Domain Page-Table Isolation
Claudio Canella, Andreas Kogler, Lukas Giner, Daniel Gruss, Michael Schwarz

TL;DR
This paper introduces Domain Page-Table Isolation (DPTI), a hardware-based security mechanism for commodity CPUs that enhances domain isolation through dynamic memory management techniques, improving security and performance in various scenarios.
Contribution
DPTI provides a novel, hardware-enforced, dynamic memory isolation method using memory freezing and stashing, applicable on standard CPUs without special hardware extensions.
Findings
DPTI enables faster syscall filtering with memory freezing and stashing.
DPTI improves enclave confinement performance by 14.6%-22%.
DPTI offers security guarantees comparable to hardware-based solutions.
Abstract
Modern applications often consist of different security domains that require isolation from each other. While several solutions exist, most of them rely on specialized hardware, hardware extensions, or require less-efficient software instrumentation of the application. In this paper, we propose Domain Page-Table Isolation (DPTI), a novel mechanism for hardware-enforced security domains that can be readily used on commodity off-the-shelf CPUs. DPTI uses two novel techniques for dynamic, time-limited changes to the memory isolation at security-critical points, called memory freezing and stashing. We demonstrate the versatility and efficacy of DPTI in two scenarios: First, DPTI freezes or stashes memory to support faster and more fine-grained syscall filtering than state-of-the-art seccomp-bpf. With the provided memory safety guarantees, DPTI can even securely support deep argument…
Taxonomy
Topics: Security and Verification in Computing · Advanced Malware Detection Techniques · Cloud Data Security Solutions
