Skip to content

cali-library-isolation/Cali-library-isolation

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits
cali-linker
cali-linker
 
 
examples
examples
 
 
glibc-2.23
glibc-2.23
 
 
instrumentations
instrumentations
 
 
libipc
libipc
 
 
libnsjail
libnsjail
 
 
precompiled-libraries
precompiled-libraries
 
 
.gitignore
.gitignore
 
 
.gitmodules
.gitmodules
 
 
CMakeLists.txt
CMakeLists.txt
 
 
HOWTO.md
HOWTO.md
 
 
README.md
README.md
 
 
pack.sh
pack.sh
 
 
patch-libtool.sh
patch-libtool.sh
 
 

Repository files navigation

Cali - Compiler Assisted Library Isolation

Without further precautions, software libraries can freely access the program's entire address space, and also inherit its system-level privileges. This lack of separation regularly leads to security-critical incidents once libraries contain vulnerabilities or turn rogue. We present Cali, a compiler-assisted library isolation system that fully automatically shields a program from a given library. Cali is fully compatible with any mainline Linux kernel and does not require supervisor privileges to execute. We compartmentalize libraries into their own process and kernel namespace context with well-defined security policies. To preserve the functionality of the interactions between program and library, Cali uses a Program Dependency Graph to track data flow between the program and the library during link time.

Cali was presented in the AsiaCCS 2021 paper "Cali: Compiler Assisted Library Isolation" by Markus Bauer and Christian Rossow.

@inproceedings{Bauer2021Cali,
          author = {Markus Bauer and Christian Rossow},
         journal = {Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security (ASIA CCS '21)},
           title = {Cali: Compiler Assisted Library Isolation},
            year = {2021},
       booktitle = {Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security},
          series = {ASIA CCS '21},
       publisher = {Association for Computing Machinery},
             url = {https://publications.cispa.saarland/3382/},
             doi = {10.1145/3433210.3453111},
        keywords = {Library Isolation, Memory Isolation, Privilege Separation, Program Dependence Graph, Compiler, LLVM, Cali}
}

Build

  • Install Clang/LLVM 7, including lld
  • Install (Ubuntu 18.04): apt-get install -y systemtap-sdt-dev netsniff-ng libboost-filesystem1.65-dev libboost-system1.65-dev libnl-3-dev libnl-route-3-dev libnl-genl-3-dev libarchive-dev
  • mkdir build ; cd build
  • cmake -DCMAKE_BUILD_TYPE=Release ..
  • make -j4
  • To install, add build/cali-linker to your $PATH: ln -s $(pwd)/build/cali-linker/cali /usr/local/bin/ld.cali

Tested on Ubuntu 18.04. Other distributions might need adjustments.

How to use

  1. Configure your application build using LLVM/Clang 7 with LTO enabled, and verify that it compiles:
    • Typical settings: CC=clang, CXX=clang++, CFLAGS="-flto", CXXFLAGS="-flto", LDFLAGS="-flto"
    • Read the manual of your build system to set these parameters. For automake you can use export A=B before calling ./configure.
  2. Write a yaml policy that configures your protection. See cali-linker/sample_configs/config.all.yaml for possible options. The policy should specify all object files from your application, and possibly created static libraries. cali-linker/sample_configs contains examples.
  3. Add Cali to your build: LDFLAGS=-fuse-ld=cali --cali-config=your_policy.yaml
  4. Compile and test the final binary

License

Credits

  • Cali contains code from the GNU libc project (malloc implementation in libipc).
  • Cali contains a library version of Google's nsjail (in libnsjail).
  • Our graph library is closely related to boost::graph

About

No description, website, or topics provided.

Resources

Readme
Activity

Stars

16 stars

Watchers

3 watching

Forks

2 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages