Enforcing systems compartmentalization through hardware-software co-design
Event details
| Date | 16.08.2022 |
| Hour | 10:00 › 12:00 |
| Speaker | Andrés SÁNCHEZ MARÍN |
| Location | |
| Category | Conferences - Seminars |
EDIC candidacy exam
Exam president: Prof. Edouard Bugnion
Thesis advisor: Prof. Mathias Payer
Co-examiner: Prof. James Larus
Abstract
There is a lack of consolidation for a robust and efficient method that restricts a software system's vulnerability to trigger the whole system's security. A solution is to isolate potential compromised system components in compartments, trimming the vulnerabilities' effects to the compartment they belong to. Resulting isolation should be applicable at all sorts of granularity, embracing the hardware-provided capabilities and designing the resulting software by satisfying the hardware limitations.
In this work we explore the program's compartmentalization problem through three papers in two directions: the requirements to address effective division while minimizing its cost, and the analysis required when partitioning a program including how to pass data through compartment boundaries. Enclosure employs a generic programming language isolation policy under which the programmer has the power to determine the compartments. PtrSplit presents a policy at the language level with an implementation fulfilling the limitations of raw pointers. ERIM focuses on the switching mechanism and the mandatory code transformations to encompass it. We categorize the previous work's shortcomings and examine how to isolate process stack frames as a proof of concept of compartmentalization aided by hardware-software co-design.
Background papers
- Enclosure: language-based restriction of untrusted libraries:https://dl.acm.org/doi/10.1145/3445814.3446728
- PtrSplit: Supporting General Pointers in Automatic Program Partitioning: https://dl.acm.org/doi/10.1145/3133956.3134066
- ERIM: Secure, Efficient In-process Isolation with Protection Keys (MPK): https://www.usenix.org/system/files/sec19-vahldiek-oberwagner_0.pdf
Exam president: Prof. Edouard Bugnion
Thesis advisor: Prof. Mathias Payer
Co-examiner: Prof. James Larus
Abstract
There is a lack of consolidation for a robust and efficient method that restricts a software system's vulnerability to trigger the whole system's security. A solution is to isolate potential compromised system components in compartments, trimming the vulnerabilities' effects to the compartment they belong to. Resulting isolation should be applicable at all sorts of granularity, embracing the hardware-provided capabilities and designing the resulting software by satisfying the hardware limitations.
In this work we explore the program's compartmentalization problem through three papers in two directions: the requirements to address effective division while minimizing its cost, and the analysis required when partitioning a program including how to pass data through compartment boundaries. Enclosure employs a generic programming language isolation policy under which the programmer has the power to determine the compartments. PtrSplit presents a policy at the language level with an implementation fulfilling the limitations of raw pointers. ERIM focuses on the switching mechanism and the mandatory code transformations to encompass it. We categorize the previous work's shortcomings and examine how to isolate process stack frames as a proof of concept of compartmentalization aided by hardware-software co-design.
Background papers
- Enclosure: language-based restriction of untrusted libraries:https://dl.acm.org/doi/10.1145/3445814.3446728
- PtrSplit: Supporting General Pointers in Automatic Program Partitioning: https://dl.acm.org/doi/10.1145/3133956.3134066
- ERIM: Secure, Efficient In-process Isolation with Protection Keys (MPK): https://www.usenix.org/system/files/sec19-vahldiek-oberwagner_0.pdf
Practical information
- General public
- Free