Security Lunch ⛄ Ed. — Wednesday, Mar 4th, 2026, 12:00 pm @ CoDa E160
Lightweight Fault Isolation: From Research to Production Sandboxing
Zachary Yedidia
Can't make it in person? Join us on Zoom. See our past & upcoming events on our website!
Abstract:
Software-based fault isolation (SFI) is a compiler-based technique for isolating untrusted code in-process, offering fast context switches and lightweight sandboxing without hardware privilege changes. Lightweight Fault Isolation (LFI) is a recent SFI system I have been developing, designed to sandbox existing C/C++ libraries with minimal overhead on x86-64 and AArch64. LFI is now moving from research into production. The LFI compiler is being upstreamed into LLVM 23 starting in the AArch64 backend, with x86-64 to follow. It is planned to be deployed in Android in the media stack. Academic colleagues at UT Austin in collaboration with Mozilla are using it to sandbox SpiderMonkey, Firefox's JavaScript engine. Looking ahead, new hardware features offer a path towards zero-overhead SFI: memory protection keys in the form of Intel MPK/Arm POE can provide memory isolation without any per-access instrumentation, and hardware CFI in the form of Intel CET can eliminate most control-flow overheads. In this talk, I'll describe my experience in the tech transfer process, how LFI has evolved to support concrete use-cases, and where I think the field of sandboxing is headed.
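To make concrete what "per-access instrumentation" means in the abstract above, here is an added illustrative example of the classic SFI idea: every memory access the untrusted code makes is forced into a fixed, power-of-two-sized region by masking the address before use, so a stray pointer lands inside the sandbox rather than in host memory. This is not LFI's code or design, and the region size and helper names are assumptions made up for this example; a real SFI compiler emits the equivalent of `sandbox_addr` around each load and store, which is exactly the cost that memory protection keys could remove.

```c
// Added illustrative example (not LFI's or any project's code): software fault
// isolation by address masking. Region size and helper names are assumptions.
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SANDBOX_SIZE ((size_t)1 << 16)   /* 64 KiB, must be a power of two */

static uint8_t *sandbox_base;            /* aligned to SANDBOX_SIZE */

/* Allocate a region whose base has zero low bits, so confining an address
 * is a single AND followed by an OR, with no branch and no trap. */
static int sandbox_init(void) {
    sandbox_base = aligned_alloc(SANDBOX_SIZE, SANDBOX_SIZE);
    if (sandbox_base == NULL) return -1;
    memset(sandbox_base, 0, SANDBOX_SIZE);
    return 0;
}

/* The per-access instrumentation an SFI compiler emits: clamp any guest
 * address into [base, base + size). A wrong pointer is redirected somewhere
 * inside the sandbox instead of reaching host memory. */
static inline uint8_t *sandbox_addr(uintptr_t guest_addr) {
    return (uint8_t *)((uintptr_t)sandbox_base | (guest_addr & (SANDBOX_SIZE - 1)));
}

static inline void sandbox_store8(uintptr_t guest_addr, uint8_t v) {
    *sandbox_addr(guest_addr) = v;
}

static inline uint8_t sandbox_load8(uintptr_t guest_addr) {
    return *sandbox_addr(guest_addr);
}

/* Simulate untrusted code doing one legitimate in-region write and one
 * stray write aimed at a host variable. Returns 1 if the host value survived,
 * the stray write was confined to the region, and the legit write is intact. */
int demo_confinement(void) {
    if (sandbox_init() != 0) return 0;
    uint8_t host_secret = 0x42;          /* host memory the sandbox must never touch */
    uintptr_t base = (uintptr_t)sandbox_base;

    /* Pick an in-region offset that differs from where the stray write will be
     * redirected, so the two writes cannot collide in this demonstration. */
    uintptr_t stray_off = (uintptr_t)&host_secret & (SANDBOX_SIZE - 1);
    uintptr_t legit_off = (stray_off + 1) & (SANDBOX_SIZE - 1);

    sandbox_store8(base + legit_off, 0xAA);          /* legitimate access */
    sandbox_store8((uintptr_t)&host_secret, 0xFF);   /* stray pointer into host memory */

    uint8_t *redirected = sandbox_addr((uintptr_t)&host_secret);
    int confined = redirected >= sandbox_base && redirected < sandbox_base + SANDBOX_SIZE;
    int ok = confined
          && host_secret == 0x42
          && sandbox_load8(base + legit_off) == 0xAA
          && *redirected == 0xFF;

    free(sandbox_base);
    sandbox_base = NULL;
    return ok;
}

int main(void) {
    printf("stray write confined to sandbox: %s\n", demo_confinement() ? "yes" : "no");
    return 0;
}
```

Masking gives confinement, not detection: the stray write silently corrupts some other location inside the sandbox, which is acceptable because everything in the region is already untrusted. The masking instructions on every load and store are the overhead the abstract refers to, and a hardware key scheme such as MPK would instead tag the whole region and let the processor enforce the boundary.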
Bio:
Zachary Yedidia is a 5th year PhD student advised by David Mazières.