Sandcrust: Automatic Sandboxing of Unsafe Components in Rust

Published: 28 October 2017

Abstract

System-level development has been dominated by traditional programming languages such as C and C++ for decades. These languages are inherently unsafe regarding memory management. Even experienced developers make mistakes that open up security holes or compromise the safety properties of software. The Rust programming language is targeted at the systems domain and aims to eliminate memory-related programming errors by enforcing a strict memory model at the language and compiler level. Unfortunately, these compile-time guarantees no longer hold when a Rust program is linked against a library written in unsafe C, which is commonly required for functionality where an implementation in Rust is not yet available.
In this paper, we present Sandcrust, an easy-to-use sandboxing solution for isolating code and data of a C library in a separate process. This isolation protects the Rust-based main program from any memory corruption caused by bugs in the unsafe library, which would otherwise invalidate the memory safety guarantees of Rust. Sandcrust is based on the Rust macro system and requires no modification to the compiler or runtime, but only straightforward annotation of functions that call the library's API.
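As an added illustration (not code from the Sandcrust paper or project), the following Rust program shows the isolation principle the abstract describes: a stand-in for an unsafe library routine runs in a forked child process and hands its result back over a pipe, so a crash in the child leaves the calling program intact. It assumes Linux and declares the libc calls it needs via FFI; `untrusted_checksum` and `sandboxed` are constructed names, and the "crash" is simulated with an abort.

```rust
// Added example, not Sandcrust's code: run an unsafe call in a forked child
// and pass its result back over a pipe. Assumes Linux; libc declared via FFI.
use std::io;
use std::os::raw::c_int;

unsafe extern "C" {
    fn fork() -> c_int;
    fn pipe(fds: *mut c_int) -> c_int;
    fn read(fd: c_int, buf: *mut u8, n: usize) -> isize;
    fn write(fd: c_int, buf: *const u8, n: usize) -> isize;
    fn close(fd: c_int) -> c_int;
    fn waitpid(pid: c_int, status: *mut c_int, opts: c_int) -> c_int;
    fn _exit(status: c_int) -> !;
}

/// Constructed stand-in for an unsafe C library routine: sums the bytes, but
/// aborts the process on input starting with 0xFF (a simulated memory bug).
fn untrusted_checksum(data: &[u8]) -> u64 {
    if data.first() == Some(&0xFF) {
        std::process::abort();
    }
    data.iter().map(|&b| b as u64).sum()
}

/// Run `f` in a forked child and return its u64 result. Err means the child
/// died before delivering a result, e.g. it crashed inside the library.
fn sandboxed<F: FnOnce() -> u64>(f: F) -> io::Result<u64> {
    let mut fds = [0 as c_int; 2];
    if unsafe { pipe(fds.as_mut_ptr()) } != 0 { return Err(io::Error::last_os_error()); }
    let pid = unsafe { fork() };
    if pid < 0 { return Err(io::Error::last_os_error()); }
    if pid == 0 {
        // Child: compute, send the 8 result bytes, exit without destructors.
        unsafe { close(fds[0]) };
        let out = f().to_le_bytes();
        unsafe { write(fds[1], out.as_ptr(), out.len()); _exit(0) }
    }
    // Parent: close the write end so read() hits EOF if the child dies early.
    unsafe { close(fds[1]) };
    let mut buf = [0u8; 8];
    let n = unsafe { read(fds[0], buf.as_mut_ptr(), buf.len()) };
    unsafe { close(fds[0]); waitpid(pid, std::ptr::null_mut(), 0) };
    if n == 8 { Ok(u64::from_le_bytes(buf)) } else {
        Err(io::Error::new(io::ErrorKind::Other, "sandboxed call died before returning"))
    }
}

fn main() {
    println!("{:?}", sandboxed(|| untrusted_checksum(b"hello"))); // Ok(532)
    println!("{:?}", sandboxed(|| untrusted_checksum(&[0xFF, 1]))); // Err(...)
}
```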



Published In

PLOS '17: Proceedings of the 9th Workshop on Programming Languages and Operating Systems
October 2017
62 pages
ISBN:9781450351539
DOI:10.1145/3144555
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States


Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

SOSP '17

Acceptance Rates

Overall Acceptance Rate 17 of 32 submissions, 53%

Article Metrics

  • Downloads (Last 12 months)110
  • Downloads (Last 6 weeks)7
Reflects downloads up to 28 Dec 2024

Cited By

  • (2024) Counterexamples in Safe Rust. Proceedings of the 39th IEEE/ACM International Conference on Automated Software Engineering Workshops, 128-135. doi:10.1145/3691621.3694943. Online publication date: 27-Oct-2024
  • (2024) Rust for Embedded Systems: Current State and Open Problems. Proceedings of the 2024 ACM SIGSAC Conference on Computer and Communications Security, 2296-2310. doi:10.1145/3658644.3690275. Online publication date: 2-Dec-2024
  • (2024) ERASan: Efficient Rust Address Sanitizer. 2024 IEEE Symposium on Security and Privacy (SP), 4053-4068. doi:10.1109/SP54263.2024.00258. Online publication date: 19-May-2024
  • (2024) Beyond Memory Safety: an Empirical Study on Bugs and Fixes of Rust Programs. 2024 IEEE 24th International Conference on Software Quality, Reliability and Security (QRS), 272-283. doi:10.1109/QRS62785.2024.00035. Online publication date: 1-Jul-2024
  • (2023) TRUST. Proceedings of the 32nd USENIX Conference on Security Symposium, 6947-6964. doi:10.5555/3620237.3620626. Online publication date: 9-Aug-2023
  • (2023) "I wouldn't want my unsafe code to run my pacemaker". Proceedings of the 32nd USENIX Conference on Security Symposium, 2509-2525. doi:10.5555/3620237.3620378. Online publication date: 9-Aug-2023
  • (2023) Encapsulated Functions: Fortifying Rust's FFI in Embedded Systems. Proceedings of the 1st Workshop on Kernel Isolation, Safety and Verification, 41-48. doi:10.1145/3625275.3625397. Online publication date: 23-Oct-2023
  • (2023) A pred-LL(*) Parsable Typed Higher-Order Macro System for Architecture Description Languages. Proceedings of the 22nd ACM SIGPLAN International Conference on Generative Programming: Concepts and Experiences, 29-41. doi:10.1145/3624007.3624052. Online publication date: 22-Oct-2023
  • (2023) Takeaways of Implementing a Native Rust UDP Tunneling Network Driver in the Linux Kernel. Proceedings of the 12th Workshop on Programming Languages and Operating Systems, 18-25. doi:10.1145/3623759.3624547. Online publication date: 23-Oct-2023
  • (2023) Improving Security Tasks Using Compiler Provenance Information Recovered At the Binary-Level. Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, 2695-2709. doi:10.1145/3576915.3623098. Online publication date: 15-Nov-2023