University of Minnesota
Program Analysis for Security

Software-based fault isolation (SFI)

Robert Wahbe, Steven Lucco, Thomas E. Anderson, and Susan L. Graham. “Efficient software-based fault isolation”. In Symposium on Operating Systems Principles (SOSP), pages 203–216, Asheville, NC, USA, December 1993.
[ACM]

Stephen McCamant and Greg Morrisett. “Evaluating SFI for a CISC architecture”. In USENIX Security Symposium, pages 209–224, Vancouver, BC, Canada, August 2006.
[USENIX]

Question: We say that a programming language, instruction set, etc. is Turing-complete if it has rich enough behavior to simulate the behavior of a general-purpose programming language, or equivalently a Turing machine. (When using this concept in an applied context, we generally neglect the difference between the infinite tape of a Turing machine and the finite memory of real machines.) The simulation doesn't need to be at all practical, so a programming language can be very unusual or restricted and still be Turing-complete. The Wikipedia page on Turing completeness is a good starting point if you aren't already familiar with the concept. Turing completeness can serve as a reality check for a programming model used in analysis: if a language is not Turing-complete, it may be much easier to analyze than a real language.

Is the subset of x86 instructions used in the formal proof, shown in Figure 8 of the PittSFIeld paper, Turing-complete? Explain why or why not.

Historic

Peter Deutsch and Charles A. Grant. “A flexible measurement tool for software systems”. In IFIP Congress (1), pages 320–326, Ljubljana, Yugoslavia, August 1971.
Not available online

The oldest published system I'm aware of that used binary transformation to confine untrusted code. This system was less general than modern SFI because the code didn't support indirect jumps, but it runs into many of the same issues otherwise. (As a point of trivia, I believe the first author Peter Deutsch is the same L Peter Deutsch who was the original author of the open-source PostScript-compatible engine Ghostscript).

I have a scanned version of this paper that's on the Moodle.