not relying on special hardware or OS support. SFI has been successfully applied in many applications, including isolating OS kernel extensions, isolating plug-ins in browsers, and isolating native libraries in the Java Virtual Machine. In this survey article, we will discuss the SFI policy, its main implementation and optimization techniques, as well as an SFI formalization on an idealized assembly language.

DOI:10.1561/3300000013
ISBN: 978-1-68083-344-7
74 pp. $60.00
 
ISBN: 978-1-68083-345-4
74 pp. $135.00
Table of contents:
1. Introduction
2. The SFI Policy
3. SFI Enforcement
4. SFI Verification and Formalization
5. Future Directions
6. Going Beyond Fault Isolation
7. Conclusions
Acknowledgments
References

Principles and Implementation Techniques of Software-Based Fault Isolation


This monograph discusses the SFI policy, its main implementation and optimization techniques, as well as an SFI formalization on an idealized assembly language. It concludes with a brief discussion on future research directions and a look at other properties that provide strong integrity and confidentiality guarantees on software systems.
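The abstract describes SFI as inserting dynamic checks before memory and control-transfer instructions. The following C program is an added illustration of that idea, not code from the monograph or its author: it simulates a protection domain as an aligned window of a constructed address space and confines every guest data access and indirect jump before it takes effect. Both the check-based form (report whether an address is inside the region) and the mask-based form (force the address into the region with bit operations) are shown; region size, bundle size and base addresses are constructed values.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sandbox geometry: a region of 2^12 bytes whose base is
 * aligned to its size, so "inside the region" is just "high bits equal base". */
#define SFI_REGION_BITS   12u
#define SFI_REGION_SIZE   ((uintptr_t)1 << SFI_REGION_BITS)   /* 4 KiB */
#define SFI_OFFSET_MASK   (SFI_REGION_SIZE - 1)              /* low 12 bits */
#define SFI_BUNDLE_BYTES  ((uintptr_t)32)                    /* indirect jump targets land on bundle starts */

/* Check-based variant: a guard that reports whether addr is inside [base, base+size). */
int sfi_in_region(uintptr_t base, uintptr_t addr)
{
    return addr >= base && addr < base + SFI_REGION_SIZE;
}

/* Mask-based variant for data accesses: keep the in-region offset, replace the
 * high bits with the region base. In-bounds addresses pass through unchanged;
 * out-of-bounds addresses are remapped into the region instead of faulting. */
uintptr_t sfi_confine_data(uintptr_t base, uintptr_t addr)
{
    return base | (addr & SFI_OFFSET_MASK);
}

/* Mask-based variant for indirect control transfers: additionally clear the
 * low bits so the target is bundle-aligned and cannot land in the middle of
 * an instruction sequence (e.g. between a confinement step and its access). */
uintptr_t sfi_confine_jump(uintptr_t code_base, uintptr_t target)
{
    return code_base | (target & SFI_OFFSET_MASK & ~(SFI_BUNDLE_BYTES - 1));
}

struct sfi_sandbox {
    uintptr_t data_base;              /* aligned to SFI_REGION_SIZE */
    uintptr_t code_base;              /* aligned to SFI_REGION_SIZE */
    uint8_t   data[SFI_REGION_SIZE];  /* backing store for the simulated data region */
    unsigned  redirected;             /* number of accesses confinement had to rewrite */
};

/* Returns 0 if either base is not aligned to the region size. */
int sfi_init(struct sfi_sandbox *sb, uintptr_t data_base, uintptr_t code_base)
{
    if ((data_base & SFI_OFFSET_MASK) || (code_base & SFI_OFFSET_MASK))
        return 0;
    memset(sb, 0, sizeof *sb);
    sb->data_base = data_base;
    sb->code_base = code_base;
    return 1;
}

/* A sandboxed store as the rewritten instruction sequence performs it:
 * confine first, then access. Returns 1 if the address had to be rewritten. */
int sfi_store8(struct sfi_sandbox *sb, uintptr_t addr, uint8_t value)
{
    uintptr_t confined = sfi_confine_data(sb->data_base, addr);
    sb->data[confined - sb->data_base] = value;
    if (confined != addr) {
        sb->redirected++;
        return 1;
    }
    return 0;
}

uint8_t sfi_load8(const struct sfi_sandbox *sb, uintptr_t addr)
{
    uintptr_t confined = sfi_confine_data(sb->data_base, addr);
    return sb->data[confined - sb->data_base];
}

/* Constructed guest behaviour: one in-bounds store, one store far outside the
 * region, one store to the region's last byte. Returns
 * (rewritten_count << 8) | byte observed at guest address 0x20010 afterwards. */
unsigned sfi_demo(void)
{
    static struct sfi_sandbox sb;
    if (!sfi_init(&sb, 0x20000, 0x10000))
        return (unsigned)-1;
    sfi_store8(&sb, 0x20010, 0xAA);     /* in bounds: offset 0x010 */
    sfi_store8(&sb, 0x7fff0010, 0xBB);  /* out of bounds: remapped onto offset 0x010 */
    sfi_store8(&sb, 0x20FFF, 0xCC);     /* in bounds: last byte of the region */
    return (sb.redirected << 8) | sfi_load8(&sb, 0x20010);
}

int main(void)
{
    unsigned r = sfi_demo();
    printf("accesses rewritten: %u, byte at 0x20010: 0x%02X\n", r >> 8, r & 0xFF);
    printf("jump 0x10047 confined to 0x%lX\n",
           (unsigned long)sfi_confine_jump(0x10000, 0x10047));
    return 0;
}
```

The out-of-range store does not crash the simulated host: masking turns it into a store inside the sandbox, which is exactly the trade-off between the check-and-fault and the mask-and-continue styles of enforcement that the monograph's enforcement chapter is about.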
