Almost all SFI systems use heavyweight transitions that incur significant
performance overhead from saving and restoring registers when context switching
between application and sandbox code. We identify a set of zero-cost conditions
that characterize when sandboxed code is well-structured enough that security
can be guaranteed via lightweight zero-cost transitions. We show that using
WebAssembly (Wasm) as an intermediate representation for low-level code
naturally results in an SFI transition system with zero-cost transitions, and
modify the Lucet Wasm compiler and its runtime to use zero-cost transitions.
Our modifications speed up font and image rendering in Firefox by up to 29.7%
and 10% respectively. We also describe a new purpose-built fast SFI system,
SegmentZero32, that uses x86 segmentation and LLVM with mostly off-the-shelf
passes to enforce our zero-cost conditions. While this enforcement incurs some
runtime cost within the sandboxed code, we find that, on Firefox image and font
rendering benchmarks, the time saved per transition allows SegmentZero32 to
outperform even an idealized hardware isolation system where memory isolation
incurs zero performance overhead but the use of heavyweight transitions is
required.