Isolation without taxation: near-zero-cost transitions for WebAssembly and SFI
Software sandboxing or software-based fault isolation (SFI) is a lightweight approach to building secure systems out of untrusted components. Mozilla, for example, uses SFI to harden the Firefox browser by sandboxing third-party libraries, and companies like Fastly and Cloudflare use SFI to safely c...
Saved in:
Published in: | Proceedings of ACM on programming languages 2022-01, Vol.6 (POPL), p.1-30 |
---|---|
Main authors: | Kolosick, Matthew; Narayan, Shravan; Johnson, Evan; Watt, Conrad; LeMay, Michael; Garg, Deepak; Jhala, Ranjit; Stefan, Deian |
Format: | Article |
Language: | eng |
Online access: | Full text |
container_end_page | 30 |
---|---|
container_issue | POPL |
container_start_page | 1 |
container_title | Proceedings of ACM on programming languages |
container_volume | 6 |
creator | Kolosick, Matthew; Narayan, Shravan; Johnson, Evan; Watt, Conrad; LeMay, Michael; Garg, Deepak; Jhala, Ranjit; Stefan, Deian |
description | Software sandboxing or software-based fault isolation (SFI) is a lightweight approach to building secure systems out of untrusted components. Mozilla, for example, uses SFI to harden the Firefox browser by sandboxing third-party libraries, and companies like Fastly and Cloudflare use SFI to safely co-locate untrusted tenants on their edge clouds. While there have been significant efforts to optimize and verify SFI enforcement, context switching in SFI systems remains largely unexplored: almost all SFI systems use *heavyweight transitions* that are not only error-prone but incur significant performance overhead from saving, clearing, and restoring registers when context switching. We identify a set of *zero-cost conditions* that characterize when sandboxed code has sufficient structure to guarantee security via lightweight *zero-cost* transitions (simple function calls). We modify the Lucet Wasm compiler and its runtime to use zero-cost transitions, eliminating the undue performance tax on systems that rely on Lucet for sandboxing (e.g., we speed up image and font rendering in Firefox by up to 29.7% and 10% respectively). To remove the Lucet compiler and its correct implementation of the Wasm specification from the trusted computing base, we (1) develop a *static binary verifier*, VeriZero, which (in seconds) checks that binaries produced by Lucet satisfy our zero-cost conditions, and (2) prove the soundness of VeriZero by developing a logical relation that captures when a compiled Wasm function is semantically well-behaved with respect to our zero-cost conditions. Finally, we show that our model is useful beyond Wasm by describing a new, purpose-built SFI system, SegmentZero32, that uses x86 segmentation and LLVM with mostly off-the-shelf passes to enforce our zero-cost conditions; our prototype performs on-par with the state-of-the-art Native Client SFI system. |
doi_str_mv | 10.1145/3498688 |
format | Article |
fulltext | fulltext |
identifier | ISSN: 2475-1421 |
ispartof | Proceedings of ACM on programming languages, 2022-01, Vol.6 (POPL), p.1-30 |
issn | 2475-1421 2475-1421 |
language | eng |
recordid | cdi_crossref_primary_10_1145_3498688 |
source | ACM Digital Library; Elektronische Zeitschriftenbibliothek - Frei zugängliche E-Journals |
title | Isolation without taxation: near-zero-cost transitions for WebAssembly and SFI |
url | https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2025-02-19T09%3A24%3A50IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-crossref&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.genre=article&rft.atitle=Isolation%20without%20taxation:%20near-zero-cost%20transitions%20for%20WebAssembly%20and%20SFI&rft.jtitle=Proceedings%20of%20ACM%20on%20programming%20languages&rft.au=Kolosick,%20Matthew&rft.date=2022-01-01&rft.volume=6&rft.issue=POPL&rft.spage=1&rft.epage=30&rft.pages=1-30&rft.issn=2475-1421&rft.eissn=2475-1421&rft_id=info:doi/10.1145/3498688&rft_dat=%3Ccrossref%3E10_1145_3498688%3C/crossref%3E%3Curl%3E%3C/url%3E&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_id=info:pmid/&rfr_iscdi=true |