
ISboxing: An Instruction Substitution Based Data Sandboxing for x86 Untrusted Libraries

Abstract : Dynamically-linked libraries are widely adopted in application programs to achieve extensibility. However, faults in untrusted libraries could allow an attacker to compromise both integrity and confidentiality of the host system (the main program and trusted libraries), as no protection boundaries are enforced between them. Previous systems address this issue through the technique named data sandboxing that relies on instrumentation to sandbox memory reads and writes in untrusted libraries. However, the instrumentation method causes relatively high overhead due to frequent memory reads in code. In this paper, we propose an efficient and practical data sandboxing approach (called ISboxing) on contemporary x86 platforms, which sandboxes a memory read/write by directly substituting it with a self-sandboxed and function-equivalent one. Our substitution-based method does not insert any additional instructions into library code and therefore incurs almost no measurable runtime overhead. Our experimental results show that ISboxing incurs only 0.32%/1.54% (average/max) overhead for SPECint2000 and 0.05%/0.24% (average/max) overhead for SFI benchmarks, which indicates a notable performance improvement on prior work.
Document type :
Conference papers

Cited literature [28 references]
Contributor : Hal Ifip
Submitted on : Wednesday, July 13, 2016 - 11:09:01 AM
Last modification on : Wednesday, July 13, 2016 - 11:18:41 AM


Files produced by the author(s)


Distributed under a Creative Commons Attribution 4.0 International License



Liang Deng, Qingkai Zeng, Yao Liu. ISboxing: An Instruction Substitution Based Data Sandboxing for x86 Untrusted Libraries. 30th IFIP International Information Security Conference (SEC), May 2015, Hamburg, Germany. pp.386-400, ⟨10.1007/978-3-319-18467-8_26⟩. ⟨hal-01345130⟩


