Principles and Implementation Techniques of Software-Based Fault Isolation (Foundations and Trends® in Privacy and Security)

Gang Tan

  • Publisher: Now Publishers Inc
  • Publication date: 2017-10-24
  • Price: $2,320
  • VIP price: 95% of list price, $2,204
  • Language: English
  • Pages: 78
  • Binding: Paperback
  • ISBN: 1680833448
  • ISBN-13: 9781680833447
  • Related category: Information Security
  • Overseas order (must be checked out separately)

Product description

When protecting a computer system, it is often necessary to isolate an untrusted component into a separate protection domain and provide only controlled interaction between the domain and the rest of the system. Software-based Fault Isolation (SFI) establishes a logical protection domain by inserting dynamic checks before memory and control-transfer instructions. Compared to other isolation mechanisms, it enjoys the benefits of high efficiency (with less than 5% performance overhead), being readily applicable to legacy native code, and not relying on special hardware or OS support. SFI has been successfully applied in many applications, including isolating OS kernel extensions, isolating plug-ins in browsers, and isolating native libraries in the Java Virtual Machine.

This monograph discusses the SFI policy, its main implementation and optimization techniques, as well as an SFI formalization on an idealized assembly language. It concludes with a brief discussion on future research directions and a look at other properties that provide strong integrity and confidentiality guarantees on software systems.