![Page 1: The Effect of Instruction Padding on SFI Overhead](https://reader034.vdocuments.us/reader034/viewer/2022051323/627ba2a2e1f2dd1ee83c972d/html5/thumbnails/1.jpg)
The Effect of Instruction Padding on SFI Overhead
Navid Emamdoost Stephen [email protected] [email protected]
![Page 2: The Effect of Instruction Padding on SFI Overhead](https://reader034.vdocuments.us/reader034/viewer/2022051323/627ba2a2e1f2dd1ee83c972d/html5/thumbnails/2.jpg)
Software-based Fault Isolation●
○○○
●○○
2
Code Sandbox
Data Sandbox
Module A
Module B
![Page 3: The Effect of Instruction Padding on SFI Overhead](https://reader034.vdocuments.us/reader034/viewer/2022051323/627ba2a2e1f2dd1ee83c972d/html5/thumbnails/3.jpg)
CISC Architectures●●●●
3
![Page 4: The Effect of Instruction Padding on SFI Overhead](https://reader034.vdocuments.us/reader034/viewer/2022051323/627ba2a2e1f2dd1ee83c972d/html5/thumbnails/4.jpg)
Our Focus●
○
●○
○
○
○
○
4
![Page 5: The Effect of Instruction Padding on SFI Overhead](https://reader034.vdocuments.us/reader034/viewer/2022051323/627ba2a2e1f2dd1ee83c972d/html5/thumbnails/5.jpg)
Unsafe Instructions●
○○
●○
○
5
![Page 6: The Effect of Instruction Padding on SFI Overhead](https://reader034.vdocuments.us/reader034/viewer/2022051323/627ba2a2e1f2dd1ee83c972d/html5/thumbnails/6.jpg)
Unsafe Instructions●
○○
●○○
○○
6
![Page 7: The Effect of Instruction Padding on SFI Overhead](https://reader034.vdocuments.us/reader034/viewer/2022051323/627ba2a2e1f2dd1ee83c972d/html5/thumbnails/7.jpg)
●●●
Alignment in NaCl
7
... 1060451: 83 c8 01 or $0x1,%eax 1060454: 88 41 28 mov %al,0x28(%ecx) 1060457: 8b 0e mov (%esi),%ecx 1060459: 8b 51 04 mov 0x4(%ecx),%edx 106045c: 85 d2 test %edx,%edx 106045e: 66 90 xchg %ax,%ax
1060460: 0f 88 9a 01 00 00 js 1060600 1060466: 8b 01 mov (%ecx),%eax 1060468: 8d 3c 95 00 00 00 00 lea 0x0(,%edx,4),%edi 106046f: 89 d6 mov %edx,%esi 1060471: 83 ea 01 sub $0x1,%edx 1060474: 83 e6 07 and $0x7,%esi 1060477: 83 fa ff cmp $0xffffffff,%edx 106047a: 8d b6 00 00 00 00 lea 0x0(%esi),%esi
1060480: c7 04 38 84 06 03 11 movl $0x11030684,(%eax,%edi,1) 1060487: 8d 47 fc lea -0x4(%edi),%eax 106048a: 0f 84 70 01 00 00 je 1060600
...
![Page 8: The Effect of Instruction Padding on SFI Overhead](https://reader034.vdocuments.us/reader034/viewer/2022051323/627ba2a2e1f2dd1ee83c972d/html5/thumbnails/8.jpg)
●●
○
10ee700: 55 push %ebp 10ee701: 89 e5 mov %esp,%ebp 10ee703: 83 ec 18 sub $0x18,%esp 10ee706: c7 04 24 2c 5e 01 11 movl $0x11015e2c,(%esp) 10ee70d: 8d b4 26 00 00 00 00 lea 0x0(%esi,%eiz,1),%esi 10ee714: 8d bc 27 00 00 00 00 lea 0x0(%edi,%eiz,1),%edi 10ee71b: e8 a0 72 f5 ff call 10459c0
10ee720: 89 ec mov %ebp,%esp 10ee722: 5d pop %ebp 10ee723: 59 pop %ecx 10ee724: 83 e1 e0 and $0xffffffe0,%ecx 10ee727: ff e1 jmp *%ecx
…
Alignment in NaCl
8
![Page 9: The Effect of Instruction Padding on SFI Overhead](https://reader034.vdocuments.us/reader034/viewer/2022051323/627ba2a2e1f2dd1ee83c972d/html5/thumbnails/9.jpg)
Padding vs Performance●
○
○
○
●
9
![Page 10: The Effect of Instruction Padding on SFI Overhead](https://reader034.vdocuments.us/reader034/viewer/2022051323/627ba2a2e1f2dd1ee83c972d/html5/thumbnails/10.jpg)
CBI NaCl●
○
○
●○
○
10
![Page 11: The Effect of Instruction Padding on SFI Overhead](https://reader034.vdocuments.us/reader034/viewer/2022051323/627ba2a2e1f2dd1ee83c972d/html5/thumbnails/11.jpg)
Types of Padding●
○
●○
●○
11
![Page 12: The Effect of Instruction Padding on SFI Overhead](https://reader034.vdocuments.us/reader034/viewer/2022051323/627ba2a2e1f2dd1ee83c972d/html5/thumbnails/12.jpg)
Types of Padding●
○
●○
●○
○
cmp $0xffffffff,%edx 6 byte pad movl $0x11030684,(%eax,%edi,1)... ...lea -0x4(%edi),%eax
12
![Page 13: The Effect of Instruction Padding on SFI Overhead](https://reader034.vdocuments.us/reader034/viewer/2022051323/627ba2a2e1f2dd1ee83c972d/html5/thumbnails/13.jpg)
Pad Removal (simplified)
13
cmp $0xffffffff,%edx 6 byte pad movl $0x11030684,(%eax,%edi,1)... ...lea -0x4(%edi),%eax
![Page 14: The Effect of Instruction Padding on SFI Overhead](https://reader034.vdocuments.us/reader034/viewer/2022051323/627ba2a2e1f2dd1ee83c972d/html5/thumbnails/14.jpg)
Pad Removal (simplified)
14
cmp $0xffffffff,%edx 6 byte pad movl $0x11030684,(%eax,%edi,1)... ...lea -0x4(%edi),%eax
cmp $0xffffffff,%edx movl $0x11030684,(%eax,%edi,1)... ...lea -0x4(%edi),%eax
![Page 15: The Effect of Instruction Padding on SFI Overhead](https://reader034.vdocuments.us/reader034/viewer/2022051323/627ba2a2e1f2dd1ee83c972d/html5/thumbnails/15.jpg)
Pad Removal (simplified)
15
cmp $0xffffffff,%edx 6 byte pad movl $0x11030684,(%eax,%edi,1)... ...lea -0x4(%edi),%eax
cmp $0xffffffff,%edx movl $0x11030684,(%eax,%edi,1)... ...lea -0x4(%edi),%eax
![Page 16: The Effect of Instruction Padding on SFI Overhead](https://reader034.vdocuments.us/reader034/viewer/2022051323/627ba2a2e1f2dd1ee83c972d/html5/thumbnails/16.jpg)
Pad Removal (simplified)
16
cmp $0xffffffff,%edx 6 byte pad movl $0x11030684,(%eax,%edi,1)... ...lea -0x4(%edi),%eax
cmp $0xffffffff,%edx movl $0x11030684,(%eax,%edi,1)... ...lea -0x4(%edi),%eax
cmp $0xffffffff,%edx movl $0x11030684,(%eax,%edi,1)... ...lea -0x4(%edi),%eax
![Page 17: The Effect of Instruction Padding on SFI Overhead](https://reader034.vdocuments.us/reader034/viewer/2022051323/627ba2a2e1f2dd1ee83c972d/html5/thumbnails/17.jpg)
Pad Removal (simplified)
17
cmp $0xffffffff,%edx 6 byte pad movl $0x11030684,(%eax,%edi,1)... ...lea -0x4(%edi),%eax
cmp $0xffffffff,%edx movl $0x11030684,(%eax,%edi,1)... ...lea -0x4(%edi),%eax
cmp $0xffffffff,%edx movl $0x11030684,(%eax,%edi,1)... ...lea -0x4(%edi),%eax
![Page 18: The Effect of Instruction Padding on SFI Overhead](https://reader034.vdocuments.us/reader034/viewer/2022051323/627ba2a2e1f2dd1ee83c972d/html5/thumbnails/18.jpg)
Pad Removal (simplified)
18
cmp $0xffffffff,%edx 6 byte pad movl $0x11030684,(%eax,%edi,1)... ...lea -0x4(%edi),%eax
cmp $0xffffffff,%edx movl $0x11030684,(%eax,%edi,1)... ...lea -0x4(%edi),%eax
cmp $0xffffffff,%edx movl $0x11030684,(%eax,%edi,1)... ...lea -0x4(%edi),%eax
cmp $0xffffffff,%edx movl $0x11030684,(%eax,%edi,1)... ...lea -0x4(%edi),%eax
![Page 19: The Effect of Instruction Padding on SFI Overhead](https://reader034.vdocuments.us/reader034/viewer/2022051323/627ba2a2e1f2dd1ee83c972d/html5/thumbnails/19.jpg)
Pad Removal (simplified)
19
cmp $0xffffffff,%edx 6 byte pad movl $0x11030684,(%eax,%edi,1)... ...lea -0x4(%edi),%eax
cmp $0xffffffff,%edx movl $0x11030684,(%eax,%edi,1)... ...lea -0x4(%edi),%eax
cmp $0xffffffff,%edx movl $0x11030684,(%eax,%edi,1)... ...lea -0x4(%edi),%eax
cmp $0xffffffff,%edx movl $0x11030684,(%eax,%edi,1)... ...lea -0x4(%edi),%eax
![Page 20: The Effect of Instruction Padding on SFI Overhead](https://reader034.vdocuments.us/reader034/viewer/2022051323/627ba2a2e1f2dd1ee83c972d/html5/thumbnails/20.jpg)
NaCl Validator●●●
○
●○
20
![Page 21: The Effect of Instruction Padding on SFI Overhead](https://reader034.vdocuments.us/reader034/viewer/2022051323/627ba2a2e1f2dd1ee83c972d/html5/thumbnails/21.jpg)
●
Multipass Validator
21
... 1060451: 83 c8 01 or $0x1,%eax 1060454: 88 41 28 mov %al,0x28(%ecx) 1060457: 8b 0e mov (%esi),%ecx 1060459: 8b 51 04 mov 0x4(%ecx),%edx 106045c: 85 d2 test %edx,%edx 106045e: 66 90 xchg %ax,%ax
1060460: 0f 88 9a 01 00 00 js 1060600 1060466: 8b 01 mov (%ecx),%eax 1060468: 8d 3c 95 00 00 00 00 lea 0x0(,%edx,4),%edi 106046f: 89 d6 mov %edx,%esi 1060471: 83 ea 01 sub $0x1,%edx 1060474: 83 e6 07 and $0x7,%esi 1060477: 83 fa ff cmp $0xffffffff,%edx 106047a: 8d b6 00 00 00 00 lea 0x0(%esi),%esi
1060480: c7 04 38 84 06 03 11 movl $0x11030684,(%eax,%edi,1) 1060487: 8d 47 fc lea -0x4(%edi),%eax 106048a: 0f 84 70 01 00 00 je 1060600
...
![Page 22: The Effect of Instruction Padding on SFI Overhead](https://reader034.vdocuments.us/reader034/viewer/2022051323/627ba2a2e1f2dd1ee83c972d/html5/thumbnails/22.jpg)
●●
○
○
Multipass Validator
22
... 1060451: 83 c8 01 or $0x1,%eax 1060454: 88 41 28 mov %al,0x28(%ecx) 1060457: 8b 0e mov (%esi),%ecx 1060459: 8b 51 04 mov 0x4(%ecx),%edx 106045c: 85 d2 test %edx,%edx 106045e: 66 90 xchg %ax,%ax
1060460: 0f 88 9a 01 00 00 js 1060600 1060466: 8b 01 mov (%ecx),%eax 1060468: 8d 3c 95 00 00 00 00 lea 0x0(,%edx,4),%edi 106046f: 89 d6 mov %edx,%esi 1060471: 83 ea 01 sub $0x1,%edx 1060474: 83 e6 07 and $0x7,%esi 1060477: 83 fa ff cmp $0xffffffff,%edx 106047a: 8d b6 00 00 00 00 lea 0x0(%esi),%esi
1060480: c7 04 38 84 06 03 11 movl $0x11030684,(%eax,%edi,1) 1060487: 8d 47 fc lea -0x4(%edi),%eax 106048a: 0f 84 70 01 00 00 je 1060600
...
![Page 23: The Effect of Instruction Padding on SFI Overhead](https://reader034.vdocuments.us/reader034/viewer/2022051323/627ba2a2e1f2dd1ee83c972d/html5/thumbnails/23.jpg)
Multipass Validator Correctness●
○
○
●
●
23
![Page 24: The Effect of Instruction Padding on SFI Overhead](https://reader034.vdocuments.us/reader034/viewer/2022051323/627ba2a2e1f2dd1ee83c972d/html5/thumbnails/24.jpg)
Proof of Correctness●
○
○
●●
○
○
■
○
24
![Page 25: The Effect of Instruction Padding on SFI Overhead](https://reader034.vdocuments.us/reader034/viewer/2022051323/627ba2a2e1f2dd1ee83c972d/html5/thumbnails/25.jpg)
●○
○
○
Separate Compilation
25
.c Pad RemovalCompiler Assembler
.c Pad RemovalCompiler Assembler
Linker .nexe
![Page 26: The Effect of Instruction Padding on SFI Overhead](https://reader034.vdocuments.us/reader034/viewer/2022051323/627ba2a2e1f2dd1ee83c972d/html5/thumbnails/26.jpg)
Relocations Problem
movl $0x11015e2c,(%esp) jmp LABEL1... ...lea -0x4(%edi),%eax
Linker
26
movl $0x11015e2c,(%esp) jmp 10459c0... ...lea -0x4(%edi),%eax
![Page 27: The Effect of Instruction Padding on SFI Overhead](https://reader034.vdocuments.us/reader034/viewer/2022051323/627ba2a2e1f2dd1ee83c972d/html5/thumbnails/27.jpg)
Relocations Problem
movl $0x11015e2c,(%esp) jmp C3C3C3C3... ...lea -0x4(%edi),%eax
27
movl $0x11015e2c,(%esp) jmp C3C3C3C3... ...lea -0x4(%edi),%eax
Assembler
pad
movl $0x11015e2c,(%esp) jmp 10459c0... ...lea -0x4(%edi),%eaxpad
Linker
![Page 28: The Effect of Instruction Padding on SFI Overhead](https://reader034.vdocuments.us/reader034/viewer/2022051323/627ba2a2e1f2dd1ee83c972d/html5/thumbnails/28.jpg)
More on compilation● 0xc3
○
○
●○
●○
28
![Page 29: The Effect of Instruction Padding on SFI Overhead](https://reader034.vdocuments.us/reader034/viewer/2022051323/627ba2a2e1f2dd1ee83c972d/html5/thumbnails/29.jpg)
●66 89 81 9f 19 02 11 7f 99 e9 54 71 ff ff
●66 89 81 c3 c3 c3 c3 7f 99 e9 54 71 ff ff
Example
29
![Page 30: The Effect of Instruction Padding on SFI Overhead](https://reader034.vdocuments.us/reader034/viewer/2022051323/627ba2a2e1f2dd1ee83c972d/html5/thumbnails/30.jpg)
●66 89 81 9f 19 02 11 7f 99 e9 54 71 ff ff
●66 89 81 c3 c3 c3 c3 7f 99 e9 54 71 ff ff
Example
30
104c53e: 66 89 81 9f 19 02 11 mov %ax,0x1102199f(%ecx) 104c545: 7f 99 jg 104c4e0 <Option+0x8ea0> 104c547: e9 54 71 ff ff jmp 10436a0 <Option+0x60>
1009a5e: 66 89 81 c3 c3 c3 c3 mov %ax,-0x3c3c3c3d(%ecx) 1009a65: 7f 99 jg 1009a00 <Option+0x8ea0> 1009a67: e9 54 71 ff ff jmp 1000bc0 <Option+0x60>
![Page 31: The Effect of Instruction Padding on SFI Overhead](https://reader034.vdocuments.us/reader034/viewer/2022051323/627ba2a2e1f2dd1ee83c972d/html5/thumbnails/31.jpg)
Example●66 89 81 9f 19 02 11 7f 99 e9 54 71 ff ff
●66 89 81 c3 c3 c3 c3 7f 99 e9 54 71 ff ff
31
104c540: 81 9f 19 02 11 7f 99 sbbl $0x7154e999,0x7f110219(%edi) 104c547: e9 54 71 104c54a: ff (bad) 104c54b: ff .byte 0xff
1009a60: 81 c3 c3 c3 c3 7f add $0x7fc3c3c3,%ebx 1009a66: 99 cltd 1009a67: e9 54 71 ff ff jmp 0xffff7160
![Page 32: The Effect of Instruction Padding on SFI Overhead](https://reader034.vdocuments.us/reader034/viewer/2022051323/627ba2a2e1f2dd1ee83c972d/html5/thumbnails/32.jpg)
●66 89 81 9f 19 02 11 7f 99 e9 54 71 ff ff
●66 89 81 c3 c3 c3 c3 7f 99 e9 54 71 ff ff
Example
32
1009a60: 81 c3 c3 c3 c3 7f add $0x7fc3c3c3,%ebx 1009a66: 99 cltd 1009a67: e9 54 71 ff ff jmp 0xffff7160
104c540: 81 9f 19 02 11 7f 99 sbbl $0x7154e999,0x7f110219(%edi) 104c547: e9 54 71 104c54a: ff (bad) 104c54b: ff .byte 0xff
● 9f c3 c3 c3
![Page 33: The Effect of Instruction Padding on SFI Overhead](https://reader034.vdocuments.us/reader034/viewer/2022051323/627ba2a2e1f2dd1ee83c972d/html5/thumbnails/33.jpg)
Performance Evaluation●●
○
○
■
■
●●
33
![Page 34: The Effect of Instruction Padding on SFI Overhead](https://reader034.vdocuments.us/reader034/viewer/2022051323/627ba2a2e1f2dd1ee83c972d/html5/thumbnails/34.jpg)
SPEC2000
34
![Page 35: The Effect of Instruction Padding on SFI Overhead](https://reader034.vdocuments.us/reader034/viewer/2022051323/627ba2a2e1f2dd1ee83c972d/html5/thumbnails/35.jpg)
SPEC2006
35
![Page 36: The Effect of Instruction Padding on SFI Overhead](https://reader034.vdocuments.us/reader034/viewer/2022051323/627ba2a2e1f2dd1ee83c972d/html5/thumbnails/36.jpg)
Number of instructions●●
○
○
●○
36
![Page 37: The Effect of Instruction Padding on SFI Overhead](https://reader034.vdocuments.us/reader034/viewer/2022051323/627ba2a2e1f2dd1ee83c972d/html5/thumbnails/37.jpg)
Pad Removal Success
37
![Page 38: The Effect of Instruction Padding on SFI Overhead](https://reader034.vdocuments.us/reader034/viewer/2022051323/627ba2a2e1f2dd1ee83c972d/html5/thumbnails/38.jpg)
On x64●●
○
○
○
●○
○
38
![Page 39: The Effect of Instruction Padding on SFI Overhead](https://reader034.vdocuments.us/reader034/viewer/2022051323/627ba2a2e1f2dd1ee83c972d/html5/thumbnails/39.jpg)
Future Work●
●○
○
39
![Page 40: The Effect of Instruction Padding on SFI Overhead](https://reader034.vdocuments.us/reader034/viewer/2022051323/627ba2a2e1f2dd1ee83c972d/html5/thumbnails/40.jpg)
Conclusion ●●●
○
●●●
○ https://www-users.cs.umn.edu/~emamd001/cbi-nacl.html
40
![Page 41: The Effect of Instruction Padding on SFI Overhead](https://reader034.vdocuments.us/reader034/viewer/2022051323/627ba2a2e1f2dd1ee83c972d/html5/thumbnails/41.jpg)
41