research-article

Cali: Compiler-Assisted Library Isolation

Authors:

Markus Bauer,

Christian RossowAuthors Info & Claims

ASIA CCS '21: Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security

Pages 550 - 564

https://doi.org/10.1145/3433210.3453111

Published: 04 June 2021 Publication History

Get Access

Abstract

Software libraries can freely access the program's entire address space, and also inherit its system-level privileges. This lack of separation regularly leads to security-critical incidents once libraries contain vulnerabilities or turn rogue. We present Cali, a compiler-assisted library isolation system that fully automatically shields a program from a given library. Cali is fully compatible with mainline Linux and does not require supervisor privileges to execute. We compartmentalize libraries into their own process with well-defined security policies. To preserve the functionality of the interactions between program and library, Cali uses a Program Dependence Graph to track data flow between the program and the library during link time. We evaluate our open-source prototype against three popular libraries: Ghostscript, OpenSSL, and SQLite. Cali successfully reduced the amount of memory that is shared between the program and library to 0.08% (ImageMagick) - 0.4% (Socat), while retaining an acceptable program performance.

Supplementary Material

MP4 File (ASIA-CCS21-fp248.mp4)

Software libraries can freely access the program?s entire address space, and also inherit its system-level privileges. This lack of separation regularly leads to security-critical incidents once libraries contain vulnerabilities or turn rogue. In this talk we present Cali, a compiler assisted library isolation system that fully automatically shields a program from a given library. Cali is fully compatible with mainline Linux and does not require supervisor privileges to execute. We compartmentalize libraries into their own process with well-defined security policies. To preserve the functionality of the interactions between program and library, Cali uses a Data Dependence Graph to track data flow between the program and the library during link time. Cali is almost fully automated, even developers that are not familiar with tool and program can isolate libraries in less than 45 minutes, making library isolation available to the masses.

Download
133.68 MB

References

[1]

Bill Allombert. 2020. Debian Popularity Contest. https://popcon.debian.org/stable/by_vote

Abstract

Supplementary Material

References

Cited By

Index Terms

Recommendations

Hardware-assisted Isolation in a Multi-tenant Function-based Dataplane

S2H: Hypervisor as a setter within Virtualized Network I/O for VM isolation on cloud platform

Hardware-assisted protection and isolation

Comments

Information

Published In

Sponsors

Publisher

Publication History

Permissions

Check for updates

Author Tags

Qualifiers

Conference

Acceptance Rates

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

Get Access

Login options

Full Access

View options

PDF

eReader

Figures

Other

Share

Share this Publication link

Share on social media

Affiliations