Sandboxing libraries in Chrome using SFI:
zlib proof-of-concept
Mark Seaborn
October 2013
Background
Proof of concept: zlib proxy
MinSFI: main ideas
MinSFI: other benefits over NaCl
Sandbox goals
1: Sandbox memory accesses
Constrain accesses to sandbox address space
Before:
int x = *ptr;
After:
// Bound (to 32 bits) and add base address
int x = *(int *) (__sfi_sandbox_base + (uint32_t) ptr);
2: Global variables
Before:
int global1 = 123;
int global2 = 456;
int *get_global1() { return &global1; }
int *get_global2() { return &global2; }
After:
int __sfi_globals_template[] = { 123, 456, ... };
int *get_global1() { return (int *) 0x10000; }
int *get_global2() { return (int *) 0x10004; }
3: Stack-allocated variables
Handle “alloca”: address-taken local vars
Before:
void foo() {
  int x = 1;
  bar(&x);
}
After:
char *STACK = (char *) 0x100000;
void foo() {
  STACK -= 4;
  int *x_addr = (int *) STACK;
  *x_addr = 1;
  bar(x_addr);
  STACK += 4;
}
4: Sandbox indirect function calls
Before:
typedef int (*func_t)(void);
int apply(func_t f) {
return f();
}
After:
func_t __sfi_funcs[] = { ... };
int apply(func_t f) {
if ((unsigned) f >= ARRAY_SIZE(__sfi_funcs)) abort();
return __sfi_funcs[(unsigned) f]();
}
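The four rewrites above, combined into one small runnable model as an added example (this is not the slides' code or MinSFI's). It assumes a 1 MiB heap-allocated sandbox instead of the 4 GiB region, so the bound is a mask over a power-of-two size rather than the uint32_t cast, and the sfi_* names and the 16-byte guard slack are this example's own; the global and stack addresses are the ones on the slides.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed: a 1 MiB sandbox (MinSFI bounds to 4 GiB with a uint32_t cast;
 * here the bound is a mask over a power-of-two size). */
#define SANDBOX_SIZE (1u << 20)
#define SANDBOX_MASK (SANDBOX_SIZE - 1)
#define GUARD 16 /* slack so a masked 4-byte access near the end stays in the buffer */
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

static char *sfi_sandbox_base;

/* 1: bound the untrusted pointer to the sandbox, then add the base address. */
static char *sfi_translate(uintptr_t p) { return sfi_sandbox_base + (p & SANDBOX_MASK); }
static int sfi_load_int(uintptr_t p) { int v; memcpy(&v, sfi_translate(p), sizeof v); return v; }
static void sfi_store_int(uintptr_t p, int v) { memcpy(sfi_translate(p), &v, sizeof v); }

/* 2: globals live at fixed sandbox addresses, initialised from a template. */
static const int sfi_globals_template[] = { 123, 456 };
#define GLOBAL1_ADDR 0x10000u
#define GLOBAL2_ADDR 0x10004u

static void sfi_init(void) {
    sfi_sandbox_base = calloc(SANDBOX_SIZE + GUARD, 1);
    if (!sfi_sandbox_base) abort();
    memcpy(sfi_translate(GLOBAL1_ADDR), sfi_globals_template, sizeof sfi_globals_template);
}

/* 3: address-taken locals go on an explicit sandbox stack, not the host stack. */
static uintptr_t sfi_stack = 0x100000u;
static int sfi_bar(uintptr_t x_addr) { return sfi_load_int(x_addr) + sfi_load_int(GLOBAL2_ADDR); }
static int sfi_foo(void) {
    sfi_stack -= 4;
    sfi_store_int(sfi_stack, 1);   /* int x = 1; now a sandbox slot */
    int r = sfi_bar(sfi_stack);     /* bar(&x) receives a sandbox address */
    sfi_stack += 4;
    return r;
}

/* 4: indirect calls go through a table; f is an index, never a code address. */
typedef int (*func_t)(void);
static func_t sfi_funcs[] = { sfi_foo };
static int sfi_func_ok(uintptr_t f) { return f < ARRAY_SIZE(sfi_funcs); }
static int sfi_apply(uintptr_t f) {
    if (!sfi_func_ok(f)) abort();
    return sfi_funcs[f]();
}
```

A pointer past the end of the region is wrapped back into the sandbox by the mask, so an out-of-bounds access by the library lands on sandbox memory rather than on host memory.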
Proxy
MinSFI: Sources of overhead
MinSFI: To-do list
Possible uses
What’s easy to proxy?
What overheads are acceptable?
Source code