Computer Systems & Security Group, USTC

SecFFI: The Foreign Function Interface Security Project

Overview:

Foreign function interfaces (FFIs) are ubiquitous in real-world programming languages and software systems, and are becoming indispensable components. For instance, Java provides the Java Native Interface (JNI) standard, Python provides the Python/C API, and Julia provides the ccall mechanism. FFIs bring several key advantages. First, they make it easy to develop multilingual software components that exploit the full expressiveness of each language; for instance, in the software stack for deep learning, computation-intensive components can be implemented more efficiently in C/C++ than in Python. Second, they make it possible to reuse existing software systems without reinventing the wheel. Finally, FFIs make software development more modular.

Although FFIs are very important in multilingual systems, they pose grand challenges to guaranteeing the safety and security of such systems. Because languages differ intrinsically in their memory model, data layout, calling convention, memory management, and locking strategy, it is very challenging to write reliable multilingual software. Taking Python as an example: Python has built-in garbage collection, whereas C does not, so an object allocated in C has to be reclaimed manually. Failure to do so may lead to memory leaks. Worse yet, such failures are tedious and error-prone to diagnose and rectify.
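
The leak described above, shown through Python's ctypes FFI as an added example (not code from the SecFFI project or its papers): a block obtained from C's malloc is invisible to Python's garbage collector unless its release is tied to a Python object's lifetime. It assumes a POSIX libc; c_alloc, c_free, outstanding, leaky_fill, NativeBuffer and safe_fill are hypothetical names, and outstanding is a demo-only tracker of unfreed blocks.

```python
import ctypes
import ctypes.util
import weakref

# Assumption: POSIX system. CDLL(None) falls back to the libc already loaded in the process.
libc = ctypes.CDLL(ctypes.util.find_library("c") or None)
libc.malloc.restype, libc.malloc.argtypes = ctypes.c_void_p, [ctypes.c_size_t]
libc.free.restype, libc.free.argtypes = None, [ctypes.c_void_p]
outstanding = set()  # demo-only leak tracker: addresses malloc'ed and not yet freed

def c_alloc(size):
    addr = libc.malloc(size)
    if not addr:
        raise MemoryError(f"malloc({size}) failed")
    outstanding.add(addr)
    return addr

def c_free(addr):
    if addr in outstanding:  # ignore unknown or already-freed addresses (no double free)
        outstanding.remove(addr)
        libc.free(addr)

def leaky_fill(size):
    """Leaky pattern: the address is a plain int, so Python's GC cannot reclaim the block."""
    addr = c_alloc(size)
    ctypes.memset(addr, 0x41, size)
    return ctypes.string_at(addr, size)  # returns a copy; the C block is never freed

class NativeBuffer:
    """Ties the C allocation to the lifetime of a Python object."""
    def __init__(self, size):
        self.addr = c_alloc(size)
        # The finalizer captures only the address, never self, so the object can die.
        self._finalizer = weakref.finalize(self, c_free, self.addr)

    def close(self):
        self._finalizer()  # weakref.finalize runs its callback at most once

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        self.close()

def safe_fill(size):
    with NativeBuffer(size) as buf:  # freed on exit, even if an exception is raised
        ctypes.memset(buf.addr, 0x41, size)
        return ctypes.string_at(buf.addr, size)
```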

The goal of the SecFFI project is to investigate the security of the foreign function interfaces. To be specific, this project aims to:

  • perform a thorough study of FFI vulnerabilities in the wild, and investigate the common bug patterns;
  • study effective techniques to fix FFI-related vulnerabilities automatically (APR);
  • develop practical software prototypes.

Publications:
  • Efficiency without Tears: Keeping Julia Safe with SAFEJ.
    Hao Zhu, Baojian Hua, Xinrong Lin, Yufei Wu, and Qiliang Fan.
    Submitted. 2022.

  • On the Security of Python Virtual Machines: An Empirical Study.
    Xinrong Lin, Baojian Hua, and Qiliang Fan.
    The 38th International Conference on Software Maintenance and Evolution (ICSME 2022). 2022.

  • PyGuard: Finding and Understanding Vulnerabilities in Python Virtual Machines.
    Chengman Jiang, Baojian Hua, Wanrong Ouyang, Qiliang Fan, and Zhizhong Pan.
    The 32nd International Symposium on Software Reliability Engineering (ISSRE 2021). 2021.

  • RusBox: Towards Efficient and Adaptive Sandboxing for Rust.
    Wanrong Ouyang, and Baojian Hua.
    The 32nd International Symposium on Software Reliability Engineering, Fast Abstract. (ISSRE 2021). 2021.

  • An Empirical Security Study of the Native Code in Python Virtual Machines.
    Chengman Jiang, Baojian Hua, et al.
    Journal of Computer Science. 2021.

Members:
  • Qiliang Fan
  • Baojian Hua
  • Chengman Jiang
  • Xinrong Lin
  • Zhizhong Pan
  • Hao Zhu