Joshua Kroll will present his research seminar/general exam on Friday May 13

at 10 AM in Room 302 (note room!).  The members of his committee are:  Ed

Felten 9advisor), Andrew Appel, and Mike Freedman.  Everyone is welcome to

attend his talk, and those faculty wishing to remain for the oral exam following

are welcome to do so.  His abstract and reading list follow below.

--------------------------------------

 

Title:

Portable, Verifiable Low-Level Memory Safety

 

Abstract

Operating systems can provide isolation between different programs

running on the same computer. How- ever, this protection is too coarse

or too slow for large applications with extensible functionality, such

as browsers, database and web servers, device drivers, and document

editors. It is thus necessary to have ro- bust, trustworthy

protections that are valid below the process abstraction provided by

the operating system. Here, we present two results in the area of

Software Fault Isolation (SFI), a mechanism for just this sort of

protection.

First, we present BakerSFIeld, an SFI framework [1, 2, 3] for the x64

instruction set architecture [4]. SFI is an increasingly widely-used

sub-process sandboxing technique in which applications are rewritten

using special code-generation tools and augmented with dynamic guards

that ensure policy compliance with minimal overhead. BakerSFIeld is

derived from PittSFIeld [2], and retains the assembly language

rewriting style of its predecessor. We measure the performance of

BakerSFIeld on a modern 64-bit desktop machine and determine that it

has significantly lower overhead than its 32-bit cousin.

But such a scheme is not useful for security unless we are sure that

its implementation can be trusted. Thus, we present a novel formally

verified sandboxing solution built on top of the CompCert C compiler

[9]. This tool generates sandboxed code by rewriting abstract syntax

inside CompCert to ensure that all generated code complies with the

sandboxing policy. Through a combination of static analysis and

dynamic checking, we provide code which is provably policy-compliant

at runtime but remains true to the SFI philosophy of

ensure-don't-check. As traditional SFI makes use of very concrete

aspects of a system's address structure for security, our most

surprising result is that an SFI system can also be implemented in

CompCert's more abstract setting.

 

Reading List-Papers

[1] R. Wahbe, S. Lucco, T. Anderson, and S. Graham, "Efficient

software-based fault isolation", in Proceedings of the Fourteenth

ACM symposium on Operating systems principles.        ACM, 1994, p. 216.

[2] S. McCamant and G. Morrisett, "Evaluating SFI for a CISC

architecture", in 15th USENIX Security Symposium, 2006, pp. 209-224.

[3] B. Yee, D. Sehr, G. Dardyk, J. Chen, R. Muth, T. Ormandy, S.

Okasaka, N. Narula, and N. Fullagar, "Native client: A sandbox for

portable, untrusted x86 native code", in Proceedings of the IEEE

Symposium on Security and Privacy, 2009.

[4] D. Sehr, R. Muth, C. Biffle, V. Khimenko, E. Pasko, K. Schimpf, B.

Yee, and B. Chen. Adapting software fault isolation to contemporary

CPU architectures. In Proceedings of USENIX Security, pages 1-11,

2010.

[5] J.R. Douceur, J. Elson, J. Howell, and J.R. Lorch. Leveraging

legacy code to deploy desktop applications on the web. In Proceedings

of the 2008 Symposium on Operating System Design and Implementation,

December 2008.

[6] B.N. Bershad, S. Savage, P. Pardyak, E.G. Sirer, M.E. Fiuczynski,

D. Becker, C. Chambers, and S. Eggers. Extensibility safety and

performance in the SPIN operating system. In ACM SIGOPS Operating

Systems Review, volume 29, pages 267-283. ACM, 1995.

[7] G.C. Necula and P. Lee. Safe kernel extensions without run-time

checking. In Proceedings of the Second Symposium on Operating Systems

Design and Implementation. USENIX, 1996.

[8] Andrew W. Appel. Foundational proof-carrying code. In Proceedings

of the IEEE Symposium on Logic in Computer Science. IEEE Computer

Society, 2001.

[9] X. Leroy. A formally verified compiler back-end. Journal of

Automated Reasoning, 43(4):363-446, 2009.

[10] F.B. Schneider, G. Morrisett, and R. Harper. A Language-Based

Approach to Security. 2000.

 

Reading List-Textbooks

[1] Ross Anderson. Security Engineering: A Guide to Building

Dependable Distributed Systems, Second Edition. Wiley Publishing,

Inc., 2008.

[2] Benjamin C. Pierce. Types and Programming Languages. The MIT Press, 2002.