The applications we use today are developed as a combination of first-party code and code borrowed from third-parties. This has allowed developers to build large applications with rich feature sets. Unfortunately, when we borrow code we don’t just borrow its functionality, we also inherit its bugs. These bugs are particularly serious for systems like browsers that are written in C and C++ as they are often memory safety bugs. In the last decade, security researchers have disclosed numerous instances of memory safety bugs in third-party code being targeted by attackers to compromise systems ranging from browsers to messaging clients.
The most pragmatic way to prevent such attacks is to sandbox this third-party code, i.e., confine the code to its own region of memory, separate from the rest of the application. This is an old idea. Alas, it has only seen limited adoption; sandboxing today is only used to limit the damage of bugs in a handful of applications like OpenSSH and browsers; it has never been used to sandbox third-party code.
In this dissertation, we bridge this gap with an end-to-end framework to sandbox third-party code. This required addressing challenges on three fronts: engineering, security, and performance. On the engineering front, we needed to simplify the retrofitting of sandboxing in existing applications; to address this, we built RLBox, a type-driven framework that helps developers incrementally adopt sandboxing. On the security front, we needed to ensure that the sandboxing tools we use provide reliable security guarantees; to address this, we built VeriWasm, a validator that ensures bugs in sandboxing tools do not break sandboxing, and Swivel, a compiler that hardens sandboxing against Spectre—transient execution attacks which exploit the underlying hardware to break sandboxing. On the performance front, we needed to minimize the overheads of sandboxing, specifically, the overheads of an application switching to and from sandboxed code; to address this, we built Zero-Cost, a compiler pass that eliminates all transition costs between applications and sandboxed code.
Our work demonstrates that sandboxing is an effective way to secure today’s applications from bugs in third-party code.