Almost all SFI systems use heavyweight transitions that incur significant performance overhead from saving and restoring registers when context switching between application and sandbox code. We identify a set of zero-cost conditions that characterize when sandboxed code is well-structured enough that security can be guaranteed via lightweight zero-cost transitions. We show that using WebAssembly (Wasm) as an intermediate representation for low-level code naturally results in an SFI transition system with zero-cost transitions, and we modify the Lucet Wasm compiler and its runtime to use zero-cost transitions. Our modifications speed up font and image rendering in Firefox by up to 29.7% and 10% respectively. We also describe a new purpose-built fast SFI system, SegmentZero32, that uses x86 segmentation and LLVM with mostly off-the-shelf passes to enforce our zero-cost conditions. While this enforcement incurs some runtime cost within the sandboxed code, we find that, on Firefox image and font rendering benchmarks, the time saved per transition allows SegmentZero32 to outperform even an idealized hardware isolation system in which memory isolation incurs zero performance overhead but heavyweight transitions are still required.