Software Fault Isolation (SFI) is an effective sandboxing technique that prevents potentially vulnerable code from impacting the rest of the system. SFI requires an effective Control Flow Integrity (CFI) mechanism to ensure the proper enforcement of isolation. However, existing SFI schemes often use coarse-grained CFI or assume sufficient CFI protection, lacking effective implementation and thorough evaluation of CFI. SFIs relying on hardware-assisted CFI are also constrained by platform-specific limitations. We propose an architecture-neutral SFI with fine-grained CFI, achieving run-time security for sandboxed programs at a 21.9% performance overhead, suitable for high-security scenarios such as confidential computing in IoT and cloud environments. Our approach enhances the isolation of confidential workloads while enabling attestable run-time security guarantees.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Att-SFI: Attestable Software Sandboxing with Control Flow Integrity

  • Wei Li,
  • Wei Feng,
  • Yu Qin,
  • Zeyu Gu

摘要

Software Fault Isolation (SFI) is an effective sandboxing technique that prevents potentially vulnerable code from impacting the rest of the system. SFI requires an effective Control Flow Integrity (CFI) mechanism to ensure the proper enforcement of isolation. However, existing SFI schemes often use coarse-grained CFI or assume sufficient CFI protection, lacking effective implementation and thorough evaluation of CFI. SFIs relying on hardware-assisted CFI are also constrained by platform-specific limitations. We propose an architecture-neutral SFI with fine-grained CFI, achieving run-time security for sandboxed programs at a 21.9% performance overhead, suitable for high-security scenarios such as confidential computing in IoT and cloud environments. Our approach enhances the isolation of confidential workloads while enabling attestable run-time security guarantees.