ERIM: Secure, Efficient In-process Isolation with Memory Protection Keys (MPK)
Anjo Vahldiek-Oberwagner, Eslam Elnikety, Nuno O. Duarte, Michael Sammler, Peter Druschel, Deepak Garg

TL;DR
ERIM introduces a hardware-enforced isolation technique on x86 CPUs using memory protection keys, enabling low-overhead, high-frequency domain switching for secure applications without requiring kernel modifications.
Contribution
The paper presents ERIM, a novel approach combining x86 protection keys with binary inspection to achieve efficient, secure in-process isolation at high switching rates.
Findings
Overhead is less than 1% at 100,000 switches per second
Applicable to existing applications without compiler changes
Operates on stock Linux kernels with minimal effort
Abstract
Isolating sensitive state and data can increase the security and robustness of many applications. Examples include protecting cryptographic keys against exploits like OpenSSL's Heartbleed bug or protecting a language runtime from native libraries written in unsafe languages. When runtime references across isolation boundaries occur relatively infrequently, then conventional page-based hardware isolation can be used, because the cost of kernel- or hypervisor-mediated domain switching is tolerable. However, some applications, such as the isolation of cryptographic session keys in network-facing services, require very frequent domain switching. In such applications, the overhead of kernel- or hypervisor-mediated domain switching is prohibitive. In this paper, we present ERIM, a novel technique that provides hardware-enforced isolation with low overhead on x86 CPUs, even at high switching…
Taxonomy
Topics: Security and Verification in Computing · Advanced Malware Detection Techniques · Diamond and Carbon-based Materials Research
