This is the top-level repo for the paper "Isolation without Taxation: Near-Zero-Cost Transitions for WebAssembly and SFI", submitted to POPL 2022, in which we introduce zerocost transitions. This repo will download and build all tools used in the paper, such as the multiple builds of Firefox with sandboxed libraries, modified compilers, and the RLBox API.
lucet_sandbox_compiler - Lucet Wasm compiler (using the fork adapted for library sandboxing)
Sandboxing_NaCl - NaCl sandboxing compiler that defaults to heavy transitions written in asm
rlbox_lucet_sandbox - RLBox sandboxing API plugin with lucet that uses zerocost transitions
zerocost_heavy_trampoline - Standalone heavyweight transitions written in asm used by other repos
zerocost_testing_sandbox - RLBox sandboxing API plugin with lucet that uses heavy transitions written in asm
rlbox_lucetstock_sandbox - RLBox sandboxing API plugin with lucet's default heavyweight transitions written in Rust
rlbox_mpk_sandbox - RLBox sandboxing API plugin when sandboxing with an "ideal" sandbox and using heavyweight transitions written in asm
rlbox_segmentsfizerocost_sandbox - RLBox sandboxing API plugin when sandboxing with segmentzero sandboxing that uses zerocost transitions
rlbox_nacl_sandbox - RLBox sandboxing API plugin with Native Client and using heavyweight transitions written in asm
rlbox_sandboxing_api - RLBox sandboxing API
zerocost - libjpeg with different builds for lucet, nacl, segmentzero etc.
zerocost_testing_firefox - Firefox with different builds for lucet, nacl, segmentzero etc.
web_resource_crawler - A Firefox extension (needs Firefox 65+) that crawls the Alexa top 500 and collects information about the resources used on each web page.
rlbox_lucet_directcall_benchmarks - Microbenchmarks to compute the costs of direct calls vs indirect
zerocost_llvm - LLVM/Clang modified to support segmentzero
Requirements - This repo has been tested on Ubuntu 20 LTS. Additionally, the process sandbox build of Firefox assumes you are on a machine with at least 4 cores.
Note - Do not use an existing machine; our setup installs/modifies packages on the machine and has been well tested on a fresh Ubuntu install. Use a fresh VM or machine.
Estimated build time: Less than 24 hours
To build the repo, run
# Need make to run the scripts
sudo apt-get install make
# This installs required packages on the system.
# Only need to run once per system.
make bootstrap
# load the changes
source ~/.profile
# Download all sub-repos and build the world
make
For incremental builds after the first one, you can just use
make
After building the repo, you can reproduce the tests we perform in the RLBox paper as follows.
All benchmarks should be run in benchmark mode. Set up benchmark mode (pin CPU frequencies, disable hyper-threading, pin benchmarks to CPU) as follows.
make shielding_on
# The above will spawn a subshell in your current terminal
# Run the following command in this subshell
make benchmark_env_setup
See the Makefile for how to invoke specific benchmarks.
After the benchmark is complete, disable benchmark mode as follows:
- Close the terminal where you ran make shielding_on. You can do this with Ctrl + D.
- Run the following in a new terminal
make benchmark_env_closed