Google Research

Adapting Software Fault Isolation to Contemporary CPU Architectures

  • David Sehr
  • Robert Muth
  • Cliff L. Biffle
  • Victor Khimenko
  • Egor Pasko
  • Bennet Yee
  • Karl Schimpf
  • Brad Chen
19th USENIX Security Symposium, USENIX (2010), pp. 1-11


Software Fault Isolation (SFI) is an effective approach to sandboxing binary code of questionable provenance, an interesting use case for native plugins in a Web browser. We present software fault isolation schemes for ARM and x86-64 that provide control-flow and memory integrity with average performance overhead of under 5% on ARM and 7% on x86-64. We believe these are the best known SFI implementations for these architectures, with significantly lower overhead than previous systems for similar architectures. Our experience suggests that these SFI implementations benefit from instruction-level parallelism, and have particularly small impact for workloads that are data memory-bound, both properties that tend to reduce the impact of our SFI systems for future CPU implementations.

Research Areas

Learn more about how we do research

We maintain a portfolio of research projects, providing individuals and teams the freedom to emphasize specific types of work