
Vx32: Lightweight User-Level Sandboxing on the X86 (2008) - majke
http://pdos.csail.mit.edu/papers/vx32:usenix08/?
======
wslh
If you are interested in rapid sandboxing for Windows (yes, with support for
W10 and x86/x64), you can take a look at my company's open source libs:

- [https://github.com/nektra/deviare2](https://github.com/nektra/deviare2)

- [https://github.com/nektra/Deviare-InProc/](https://github.com/nektra/Deviare-InProc/)

The first one is extremely easy to use and does a lot of work behind the
scenes. For example, Symantec uses it for running legacy applications such as
Internet Explorer 6 on Windows 7.

They are not focused on the kind of security isolation Vx32 provides, but they
work in low-privilege Windows processes.

------
nickpsecurity
It's an older work worth reading. Other methods have appeared since. BASS and
TxBox were interesting. Most have potential issues, though, as there's too
much risk in the mechanism. The strongest method is still to run the untrusted
code in a partition in a separation kernel with comms between trusted and
untrusted component using carefully-validated, easily-parsed messages.
Compromise gets the attacker stuck in the partition trying to feed attacks to
other components via malicious messages that good validation will catch. And
might be detected, depending on how it's set up.

Open-source attempts for these constructions include KeyKOS, EROS, OKL4,
Fiasco.OC, seL4, JX w/ type safety, INTEGRITY-178B, and recently the Muen
separation kernel. The model, implementation, and middleware levels vary, with
OKL4 having a decent component framework. In case anyone asks, the advantage of
these over some extremely clever hypervisor stuff is (a) you don't need
hypervisor capabilities and (b) more clever = more problems found over time in
most cases.

Mikro-SINA VPN is a nice, detailed example: [http://genode-labs.com/publications/mikro-sina-2005.pdf](http://genode-labs.com/publications/mikro-sina-2005.pdf)
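
The separation-kernel design above only holds up if the trusted side parses the untrusted side's messages strictly: fixed layout, allowlisted types, lengths checked against what the type permits, and nothing trusted that the attacker could use as an index. The following C validator is an added example written for this thread; it is not from the Vx32 paper, the commenter, or any of the kernels named. The wire format (version byte, type byte, little-endian length, fixed-size payload), the two message types, the `REGION_SIZE` and `MAX_READ` bounds, and the sample messages are all hypothetical, constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical wire format chosen for this example (not any real protocol):
 *   byte 0     version, must equal MSG_VERSION
 *   byte 1     type, must be on the allowlist below
 *   bytes 2-3  payload length, little-endian, must equal the type's fixed size
 *   bytes 4..  payload of exactly that size, with no trailing bytes
 * READ_REQ payload: 4-byte offset (LE) then 2-byte count (LE), both bounded. */
#define MSG_VERSION 1
#define MSG_HDR_LEN 4
#define REGION_SIZE 65536u   /* size of the shared buffer a read may address (assumed) */
#define MAX_READ    4096u    /* largest single read the trusted side will serve (assumed) */

enum msg_type { MSG_PING = 1, MSG_READ_REQ = 2 };

enum msg_status {
    MSG_OK = 0,
    MSG_ERR_SHORT,     /* buffer shorter than header, or payload truncated */
    MSG_ERR_VERSION,   /* unsupported version byte */
    MSG_ERR_TYPE,      /* type not on the allowlist */
    MSG_ERR_LEN,       /* declared length differs from the fixed size for this type */
    MSG_ERR_TRAILING,  /* bytes present after the declared payload */
    MSG_ERR_RANGE      /* read offset/count fall outside the shared region */
};

/* Decoded message holds plain values only: no pointers back into the untrusted buffer. */
struct msg {
    uint8_t  type;
    uint32_t offset;
    uint16_t count;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Fixed payload size per allowed type; SIZE_MAX marks a type that is not allowed. */
static size_t payload_len_for(uint8_t type) {
    switch (type) {
    case MSG_PING:     return 0;
    case MSG_READ_REQ: return 6;
    default:           return SIZE_MAX;
    }
}

/* Validate an untrusted buffer; on MSG_OK, *out holds the decoded fields. */
enum msg_status msg_validate(const uint8_t *buf, size_t len, struct msg *out)
{
    memset(out, 0, sizeof *out);
    if (len < MSG_HDR_LEN)
        return MSG_ERR_SHORT;
    if (buf[0] != MSG_VERSION)
        return MSG_ERR_VERSION;

    size_t want = payload_len_for(buf[1]);
    if (want == SIZE_MAX)
        return MSG_ERR_TYPE;
    if (rd16(buf + 2) != want)          /* declared length must match the type, not the buffer */
        return MSG_ERR_LEN;
    if (len - MSG_HDR_LEN != want)      /* len >= MSG_HDR_LEN here, so no underflow */
        return (len - MSG_HDR_LEN < want) ? MSG_ERR_SHORT : MSG_ERR_TRAILING;

    out->type = buf[1];
    if (out->type == MSG_READ_REQ) {
        const uint8_t *p = buf + MSG_HDR_LEN;
        out->offset = rd32(p);
        out->count  = rd16(p + 4);
        if (out->count == 0 || out->count > MAX_READ)
            return MSG_ERR_RANGE;
        /* uint32 + uint16 cannot overflow a uint64, so the bound check itself is safe. */
        if ((uint64_t)out->offset + out->count > REGION_SIZE)
            return MSG_ERR_RANGE;
    }
    return MSG_OK;
}

int main(void)
{
    /* Constructed sample messages, not captured traffic. */
    const uint8_t good[] = {1, 2, 6, 0, 0x00, 0x10, 0x00, 0x00, 0x00, 0x01}; /* read 256 @ 0x1000 */
    const uint8_t bad[]  = {1, 2, 6, 0, 0xff, 0xff, 0xff, 0xff, 0x00, 0x01}; /* offset past region */
    struct msg m;
    printf("good -> status %d (offset %u, count %u)\n", msg_validate(good, sizeof good, &m), m.offset, m.count);
    printf("bad  -> status %d\n", msg_validate(bad, sizeof bad, &m));
    return 0;
}
```

The point of the shape is that every decision is made from a fixed header field checked against a table the trusted side owns, never from a length or offset the untrusted side supplied and the parser merely believed; a malformed message is rejected with a specific status before any field is used, which is also where a detection hook would log it.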

------
_wmd
This is a precursor to the original variant of Google's Native Client, which
also relied on 286-era segmentation registers that went away with amd64.

~~~
majke
Native Client is more of a browser plugin thing. VX32 is much more of a
reusable library for sandboxing.

I wish the NaCl API was as simple to use as vx32!

------
ori_b
Neat hack, but it depends on quirks of 32-bit x86. It won't work on any other
platform.

~~~
amluto
On some AMD 64-bit processors, this can sort of work. See section 4.12.2
("Data Limit Checks in 64-bit Mode") in the APM.

------
kjs3
Russ Cox is a co-author. Probably should read this paper.

