Software libraries can freely access the program's entire address space, and also inherit its system-level privileges. This lack of separation regularly leads to security-critical incidents once libraries contain vulnerabilities or turn rogue. We present Cali, a compiler-assisted library isolation system that fully automatically shields a program from a given library. Cali is fully compatible with mainline Linux and does not require supervisor privileges to execute. We compartmentalize libraries into their own process with well-defined security policies. To preserve the functionality of the interactions between program and library, Cali uses a Program Dependence Graph to track data flow between the program and the library during link time. We evaluate our open-source prototype against three popular libraries: Ghostscript, OpenSSL, and SQLite. Cali successfully reduced the amount of memory that is shared between the program and library to 0.08% (ImageMagick) - 0.4% (Socat), while retaining an acceptable program performance.
Preferred Citation
Markus Bauer and Christian Rossow. Cali: Compiler Assisted Library Isolation. In: ACM ASIA Conference on Computer and Communications Security (AsiaCCS). 2021.
Primary Research Area
Threat Detection and Defenses
Name of Conference
ACM ASIA Conference on Computer and Communications Security (AsiaCCS)
Legacy Posted Date
2021-03-05
Open Access Type
Unknown
BibTeX
@inproceedings{cispa_all_3382,
  title     = "Cali: Compiler Assisted Library Isolation",
  author    = "Bauer, Markus and Rossow, Christian",
  booktitle = "{ACM ASIA Conference on Computer and Communications Security (AsiaCCS)}",
  year      = "2021",
}