Byte SFI

Reference:

  • Miguel Castro, Manuel Costa, Jean-Philippe Martin, Marcus Peinado, Periklis Akritidis, Austin Donnelly, Paul Barham, and Richard Black. Fast Byte-Granularity Software Fault Isolation. SOSP, 2009.

Byte-Granularity Isolation (BGI) is implemented as a compiler plug-in that generates instrumented code for kernel extensions, and an interposition library that mediates communication between the extensions and the kernel.

  • BGI runs extensions in separate protection domains that share the same address space, so isolation does not depend on separate page tables or address-space switches.
  • It associates an access control list (ACL) with each byte of virtual memory that lists the domains that can access the byte and how they can access it (e.g. read, write, or ownership of the allocation).
  • Access rights are granted and revoked by code inserted by the BGI compiler and by the interposition library, according to the semantics of the kernel API being invoked (for example, an allocation grants the calling domain rights to exactly the bytes returned, and a free revokes them).
  • Protection is enforced by inline checks inserted by the BGI compiler before memory accesses in extension code, and by checks performed by the interposition library on the arguments extensions pass to the kernel.

  • Because rights are tracked per byte and revoked on free, BGI also ensures type safety for kernel objects, and it can detect common types of errors inside domains (buffer overruns, use after free, double free) rather than only cross-domain corruption.
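The mechanism described in the bullets above, as an added example that is not code from the BGI paper: a small C model of a per-byte rights table over a simulated address space, with the grant/revoke operations an interposition library would perform on allocation and free, and the inline check a compiler would insert before each extension memory access. The domain numbering, the `R_READ`/`R_WRITE`/`R_OWN` bitmask and the `lib_alloc`/`lib_free` wrappers are assumptions made for this example; the paper's actual rights-table encoding is more compact than a full bitmask per domain per byte, which this model keeps only so that the "ACL per byte" wording is literal.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Illustrative model of BGI-style per-byte ACLs (added example, not the
 * paper's implementation). A MEM_SIZE-byte simulated address space is shared
 * by MAX_DOMAINS protection domains; domain 0 is the (uninstrumented) kernel. */
#define MEM_SIZE      256
#define MAX_DOMAINS   4
#define KERNEL_DOMAIN 0u

enum { R_READ = 1, R_WRITE = 2, R_OWN = 4 };   /* assumed rights encoding */

static uint8_t mem[MEM_SIZE];               /* simulated memory contents */
static uint8_t acl[MEM_SIZE][MAX_DOMAINS];  /* acl[byte][domain] = rights bitmask */
static size_t  brk_off;                     /* bump-allocator cursor for the "pool" */
static int     faults;                      /* accesses denied so far */

void bgi_reset(void) {
    memset(mem, 0, sizeof mem);
    memset(acl, 0, sizeof acl);
    brk_off = 0;
    faults = 0;
}

/* Grant or revoke rights on [addr, addr+len) for one domain. In BGI this is
 * done by compiler-inserted code and by the interposition library according
 * to the semantics of the kernel API being called. */
void bgi_grant(unsigned dom, size_t addr, size_t len, uint8_t rights) {
    for (size_t i = addr; i < addr + len && i < MEM_SIZE; i++) acl[i][dom] |= rights;
}
void bgi_revoke(unsigned dom, size_t addr, size_t len) {
    for (size_t i = addr; i < addr + len && i < MEM_SIZE; i++) acl[i][dom] = 0;
}

/* The inline check the compiler inserts before every memory access in
 * instrumented extension code. Every byte of the range must carry the
 * right, so a one-byte overrun past an allocation fails. Returns 1 if the
 * access is allowed, 0 (and counts a fault) otherwise. */
int bgi_check(unsigned dom, size_t addr, size_t len, uint8_t right) {
    if (dom == KERNEL_DOMAIN) return 1;     /* kernel code is trusted, not instrumented */
    if (dom >= MAX_DOMAINS || len == 0 || addr + len > MEM_SIZE) { faults++; return 0; }
    for (size_t i = addr; i < addr + len; i++)
        if ((acl[i][dom] & right) == 0) { faults++; return 0; }
    return 1;
}

/* Instrumented memory accesses: check first, then perform the access. */
int bgi_write(unsigned dom, size_t addr, const void *src, size_t len) {
    if (!bgi_check(dom, addr, len, R_WRITE)) return 0;
    memcpy(mem + addr, src, len);
    return 1;
}
int bgi_read(unsigned dom, size_t addr, void *dst, size_t len) {
    if (!bgi_check(dom, addr, len, R_READ)) return 0;
    memcpy(dst, mem + addr, len);
    return 1;
}

/* Interposition-library wrappers around a pool allocator (hypothetical names).
 * Allocation grants the caller read, write and ownership of exactly the bytes
 * returned; free requires ownership and revokes every domain's rights, so a
 * later access through a dangling pointer, or a second free, is denied. */
int lib_alloc(unsigned dom, size_t len, size_t *out_addr) {
    if (dom >= MAX_DOMAINS || len == 0 || brk_off + len > MEM_SIZE) return 0;
    *out_addr = brk_off;
    brk_off += len;
    bgi_grant(dom, *out_addr, len, R_READ | R_WRITE | R_OWN);
    return 1;
}
int lib_free(unsigned dom, size_t addr, size_t len) {
    if (!bgi_check(dom, addr, len, R_OWN)) return 0;  /* not the owner, or already freed */
    for (unsigned d = 0; d < MAX_DOMAINS; d++) bgi_revoke(d, addr, len);
    return 1;
}

/* Walk through the cases the bullets describe; returns the number of denied
 * accesses (constructed scenario, expected to be 5). */
int bgi_demo(void) {
    size_t  buf = 0;
    uint8_t tmp[8] = {0};
    bgi_reset();
    lib_alloc(1, 16, &buf);                    /* extension A allocates 16 bytes   */
    bgi_write(1, buf, "hello", 5);             /* A writes its own buffer: allowed */
    bgi_write(2, buf, "evil", 4);              /* extension B writes A's buffer: fault 1 */
    bgi_write(1, buf + 12, "xxxxxxxx", 8);     /* A overruns by 4 bytes: fault 2   */
    bgi_grant(2, buf, 4, R_READ);              /* A shares 4 bytes read-only with B */
    bgi_read(2, buf, tmp, 4);                  /* B reads the shared bytes: allowed */
    bgi_read(2, buf, tmp, 8);                  /* B reads past them: fault 3       */
    lib_free(1, buf, 16);                      /* A frees the buffer               */
    bgi_write(1, buf, "uaf", 3);               /* A writes via dangling pointer: fault 4 */
    lib_free(1, buf, 16);                      /* double free: fault 5             */
    return faults;
}
```

The point of the model is that the same check catches cross-domain writes, intra-domain overruns and use after free, because granting and revoking rights follows the semantics of the allocation API rather than page boundaries.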

Evaluation

Created Oct 12, 2019 // Last Updated Jul 18, 2021
