Garmr: Defending the gates of PKU-based sandboxing
Alexios Voulimeneas, Jonas Vinck, Ruben Mechelinck, Stijn Volckaert

TL;DR
Garmr is a PKU-based sandboxing framework that closes the bypass routes left open by existing self-contained PKU isolation schemes; the authors demonstrate those routes with proof-of-concept attacks and evaluate Garmr's security and runtime cost.
Contribution
This paper introduces Garmr, a PKU-based sandboxing framework that addresses the limitations of prior schemes, improving both their security (against attacks that bypass PKU access permissions) and their practicality.
Findings
Garmr successfully defends against proof-of-concept attacks.
Garmr is practical and efficient in real-world scenarios.
Existing PKU-based schemes have vulnerabilities that Garmr addresses.
Abstract
Memory Protection Keys for Userspace (PKU) is a recent hardware feature that allows programs to assign virtual memory pages to protection domains, and to change domain access permissions using inexpensive, unprivileged instructions. Several in-process memory isolation approaches leverage this feature to prevent untrusted code from accessing sensitive program state and data. Typically, PKU-based isolation schemes need to be used in conjunction with mitigations such as CFI because untrusted code, when compromised, can otherwise bypass the PKU access permissions using unprivileged instructions or operating system APIs. Recently, researchers proposed fully self-contained PKU-based memory isolation schemes that do not rely on other mitigations. These systems use exploit-proof call gates to transfer control between trusted and untrusted code, as well as a sandbox that prevents tampering with…
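The abstract names the two ways compromised untrusted code defeats a bare PKU scheme: the permission-changing instruction is unprivileged, and the kernel's memory-management APIs are still reachable. The program below is an added example, not code from the Garmr paper or its authors. It assumes Linux on x86-64 with glibc's pkey_alloc/pkey_mprotect/pkey_set wrappers (glibc 2.27 or later); the PKRU bit-layout helpers and the "secret" string are constructed for the example. It places a secret on a page owned by a fresh protection key, revokes access the way a trusted domain would before handing control to untrusted code, and then shows both bypasses succeeding from the untrusted side: a raw WRPKRU that re-enables the key, and a pkey_mprotect call that moves the page back to the default key 0.

```c
/* Added example (not from the Garmr paper): why PKU alone does not confine
 * untrusted code. Requires Linux/x86-64 with PKU-capable CPU and kernel;
 * on anything else pku_demo() reports "unavailable" and only the pure
 * PKRU-encoding helpers are exercised. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* PKRU holds two bits per key: bit 2k = Access Disable, bit 2k+1 = Write Disable. */
enum { PKU_AD = 1u, PKU_WD = 2u };

/* PKRU value that applies `rights` to `key` and leaves every other key enabled. */
uint32_t pkru_for_key(int key, unsigned rights) {
    return (rights & 3u) << (2 * key);
}

/* Decode a PKRU value: reads are blocked by AD, writes by AD or WD. */
int pkru_allows_read(uint32_t pkru, int key)  { return !((pkru >> (2 * key)) & PKU_AD); }
int pkru_allows_write(uint32_t pkru, int key) { return !((pkru >> (2 * key)) & (PKU_AD | PKU_WD)); }

#if defined(__x86_64__)
/* RDPKRU / WRPKRU are ring-3 instructions: any code in the process may run them. */
static inline uint32_t rdpkru(void) {
    uint32_t eax, edx;
    __asm__ volatile(".byte 0x0f,0x01,0xee" : "=a"(eax), "=d"(edx) : "c"(0));
    return eax;
}
static inline void wrpkru(uint32_t pkru) {
    __asm__ volatile(".byte 0x0f,0x01,0xef" : : "a"(pkru), "c"(0), "d"(0) : "memory");
}
#endif

#define SECRET "constructed sample secret, not a real key"

/* Returns 0 if both bypasses read the protected secret, 1 if PKU is unavailable,
 * 2 if a bypass unexpectedly failed, -errno on setup failure. */
int pku_demo(void) {
#if defined(__x86_64__) && defined(__linux__) && defined(PKEY_DISABLE_ACCESS)
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    char *secret = mmap(NULL, pg, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (secret == MAP_FAILED) return -errno;
    int key = pkey_alloc(0, 0);               /* fails (ENOSPC/ENOSYS) without PKU */
    if (key < 0) { munmap(secret, pg); return 1; }
    if (pkey_mprotect(secret, pg, PROT_READ | PROT_WRITE, key) != 0) {
        int e = errno; pkey_free(key); munmap(secret, pg); return -e;
    }
    memcpy(secret, SECRET, sizeof SECRET);    /* trusted domain populates the page */

    /* Trusted code leaves the domain: revoke all access to `key`. From here any
     * load or store through `secret` faults with SIGSEGV (si_code SEGV_PKUERR). */
    pkey_set(key, PKEY_DISABLE_ACCESS);

    /* ---- untrusted code runs from this point ---- */

    /* Bypass 1: the unprivileged instruction. Clear the key's AD/WD bits with a
     * raw WRPKRU; no syscall and no library is involved. */
    wrpkru(rdpkru() & ~pkru_for_key(key, PKU_AD | PKU_WD));
    int read_after_wrpkru = memcmp(secret, SECRET, sizeof SECRET) == 0;

    pkey_set(key, PKEY_DISABLE_ACCESS);       /* trusted code re-arms the domain */

    /* Bypass 2: the OS API. Move the page to key 0, the default key that every
     * ordinary page already uses, so the PKRU bits for `key` no longer matter. */
    int read_after_remap = 0;
    if (pkey_mprotect(secret, pg, PROT_READ | PROT_WRITE, 0) == 0)
        read_after_remap = memcmp(secret, SECRET, sizeof SECRET) == 0;

    pkey_set(key, 0);
    pkey_free(key);
    munmap(secret, pg);
    return (read_after_wrpkru && read_after_remap) ? 0 : 2;
#else
    return 1;
#endif
}

int main(void) {
    int r = pku_demo();
    if (r == 0)      puts("both bypasses read the secret: PKU alone does not confine untrusted code");
    else if (r == 1) puts("PKU unavailable on this CPU/kernel; only the PKRU encoding helpers ran");
    else             printf("unexpected result %d\n", r);
    return 0;
}
```

This is exactly the gap a self-contained scheme has to close: it must keep untrusted code from ever executing a WRPKRU of its own (the "exploit-proof call gates" in the abstract) and must intercept or filter the mprotect/pkey_mprotect family so pages cannot be re-keyed from inside the sandbox. Pairing PKU with CFI is the conventional alternative because it removes the attacker's ability to reach either primitive with controlled operands.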
Taxonomy
Topics: Security and Verification in Computing · Advanced Malware Detection Techniques · Digital and Cyber Forensics
