Cali: Compiler Assisted Library Isolation

Bauer, Markus and Rossow, Christian
(2021) Cali: Compiler Assisted Library Isolation.
In: AsiaCCS 2021, 7-11 Jun 2021, Hong Kong, Hong Kong.
Conference: ASIACCS ACM ASIA Conference on Computer and Communications Security
(In Press)

Abstract

Software libraries can freely access the program's entire address space, and also inherit its system-level privileges. This lack of separation regularly leads to security-critical incidents once libraries contain vulnerabilities or turn rogue. We present Cali, a compiler-assisted library isolation system that fully automatically shields a program from a given library. Cali is fully compatible with mainline Linux and does not require supervisor privileges to execute. We compartmentalize libraries into their own process with well-defined security policies. To preserve the functionality of the interactions between program and library, Cali uses a Program Dependence Graph to track data flow between the program and the library during link time. We evaluate our open-source prototype against three popular libraries: Ghostscript, OpenSSL, and SQLite. Cali successfully reduced the amount of memory that is shared between the program and library to 0.08% (ImageMagick) - 0.4% (Socat), while retaining an acceptable program performance.
