Vx32: portable, efficient, safe

execution of untrusted x86 code

Bryan Ford

Russ Cox



Computer Science and Artificial Intelligence Laboratory

Massachusetts Institute of Technology

About

Vx32 is a user-mode library that can be linked into arbitrary applications that wish to create secure, isolated execution environments in which to run untrusted extensions or plug-ins implemented as native x86 code. Vx32 is similar in purpose to the Java or .NET virtual machines, but it runs native x86 code, so plug-ins can be written in ANY language, not just Java or C#.

Vx32 runs on unmodified x86 FreeBSD, Linux, and Mac OS X systems without special permissions, privileges, or kernel modules. It also runs on x86-64 Linux systems. Ports to x86-64 FreeBSD and Mac OS X should not be difficult. A port to Windows XP should also be possible.

Documentation

The USENIX 2008 paper “Vx32: Lightweight, User-level Sandboxing on the x86” explains how vx32 works and gives performance results for running various programs under vx32. Some programs even execute faster under vx32 than they do natively!

There are no manual pages for libvx32 yet. To get started writing new vx32 applications, the best idea is to look at the sample programs vxrun and vxlinux in the vx32 distribution, below.

Applications

Vx32 has been used to build a variety of interesting applications.

The first was VXA, a future-proof archive format that embeds x86 decompressors into archives so that they can be extracted in the future without needing to worry about whether the tools of the future know that particular compression algorithm. VXA runs decompressors safely and efficiently, using vx32. VXA is described in detail in the FAST 2005 paper “VXA: A Virtual Architecture for Durable Compressed Archives.”

Another is Chris Lesniewski-Laas's Alpaca, a proof-carrying authorization scheme based on an interpreted proof language. In Alpaca, high-level concepts such as X.509 certificates and RSA encryption are implemented in the proof language rather than taken as primitives, so that an Alpaca deployment can gracefully adapt when the world switches to new authentication mechanisms. While number theory-based algorithms like RSA are very efficient to specify in a mathematical language, iterative round-based hash functions like SHA1 or MD5 are not. Instead, Alpaca allows the introduction of new computations, using vx32 to execute untrusted x86 implementations safely and efficiently.

To run the SPEC CPU2006 benchmarks on a variety of systems, we used vx32 to write a tiny little user-level operating system that runs statically linked x86 ELF binaries and implements enough of a POSIX-like system call interface to handle the variety of SPEC programs. This program, called vxrun, could be adapted to create a specialized execution environment that presented a portable interface no matter what the host operating system. It would be ideal for implementing secure distributed computations in a SETI @Home kind of setting. Vxrun is described briefly in the USENIX paper and is included in the libvx32 distribution below.

Inspired by writing a fake operating system, we decided to port a real one. Plan 9 VX (aka 9vx) is a port of the Plan 9 kernel to user-level mode on Linux, FreeBSD, and OS X. 9vx runs unmodified x86 Plan 9 binaries by invoking vx32 to simulate user-mode execution. It implements all the standard low-level operating system features—processes, shared memory, demand paging, preemptive scheduling—using standard OS interfaces like mmap, setitimer, and sigaction, with a healthy dose of vx32 to provide the user-mode execution that ties everything together.

Source Code

Latest version

This is the most recent version of libvx32. It also includes source code for vxrun and 9vx. If you just want to try 9vx, see the binary distribution here.

Vx32 is also available via Mercurial:

hg clone http://hg.pdos.csail.mit.edu/hg/vx32/

Changes to vx32 since version 0.10 are documented in the mercurial change history.

VXA and Alpaca are available as part of UIA, the Unmanaged Internet Architecture. They build against an older version of the vx32 library, also included in UIA. That version approximately matches vx32-0.01 below. They have not yet been converted to the new interface.

Older versions, for reference only:

vx32-0.02.tar.bz2 (used for USENIX 2008 paper)

vx32-0.01.tar.bz2 (used for FAST 2005 paper)

Cross compilers

Libvx32 is an x86 execution library. It doesn't require a particular binary format, but it does provide a simple interface for loading ELF binaries if you care to use ELF. VXA, Alpaca, and vxrun all expect ELF binaries. We have prepared a version of the gcc toolchain that generates ELF binaries compatible with vx32. On x86 ELF systems like Linux and FreeBSD, you can usually get by with the host compilers. On non-ELF systems like OS X, you will need to build the cross-compiler toolchain to generate ELF binaries.

To build the compilers:

cd binutils-2.18-vx32 ./configure --target=vx32 make make install cd gcc-4.1.2-vx32 ./configure --enable-languages=c --disable-libssp --target=vx32 make make install

Pre-built binaries are also available:

The binaries were compiled in the vx32-0.01 days. They should still work with newer vx32's, but we haven't tried them recently.

Licenses

Libvx32 itself is made available under the terms of the Lesser GNU Public License (LGPL). The sample programs and supporting C library are made available under a traditional MIT license. 9vx, because it is derived from Plan 9, is made available under the terms of the Lucent Public License 1.02. The source code archive contains more details.

Warning!

Vx32 is a stable research prototype, but it has not been through any formal security audits or any other verification. Such a review would be essential before trusting vx32 to handle malicious code in the wild. USE AT YOUR OWN RISK!

Contact Info

Feel free to contact Bryan Ford (baford (at) mit (dot) edu) and Russ Cox (rsc (at) swtch (dot) com) with questions, comments, and improvements.