cispa_all_3382.pdf (735.84 kB)
Cali: Compiler Assisted Library Isolation
conference contribution
posted on 2023-11-29, 18:16 authored by Markus Bauer, Christian RossowChristian RossowSoftware libraries can freely access the program's entire address space, and also inherit its system-level privileges. This lack of separation regularly leads to security-critical incidents once libraries contain vulnerabilities or turn rogue. We present Cali, a compiler-assisted library isolation system that fully automatically shields a program from a given library. Cali is fully compatible with mainline Linux and does not require supervisor privileges to execute. We compartmentalize libraries into their own process with well-defined security policies. To preserve the functionality of the interactions between program and library, Cali uses a Program Dependence Graph to track data flow between the program and the library during link time. We evaluate our open-source prototype against three popular libraries: Ghostscript, OpenSSL, and SQLite. Cali successfully reduced the amount of memory that is shared between the program and library to 0.08% (ImageMagick) - 0.4% (Socat), while retaining an acceptable program performance.
History
Preferred Citation
Markus Bauer and Christian Rossow. Cali: Compiler Assisted Library Isolation. In: ACM ASIA Conference on Computer and Communications Security (AsiaCCS). 2021.Primary Research Area
- Threat Detection and Defenses
Name of Conference
ACM ASIA Conference on Computer and Communications Security (AsiaCCS)Legacy Posted Date
2021-03-05Open Access Type
- Unknown
BibTeX
@inproceedings{cispa_all_3382, title = "Cali: Compiler Assisted Library Isolation", author = "Bauer, Markus and Rossow, Christian", booktitle="{ACM ASIA Conference on Computer and Communications Security (AsiaCCS)}", year="2021", }Usage metrics
Categories
No categories selectedKeywords
Licence
Exports
RefWorks
BibTeX
Ref. manager
Endnote
DataCite
NLM
DC