Policies

We develop policies and invariants that apply broadly to systems. We use our policies to embrace known security principles, such as the Principle of Least Privilege, Separation of Privilege, and Complete Mediation, and to develop ways of enforcing them systematically throughout our designs. These policies can take whole classes of bugs or vulnerabilities off the table. This is in stark contrast to patches that fix individual instances of a bug.

Why is it even possible to overflow buffers, forge pointers, and overwrite data on the stack (including return addresses) in today's conventional systems?

Conventional systems do not enforce the abstractions that programmers typically assume (such as memory safety and stack discipline) all the way down to the hardware instruction level. Enforcement would be expensive on top of legacy hardware designs, and the hardware is not given enough information to provide it. As a result, there is often a mismatch between the abstractions presented to the program (e.g. stacks, memory safety) and those actually supported and enforced by the hardware and runtime. Our policies allow us to define and enforce these abstractions and other useful security invariants such as memory safety, control-flow integrity, stack safety and integrity, information hiding, information flow, and interface abstractions; the policies work synergistically with our mechanisms to carry forward the necessary information and make enforcement inexpensive without disrupting conventional, instruction-level implementations.
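The mismatch described above can be made concrete with a toy model. The following is an added illustration, not the group's own code or mechanism: it assumes a machine in which every memory word and every pointer carries a tag, a rule function is consulted on every store (complete mediation), and a CALL instruction is the only operation allowed to write a word tagged as a return address. Two policies are encoded from those tags alone, a memory-safety rule (a pointer may only touch the region it was created for) and a stack-integrity rule (return-address slots are never writable by ordinary stores). The same instruction stream, an unchecked copy into a fixed-size stack buffer, is run with enforcement off to model a conventional machine, and with enforcement on to show the policy stopping the write at the exact instruction that crosses the boundary. The memory layout (buffer at addresses 0..3, return address at 4) is constructed for the example.

```python
"""Toy tagged-memory machine illustrating policy enforcement.

Added example, not the group's own code. Assumed mechanism: tags travel with
both memory words and pointer values, and a policy rule mediates every store.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


class PolicyViolation(Exception):
    """Raised by the policy when an instruction would break an invariant."""


@dataclass(frozen=True)
class Ptr:
    addr: int
    region: str  # tag that travels with the pointer value


@dataclass
class Machine:
    size: int = 8
    enforce: bool = True  # False models a conventional, unchecked machine
    mem: List[int] = field(default_factory=list)
    tags: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        self.mem = [0] * self.size
        self.tags = ["free"] * self.size

    def alloc(self, region: str, base: int, n: int) -> Ptr:
        """Reserve n words at base for `region`; return a pointer tagged with it."""
        for a in range(base, base + n):
            self.tags[a] = region
        return Ptr(base, region)

    def call(self, slot: int, return_addr: int) -> None:
        """CALL is the one privileged writer of return-address slots."""
        self.mem[slot] = return_addr
        self.tags[slot] = "retaddr"

    def store(self, p: Ptr, offset: int, value: int) -> None:
        """Ordinary store; mediated by the policy when enforcement is on."""
        a = p.addr + offset
        if self.enforce:
            self.check_store(p, a)
        self.mem[a] = value

    def check_store(self, p: Ptr, a: int) -> None:
        """The policy rule: decide per instruction, using only the tags."""
        target = self.tags[a]
        if target == "retaddr":
            raise PolicyViolation(f"stack integrity: store to return-address slot {a}")
        if target != p.region:
            raise PolicyViolation(
                f"memory safety: '{p.region}' pointer reached '{target}' at {a}")


def copy_into_buffer(enforce: bool, n_words: int) -> Tuple[bool, Optional[str]]:
    """Model an unchecked copy of n_words into a 4-word stack buffer at
    addresses 0..3, with the frame's return address at address 4 (constructed
    layout). Returns (return address corrupted?, policy message or None)."""
    m = Machine(enforce=enforce)
    m.call(slot=4, return_addr=0x40)  # frame set up by CALL
    buf = m.alloc("buf", base=0, n=4)
    try:
        for i in range(n_words):  # no bounds check, as in the classic bug
            m.store(buf, i, 0x41)
    except PolicyViolation as e:
        return m.mem[4] != 0x40, str(e)
    return m.mem[4] != 0x40, None


if __name__ == "__main__":
    print(copy_into_buffer(enforce=False, n_words=6))  # (True, None)
    print(copy_into_buffer(enforce=True, n_words=6))   # (False, 'stack integrity: ...')
    print(copy_into_buffer(enforce=True, n_words=4))   # (False, None)
```

The point of the model is where the decision is made: the unchecked machine has no idea that address 4 is special, so the copy silently replaces the return address, while the tagged machine refuses the fifth store without any change to the program's instruction stream. The buffer-size information that a conventional machine discards is exactly what the tags carry forward.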