Evaluating SFI for a CISC Architecture

Download: PDF, PostScript.

“Evaluating SFI for a CISC Architecture” by Stephen McCamant and Greg Morrisett. In 15th USENIX Security Symposium, (Vancouver, BC, Canada), August 2-4, 2006, pp. 209-224.
A previous version appeared as “Efficient, verifiable binary sandboxing for a CISC architecture” by Stephen McCamant and Greg Morrisett. MIT Computer Science and Artificial Intelligence Laboratory technical report 2005-030, (Cambridge, MA), May 2005. (also MIT LCS TR #988).


Executing untrusted code while preserving security requires that the code be prevented from modifying memory or executing code except as explicitly allowed. Software-based fault isolation (SFI) or “sandboxing” enforces such a policy by rewriting the untrusted code at the instruction level. However, the original sandboxing technique of Wahbe et al. is applicable only to RISC architectures, and most other previous work is either insecure, or has been not described in enough detail to give confidence in its security properties. We present a new sandboxing technique that can be applied to a CISC architecture like the IA-32, and whose application can be checked at load-time to minimize the TCB. We describe an implementation which provides a robust security guarantee and has low runtime overheads (an average of 21% on the SPECint2000 benchmarks). We evaluate the utility of the technique by applying it to untrusted decompression modules in an archive tool, and its safety by constructing a machine-checked proof that any program approved by the verification algorithm will respect the desired safety property.

Download: PDF, PostScript.

BibTeX entry:

   author = {Stephen McCamant and Greg Morrisett},
   title = {Evaluating {SFI} for a {CISC} Architecture},
   booktitle = {15th USENIX Security Symposium},
   pages = {209--224},
   address = {Vancouver, BC, Canada},
   month = {August~2--4,},
   year = {2006}

(This webpage was created with bibtex2web.)

Back to Program Analysis Group publications.