We gratefully acknowledge support from
the Simons Foundation and member institutions.
Full-text links:

Download:

Current browse context:

cs.CR

Change to browse by:

cs

References & Citations

DBLP - CS Bibliography

Bookmark

(what is this?)
CiteULike logo BibSonomy logo Mendeley logo del.icio.us logo Digg logo Reddit logo ScienceWISE logo

Computer Science > Cryptography and Security

Title: Isolation Without Taxation: Near Zero Cost Transitions for SFI

Abstract: Almost all SFI systems use heavyweight transitions that incur significant performance overhead from saving and restoring registers when context switching between application and sandbox code. We identify a set of zero-cost conditions that characterize when sandboxed code is well-structured enough so that security can be guaranteed via lightweight zero-cost transitions. We show that using WebAssembly (Wasm) as an intermediate representation for low-level code naturally results in a SFI transition system with zero-cost transitions, and modify the Lucet Wasm compiler and its runtime to use zero-cost transitions. Our modifications speed up font and image rendering in Firefox by up to 29.7% and 10% respectively. We also describe a new purpose-built fast SFI system, SegmentZero32, that uses x86 segmentation and LLVM with mostly off-the-shelf passes to enforce our zero-cost conditions. While this enforcement incurs some runtime cost within the sandboxed code, we find that, on Firefox image and font rendering benchmarks, the time saved per transition allows SegmentZero32 to outperform even an idealized hardware isolation system where memory isolation incurs zero performance overhead but the use of heavyweight transitions is required.
Subjects: Cryptography and Security (cs.CR)
Cite as: arXiv:2105.00033 [cs.CR]
  (or arXiv:2105.00033v1 [cs.CR] for this version)

Submission history

From: Matthew Kolosick [view email]
[v1] Fri, 30 Apr 2021 18:21:32 GMT (1847kb,D)

Link back to: arXiv, form interface, contact.