(2021) Cali: Compiler Assisted Library Isolation.
Abstract
Software libraries can freely access the program's entire address space, and also inherit its system-level privileges. This lack of separation regularly leads to security-critical incidents once libraries contain vulnerabilities or turn rogue. We present Cali, a compiler-assisted library isolation system that fully automatically shields a program from a given library. Cali is fully compatible with mainline Linux and does not require supervisor privileges to execute. We compartmentalize libraries into their own process with well-defined security policies. To preserve the functionality of the interactions between program and library, Cali uses a Program Dependence Graph to track data flow between the program and the library during link time. We evaluate our open-source prototype against three popular libraries: Ghostscript, OpenSSL, and SQLite. Cali successfully reduced the amount of memory that is shared between the program and library to 0.08% (ImageMagick) - 0.4% (Socat), while retaining an acceptable program performance.
Item Type: | Conference or Workshop Item (A Paper) (Paper) |
---|---|
Uncontrolled Keywords: | Library Isolation, Memory Isolation, Privilege Separation, Program Dependence Graph, Compiler, LLVM, Cali |
Divisions: | Christian Rossow (System Security Group, SysSec) |
Conference: | ASIACCS ACM ASIA Conference on Computer and Communications Security |
Depositing User: | Markus Bauer |
Date Deposited: | 05 Mar 2021 11:38 |
Last Modified: | 05 Mar 2021 12:16 |
Primary Research Area: | NRA3: Threat Detection and Defenses |
URI: | https://publications.cispa.saarland/id/eprint/3382 |