Coursera Flash Sale
40% Off Coursera Plus for 3 Months!
Grab it
Learn about a novel software-based sandboxing system through this 17-minute conference talk from OSDI '25 that presents Deterministic Client (DeCl), a groundbreaking approach to enforcing deterministic behavior on untrusted machine code for both x86-64 and Arm64 architectures. Discover how researchers from Stanford University and Stellar Development Foundation have adapted Software Fault Isolation (SFI) techniques, traditionally used for memory isolation, to enforce the stronger property of determinism instead. Explore the implementation of a simple yet efficient machine code verifier that guarantees deterministic program behavior without relying on trusted compilers or interpreters, enabling the use of LLVM while maintaining a small trusted code base. Examine two efficient metering mechanisms designed for deterministic preemption of sandboxed programs and understand how DeCl can be combined with traditional software-based isolation by making sandboxed code position-oblivious. Analyze the system's ability to merge and enhance benefits from both interpreters and JIT compilers, achieving low CPU overhead, fast startup times, and strong security through a minimal trusted code base. Review comprehensive evaluations conducted on general-purpose CPU benchmarks and real-world applications, including integration with the Groundhog smart contract engine and zero-knowledge-proof verification systems.
