Retrofitting Security, Module by Module
Software developers make pervasive use of third-party modules to reduce costs and accelerate release cycles, at a risk to safety and security. I will introduce a series of techniques that exploit module boundaries to automate software compartmentalization and enforce security policies, enhancing safety and security. BreakApp transparently spawns modules in compartments while preserving their original behavior. Iris leverages language-based protection to offer finer-grained control and lower performance overheads. Finally, Mir uses a constrained read-write-execute protection model and static language-level analysis to fully automate compartmentalization.