MiSFIT: A Freely Available Tool for Building Safe Extensible Systems

The boundary between application and system is becoming increasingly permeable. Extensible database systems, operating systems, and applications, such as web browsers, are demonstrating the value of allowing end-users to extend and modify the behavior of what formerly was considered to be a static, inviolate system. Unfortunately, flexibility often comes with a cost: systems unprotected from misbehaved end-user extensions are fragile and prone to instability. There are three common methods for making enduser extensions safe: restrict the extension language, interpret the extension language, or add run-time checks to binary code that ensure the safety of an otherwise unsafe program. The third technique, software fault isolation, offers the twin benefits of the performance of compiled code and the flexibility to choose an unsafe language, such as C or C++. MiSFIT, a tool for software fault isolation of x86 code, transforms unsafe C or C++ into safe binary code. The performance overhead of using MiSFIT to protect against stray writes and arbitrary function calls is low, on the order of ten percent.