Adapting Software Fault Isolation to Contemporary CPU Architectures
Venue
19th USENIX Security Symposium, USENIX (2010), pp. 1-11
Publication Year
2010
Authors
David Sehr, Robert Muth, Cliff L. Biffle, Victor Khimenko, Egor Pasko, Bennet Yee, Karl Schimpf, Brad Chen
Abstract
Software Fault Isolation (SFI) is an effective approach to sandboxing binary code of questionable provenance, a use case that arises with native plugins in a Web browser. We present software fault isolation schemes for ARM and x86-64 that provide control-flow and memory integrity with an average performance overhead of under 5% on ARM and 7% on x86-64. We believe these are the best known SFI implementations for these architectures, with significantly lower overhead than previous systems for similar architectures. Our experience suggests that these SFI implementations benefit from instruction-level parallelism and have a particularly small impact on workloads that are data-memory-bound, both properties that tend to reduce the cost of our SFI systems on future CPU implementations.
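The two guarantees the abstract names, memory integrity and control-flow integrity, both rest on the same SFI idea: untrusted code is rewritten so that every store and every indirect branch is preceded by a masking instruction that forces the address into the sandbox region, and a small static verifier at load time checks that no store or indirect branch escapes that discipline. The following C program is an added illustration of that general SFI technique; it is not the paper's ARM or x86-64 scheme and is not code from the authors. The 4 KiB sandbox, the 32-byte bundle alignment for branch targets, and the toy one-byte opcode set are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed geometry for this illustration only: a 4 KiB data region and
 * 32-byte instruction bundles. Real SFI deployments use far larger regions. */
#define SANDBOX_BITS 12u
#define SANDBOX_SIZE (1u << SANDBOX_BITS)
#define SANDBOX_MASK (SANDBOX_SIZE - 1u)
#define BUNDLE_BITS  5u
#define BUNDLE_MASK  ((1u << BUNDLE_BITS) - 1u)

static uint8_t sandbox[SANDBOX_SIZE];

/* Data sandboxing: the untrusted offset is masked before use, so the store
 * can only land inside `sandbox`, whatever value the untrusted code computed.
 * Returns the effective in-sandbox offset. */
unsigned sfi_store(uintptr_t untrusted_off, uint8_t value) {
    unsigned off = (unsigned)(untrusted_off & SANDBOX_MASK);
    sandbox[off] = value;
    return off;
}

uint8_t sfi_load(uintptr_t untrusted_off) {
    return sandbox[untrusted_off & SANDBOX_MASK];
}

/* Control-flow sandboxing: an indirect branch target is masked into the
 * sandbox and aligned to a bundle boundary, so untrusted code can neither
 * jump outside the region nor land in the middle of an instruction sequence. */
uintptr_t sfi_branch_target(uintptr_t untrusted_target) {
    return (untrusted_target & SANDBOX_MASK) & ~(uintptr_t)BUNDLE_MASK;
}

/* Toy instruction stream, one byte per instruction (assumed encoding). */
enum { OP_NOP = 0, OP_MASK = 1, OP_STORE = 2, OP_JMPI = 3, OP_ADD = 4 };

/* Static verifier: every store and indirect jump must be immediately
 * preceded by the masking instruction, so nothing can modify the address
 * between the mask and its use. This load-time check is what lets a host
 * trust code it did not compile. Returns -1 if the stream is safe, else the
 * index of the first unguarded store or indirect jump. */
long sfi_verify(const uint8_t *code, size_t len) {
    for (size_t i = 0; i < len; i++) {
        uint8_t op = code[i];
        if (op == OP_STORE || op == OP_JMPI) {
            if (i == 0 || code[i - 1] != OP_MASK)
                return (long)i;
        }
    }
    return -1;
}

int main(void) {
    /* Constructed inputs: an out-of-range offset and two toy code streams. */
    unsigned off = sfi_store(0x12345u, 0xAB);
    printf("store to 0x12345 folded into sandbox offset 0x%x, value 0x%02x\n",
           off, sfi_load(off));
    printf("indirect target 0x12345 rewritten to 0x%lx\n",
           (unsigned long)sfi_branch_target(0x12345u));

    const uint8_t good[] = { OP_ADD, OP_MASK, OP_STORE, OP_NOP, OP_MASK, OP_JMPI };
    const uint8_t bad[]  = { OP_MASK, OP_STORE, OP_ADD, OP_JMPI };
    printf("verify(good) = %ld\n", sfi_verify(good, sizeof good));
    printf("verify(bad)  = %ld\n", sfi_verify(bad, sizeof bad));
    return 0;
}
```

The verifier rejects the second stream because its indirect jump at index 3 follows an ADD rather than a MASK; an attacker who could slip an unmasked branch past the check would escape the sandbox, which is why the rewriter and the verifier are separate and only the verifier needs to be trusted.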
