RockSalt: Better, Faster, Stronger SFI for the x86

被引:81
作者
Morrisett, Greg [1 ]
Tan, Gang [2 ]
Tassarotti, Joseph [1 ]
Tristan, Jean-Baptiste [1 ]
Gan, Edward [1 ]
机构
[1] Harvard Univ, Cambridge, MA 02138 USA
[2] Lehigh Univ, Bethlehem, PA USA
来源
ACM SIGPLAN NOTICES | 2012年 / 47卷 / 06期
关键词
security; verification; software fault isolation; domain-specific languages; DERIVATIVES; SEMANTICS;
D O I
10.1145/2345156.2254111
中图分类号
TP31 [计算机软件];
学科分类号
081202 ; 0835 ;
摘要
Software-based fault isolation (SFI), as used in Google's Native Client (NaCl), relies upon a conceptually simple machine-code analysis to enforce a security policy. But for complicated architectures such as the x86, it is all too easy to get the details of the analysis wrong. We have built a new checker that is smaller, faster, and has a much reduced trusted computing base when compared to Google's original analysis. The key to our approach is automatically generating the bulk of the analysis from a declarative description which we relate to a formal model of a subset of the x86 instruction set architecture. The x86 model, developed in Coq, is of independent interest and should be usable for a wide range of machine-level verification tasks.
引用
收藏
页码:395 / 404
页数:10
相关论文
共 36 条
[1]  
Alglave Jade, 2009, P 4 WORKSH DECL ASP, P13, DOI DOI 10.1145/1481839.1481842
[2]  
Almeida J. B., 2010, REVISED SELECTED PAP, P59
[3]  
[Anonymous], P 14 ACM S OP SYST P
[4]  
[Anonymous], 1989, COQ PROOF ASSISTANT
[5]  
Barthwal A, 2009, LECT NOTES COMPUT SC, V5502, P160, DOI 10.1007/978-3-642-00590-9_12
[6]   DERIVATIVES OF REGULAR EXPRESSIONS [J].
BRZOZOWSKI, JA .
JOURNAL OF THE ACM, 1964, 11 (04) :481-&
[7]   A Verified Compiler for an Impure Functional Language [J].
Chlipala, Adam .
ACM SIGPLAN NOTICES, 2010, 45 (01) :93-106
[8]  
Cock D., 2010, P 5 INT C SYST SOFTW, P6
[9]  
Cohen E, 2009, LECT NOTES COMPUT SC, V5674, P23, DOI 10.1007/978-3-642-03359-9_2
[10]  
Correnson L., WP PLUG IN MANUAL
1234