[LLVMdev] Secure Virtual Machine

Sandro Magi naasking at gmail.com
Thu Jun 7 10:05:48 PDT 2007


On 6/7/07, Nai XIA <nelson.xia at gmail.com> wrote:
> > Basically, if you want to be able to download and execute potentially
> > malicious code safely, no existing VM is sufficiently safe, since the
> > malicious code can still DoS the CPU and the memory subsystems. This
> > is because all VMs of which I'm aware provide insufficient resource
> > accounting; the only efforts to minimize these DoS opportunities are
> > CapROS/EROS and Coyotos secure operating systems (that I'm aware).
> > Secure mobile code will remain a pipe dream until such isolation is
> > addressed.
>
> Personally, I wonder if it may be a little bit too early for LLVM to meet
> these fine-grained confinement problems before the SVA gets mature.

I'm not proposing a secure virtual machine for unsafe code (though I
did suggest that it could possibly be extended to unsafe code), I'm
suggesting extensions to handle this security hole for *safe* code. At
the moment, if I want to design a secure language and runtime like
Singularity, I can't build it on LLVM because I don't have sufficient
control over memory management and execution.

Actually, I probably can build Singularity on LLVM, but it's not at
all *straightforward* to do so; it involves allocating byte buffers
and manually managing them as a heap, transforming all functions to
explicitly pass around process state, and not using LLVM's allocation
routines, but using custom ones instead.

I would think LLVM would want to make this mapping a little simpler,
hence my proposal.

Sandro
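Sandro's last two paragraphs list what a Singularity-style runtime would have to build by hand on top of LLVM: byte buffers managed as a per-process heap, process state threaded explicitly through every function, and custom allocation routines in place of LLVM's. The C program below is an added example, not code from this thread or from LLVM, showing how that explicit per-process accounting closes the memory and CPU DoS hole raised in the first quoted paragraph: a greedy component exhausts only its own quota and step budget, and a neighbour with its own state is unaffected. All names (`proc_state`, `proc_alloc`, `proc_step`, the `fuel` budget) are hypothetical, and the 16-byte alignment and quota sizes are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical per-process resource state: the "explicitly passed
 * process state" the mail describes. A runtime threads one of these
 * through every call of an untrusted component instead of using a
 * shared global heap or an unbounded scheduler slot. */
typedef struct {
    uint8_t *arena;     /* byte buffer owned by this process, managed by hand */
    size_t   capacity;  /* size of the arena in bytes */
    size_t   used;      /* bump-pointer high-water mark */
    size_t   mem_quota; /* hard cap on bytes this process may hold */
    size_t   refused;   /* allocations denied because of the quota */
    long     fuel;      /* remaining CPU budget in abstract steps */
} proc_state;

static void proc_init(proc_state *p, uint8_t *buf, size_t cap,
                      size_t mem_quota, long fuel) {
    p->arena = buf;
    p->capacity = cap;
    p->used = 0;
    p->mem_quota = mem_quota < cap ? mem_quota : cap; /* never exceed the arena */
    p->refused = 0;
    p->fuel = fuel;
}

/* Custom allocator: charges the request against the caller's own quota and
 * refuses instead of growing. NULL is the accounting signal a runtime would
 * turn into "this process is out of memory", not a machine-wide failure. */
static void *proc_alloc(proc_state *p, size_t n) {
    size_t aligned = (n + 15) & ~(size_t)15;              /* 16-byte alignment */
    if (aligned < n || p->used + aligned > p->mem_quota) { /* overflow or over quota */
        p->refused++;
        return NULL;
    }
    void *ptr = p->arena + p->used;
    p->used += aligned;
    return ptr;
}

/* Charge one step of CPU; returns 0 once the budget is spent so a
 * scheduler can preempt the process instead of letting it spin forever. */
static int proc_step(proc_state *p) {
    if (p->fuel <= 0) return 0;
    p->fuel--;
    return 1;
}

/* Simulated untrusted component that allocates in a loop (memory hog).
 * Returns how many allocations succeeded. */
static int greedy_allocs(proc_state *p, size_t chunk, int rounds) {
    int ok = 0;
    for (int i = 0; i < rounds; i++)
        if (proc_alloc(p, chunk) != NULL) ok++;
    return ok;
}

/* Simulated untrusted component that spins (CPU hog). Returns how many
 * iterations it actually got before its fuel ran out. */
static long spin_loop(proc_state *p, long wanted) {
    long done = 0;
    while (done < wanted && proc_step(p)) done++;
    return done;
}

/* Two processes with separate state: A exhausts its own quota and budget,
 * B keeps its full allowance. Returns 1 if isolation held. */
static int demo_isolation(void) {
    static uint8_t buf_a[2048], buf_b[2048];
    proc_state a, b;
    proc_init(&a, buf_a, sizeof buf_a, 1024, 50);
    proc_init(&b, buf_b, sizeof buf_b, 1024, 50);

    int  a_ok    = greedy_allocs(&a, 100, 20); /* 100 -> 112 aligned; 9 fit in 1024 */
    long a_steps = spin_loop(&a, 1000);        /* capped at 50 by fuel */
    int  b_ok    = greedy_allocs(&b, 100, 5);  /* B's quota is untouched */
    long b_steps = spin_loop(&b, 10);

    printf("A: %d allocs ok, %zu refused, %ld steps; B: %d allocs ok, %ld steps\n",
           a_ok, a.refused, a_steps, b_ok, b_steps);
    return a_ok == 9 && a.refused == 11 && a_steps == 50 && b_ok == 5 && b_steps == 10;
}

int main(void) {
    return demo_isolation() ? 0 : 1;
}
```

The point of the design is that every resource decision consults state the component cannot reach around: the allocator never falls back to a global heap, and the step counter is decremented by the runtime rather than trusted to the code being confined.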


