Efficient Software-Based Fault Isolation, SOSP 1993
Discussion lead: Dylan Johnson
How does SFI ensure that distrusted module code cannot edit data outside of its own fault domain? Name both methods and briefly describe how they work.
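To make the two mechanisms behind this question concrete, here is an added C simulation of both (example code written for this page, not code from the paper). It assumes a toy flat address space of four 4 KiB segments, where the upper address bits of an address are its segment id, and an untrusted module whose data segment is segment 2; in the real scheme the segment id and mask live in dedicated registers that the untrusted code never loads, which is what makes the sandboxed address trustworthy.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simulated address space (constructed for the example): NSEG segments of
 * 2^SEG_SHIFT bytes each. The segment id is the address with the low
 * SEG_SHIFT bits stripped off. */
#define SEG_SHIFT 12u
#define NSEG      4u
#define SEG_MASK  ((uintptr_t)((1u << SEG_SHIFT) - 1))   /* keeps the offset bits */

uint8_t address_space[NSEG << SEG_SHIFT];

/* Per-module state. The paper keeps these values in dedicated registers so the
 * untrusted module cannot overwrite them; here they are plain fields. */
typedef struct {
    uintptr_t data_segment;   /* segment id the module is allowed to write */
} fault_domain;

fault_domain demo_domain = { .data_segment = 2 };

uintptr_t segment_of(uintptr_t addr) { return addr >> SEG_SHIFT; }

/* Method 1: segment matching. Before every unsafe store, compare the upper
 * bits of the target address with the module's segment id and trap on a
 * mismatch. Costs a compare and a branch per store, but it pinpoints the
 * exact instruction that tried to write outside the fault domain. Here the
 * trap is modelled as returning false and skipping the store. */
bool sm_store(const fault_domain *fd, uintptr_t addr, uint8_t value)
{
    if (segment_of(addr) != fd->data_segment)
        return false;                         /* would trap to the OS */
    address_space[addr] = value;
    return true;
}

/* Method 2: address sandboxing. Instead of checking the address, force its
 * upper bits to the module's segment id with an AND (clear the upper bits)
 * followed by an OR (set the segment id). Cheaper than matching, since no
 * branch is needed, but an out-of-domain address is silently redirected
 * into the module's own segment rather than reported. */
uintptr_t sandbox_addr(const fault_domain *fd, uintptr_t addr)
{
    uintptr_t offset = addr & SEG_MASK;                   /* and with mask   */
    return offset | (fd->data_segment << SEG_SHIFT);      /* or in segment id */
}

void sb_store(const fault_domain *fd, uintptr_t addr, uint8_t value)
{
    /* The sandboxed address is computed into a dedicated register and the
     * store goes through that register, so even a jump that lands between
     * the AND/OR and the store cannot use an unsandboxed address. */
    address_space[sandbox_addr(fd, addr)] = value;
}

int main(void)
{
    uintptr_t inside = 0x2010, outside = 0x1010;

    printf("segment matching: inside ok=%d, outside ok=%d\n",
           sm_store(&demo_domain, inside, 7),
           sm_store(&demo_domain, outside, 9));
    printf("sandboxing: 0x%lx is redirected to 0x%lx\n",
           (unsigned long)outside,
           (unsigned long)sandbox_addr(&demo_domain, outside));
    return 0;
}
```

Running it shows the trade-off the paper discusses: segment matching rejects the store to 0x1010 and can report it, while sandboxing quietly turns 0x1010 into 0x2010 and lets the store proceed inside the module's own segment.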
Often we also want to protect against malicious modules (spyware and malware), not just unstable ones. What do segment matching and sandboxing, as described in the paper, not protect against if we assume a module is malicious?
Imagine we are trying to sandbox an x86 binary where the untrusted module can jump to the middle of an instruction. Does this pose problems to the SFI techniques proposed in the paper?
Provide a list of questions you would like to discuss in class. Feel free to provide any comments on the paper and related topics (e.g., which parts you like and which parts you find confusing).