DocumentCode :
2554262
Title :
Safe Loading - A Foundation for Secure Execution of Untrusted Programs
Author :
Payer, Mathias ; Hartmann, Thomas ; Gross, Thomas R.
Author_Institution :
ETH Zurich, Zurich, Switzerland
fYear :
2012
fDate :
20-23 May 2012
Firstpage :
18
Lastpage :
32
Abstract :
The standard loader (ld.so) is a common target of attacks. The loader is a trusted component of the application, and faults in the loader are problematic, e.g., they may lead to local privilege escalation for SUID binaries. Software-based fault isolation (SFI) provides a framework to execute arbitrary code while protecting the host system. A problem of current approaches to SFI is that fault isolation is decoupled from the dynamic loader, which is treated as a black box. The sandbox has no information about the (expected) execution behavior of the application and the connections between different shared objects. As a consequence, SFI is limited in its ability to identify devious application behavior. This paper presents a new approach to run untrusted code in a user-space sandbox. The approach replaces the standard loader with a security-aware trusted loader. The secure loader and the sandbox together cooperate to allow controlled execution of untrusted programs. A secure loader makes security a first-class concept and ensures that the SFI system does not allow any unchecked code to be executed. The user-space sandbox builds on the secure loader and subsequently dynamically checks for malicious code and ensures that all control flow instructions of the application adhere to an execution model. The combination of the secure loader and the user-space sandbox enables the safe execution of untrusted code in user-space. Code injection attacks are stopped before any unintended code is executed. Furthermore, additional information provided by the loader can be used to support additional security properties, e.g., inlining of Procedure Linkage Table calls reduces the number of indirect control flow transfers and therefore limits jump-oriented attacks. This approach implements a secure platform for privileged applications and applications reachable over the network that anticipates and confines security threats from the beginning.
Keywords :
fault diagnosis; program diagnostics; software fault tolerance; trusted computing; SFI system; SUID binaries; code injection attacks; control flow instructions; dynamic loader; host system; indirect control flow transfers; jump-oriented attacks; local privilege escalation; problematic loader; procedure linkage table calls; safe loading; secure execution; security properties; security-aware trusted loader; software-based fault isolation; standard loader; trusted component; unchecked code; untrusted code; untrusted programs; user-space sandbox; Libraries; Load modeling; Loading; Runtime environment; Security; Standards; process creation; sandboxing; secure loading; software-based fault isolation;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Security and Privacy (SP), 2012 IEEE Symposium on
Conference_Location :
San Francisco, CA
ISSN :
1081-6011
Print_ISBN :
978-1-4673-1244-8
Electronic_ISBN :
1081-6011
Type :
conf
DOI :
10.1109/SP.2012.11
Filename :
6234402