Without further precautions, software libraries can freely access the program's entire address space, and also inherit its system-level privileges. This lack of separation regularly leads to security-critical incidents once libraries contain vulnerabilities or turn rogue. We present Cali, a compiler-assisted library isolation system that fully automatically shields a program from a given library. Cali is fully compatible with any mainline Linux kernel and does not require supervisor privileges to execute. We compartmentalize libraries into their own process and kernel namespace context with well-defined security policies. To preserve the functionality of the interactions between program and library, Cali uses a Program Dependency Graph to track data flow between the program and the library during link time.
Cali was presented in the AsiaCCS 2021 paper "Cali: Compiler Assisted Library Isolation" by Markus Bauer and Christian Rossow.
@inproceedings{Bauer2021Cali,
author = {Markus Bauer and Christian Rossow},
journal = {Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security (ASIA CCS '21)},
title = {Cali: Compiler Assisted Library Isolation},
year = {2021},
booktitle = {Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security},
series = {ASIA CCS '21},
publisher = {Association for Computing Machinery},
url = {https://publications.cispa.saarland/3382/},
doi = {10.1145/3433210.3453111},
keywords = {Library Isolation, Memory Isolation, Privilege Separation, Program Dependence Graph, Compiler, LLVM, Cali}
}
- Install Clang/LLVM 7, including `lld`
- Install (Ubuntu 18.04): `apt-get install -y systemtap-sdt-dev netsniff-ng libboost-filesystem1.65-dev libboost-system1.65-dev libnl-3-dev libnl-route-3-dev libnl-genl-3-dev libarchive-dev`
- Build:
  ```
  mkdir build ; cd build
  cmake -DCMAKE_BUILD_TYPE=Release ..
  make -j4
  ```
- To install, add `build/cali-linker` to your `$PATH`: `ln -s $(pwd)/build/cali-linker/cali /usr/local/bin/ld.cali`
Tested on Ubuntu 18.04. Other distributions might need adjustments.
- Configure your application build using LLVM/Clang 7 with LTO enabled, and verify that it compiles:
  - Typical settings: `CC=clang`, `CXX=clang++`, `CFLAGS="-flto"`, `CXXFLAGS="-flto"`, `LDFLAGS="-flto"`
  - Read the manual of your build system to set these parameters. For automake you can use `export A=B` before calling `./configure`.
- Write a yaml policy that configures your protection. See cali-linker/sample_configs/config.all.yaml for possible options. The policy should specify all object files from your application, and possibly created static libraries. cali-linker/sample_configs contains examples.
- Add Cali to your build: `LDFLAGS=-fuse-ld=cali --cali-config=your_policy.yaml`
- Compile and test the final binary
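
A pre-flight check for the LTO step above, as an added example that is not part of the Cali project. It assumes that clang with `-flto` writes LLVM bitcode into `.o` files, and it flags objects that are still native ELF, which usually means the build system dropped the flags; the function names `obj_kind` and `check_lto_objects` are hypothetical.

```shell
#!/bin/sh
# Added example, not Cali code. Assumption: clang -flto emits LLVM bitcode
# object files, so a native ELF .o means the LTO flags were not applied.

# Print the kind of a file, judged by its first 8 bytes.
obj_kind() {
    magic=$(od -An -tx1 -N8 "$1" 2>/dev/null | tr -d ' \n')
    case "$magic" in
        4243c0de*) echo bitcode ;;   # raw bitcode magic: 'B' 'C' 0xC0 0xDE
        dec0170b*) echo bitcode ;;   # bitcode wrapper header 0x0B17C0DE
        7f454c46*) echo elf ;;       # native object code
        213c617263683e0a|213c7468696e3e0a)
                   echo archive ;;   # "!<arch>\n" or "!<thin>\n" static library
        *)         echo unknown ;;
    esac
}

# Report every .o under directory $1 that is not bitcode.
# Returns 0 if all objects are bitcode, 1 otherwise.
check_lto_objects() {
    bad=0
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        kind=$(obj_kind "$f")
        if [ "$kind" != bitcode ]; then
            echo "not LTO bitcode ($kind): $f"
            bad=1
        fi
    done <<EOF
$(find "$1" -type f -name '*.o')
EOF
    return "$bad"
}

# Stand-alone use: pass the build directory as the first argument.
if [ $# -gt 0 ]; then
    check_lto_objects "$1"
fi
```

Run it on the build tree after the plain LTO build and before switching the linker to Cali; any file it lists should be rebuilt with the LTO flags.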
- glibc-2.23, libipc and precompiled-libraries are licensed with GNU LGPL v2.1 (code from the GNU project and the Cali authors)
- libnsjail is licensed with Apache License 2.0 (code by Google, modified by the Cali authors)
- cali-linker is licensed with GNU GPL v3
- Cali contains code from the GNU libc project (malloc implementation in libipc).
- Cali contains a library version of Google's nsjail (in libnsjail).
- Our graph library is closely related to boost::graph