IA^2: Intent-Capturing Annotations for Isolation and Assurance

Systems software can be tricked into performing unintended computation by feeding it carefully crafted inputs that corrupt and leak internal state. Modern software is so complex that implementation defects, some of which are exploitable, will only be discovered in the field. Operating systems isolate the state of each process such that a program experiencing an error does not bring down the entire system. There is no separation between libraries inside a single process, however. This has become a problem as applications grow more complex and defects in unrelated components can be combined freely into a weird machine performing unintended, malicious computations. As a result, several large applications have switched to a multi-process design. The idea is to reduce the “blast radius” of malicious inputs by i) processing untrusted inputs in a sandboxed process with few privileges and ii) performing privileged operations in a separate, higher privileged process. The application of multi-process designs is unfortunately limited by the substantial additional developer effort required to re-architect large and complex code bases such that costly inter-process interactions and marshaling of data does not lead to unacceptable slow downs. We propose an easy-to-use and efficient compartmentalization scheme that leverages a new memory management feature in x86 processors. The approach is easy to use because it does not require developers to split their application into multiple processes. Instead, programmers will use annotations to map libraries and executables to a set of compartments. When the application is built, we will automatically insert call gates on call edges that cross compartments thus reducing the programmer burden. Call gates implement compartment switches without assistance from the kernel and are therefore more efficient than full context switches from one process to another. Programmers are required to declare their intent to share certain data between compartments; this again requires less effort than marshaling data between processes. The compartmentalization substrate allocates data based on whether it is shared between compartments or private to a single compartment. We will provide tools that help programmers insert the necessary sharing annotations and diagnose segmentation faults triggered by accesses to the private memory of another compartment.   The proposed work builds on the encouraging results obtained during the Phase I effort. The experimental design of Phase I relied on a customized Rust compiler to compartmentalize applications. A major goal of Phase II is the ability to compartmentalize applications without the need to use a custom compartment-aware compiler to facilitate deployability. Other key improvements include the ability to support more compartmentalization models and deployments scenarios.