Capacity: Cryptographically-Enforced In-Process Capabilities for Modern ARM Architectures (Extended Version)

TL;DR

Capacity introduces a hardware-assisted, capability-based in-process access control scheme for ARM architectures, leveraging features like Pointer Authentication and Memory Tagging Extension to enhance security with minimal performance overhead.

Contribution

The paper presents Capacity, a novel approach that retrofits ARM hardware features to implement cryptographically-enforced in-process capabilities, filling a gap left by x86-specific features.

Findings

Capacity achieves low overhead (~17%) in web server benchmarks.

It effectively isolates sensitive resources within in-process domains.

The scheme enhances security by cryptographically authenticating references.

Abstract

In-process compartmentalization and access control have been actively explored to provide in-place and efficient isolation of in-process security domains. Many works have proposed compartmentalization schemes that leverage hardware features, most notably using the new page-based memory isolation feature called Protection Keys for Userspace (PKU) on x86. Unfortunately, the modern ARM architecture does not have an equivalent feature. Instead, newer ARM architectures introduced Pointer Authentication (PA) and Memory Tagging Extension (MTE), adapting the reference validation model for memory safety and runtime exploit mitigation. We argue that those features have been underexplored in the context of compartmentalization and that they can be retrofitted to implement a capability-based in-process access control scheme. This paper presents Capacity, a novel hardware-assisted intra-process access control design that embraces capability-based security principles. Capacity coherently incorporates the new hardware security features on ARM that already exhibit inherent characteristics of capability. It supports the life-cycle protection of the domain's sensitive objects -- starting from their import from the file system to their place in memory. With intra-process domains authenticated with unique PA keys, Capacity transforms file descriptors and memory pointers into cryptographically-authenticated references and completely mediates reference usage with its program instrumentation framework and an efficient system call monitor. We evaluate our Capacity-enabled NGINX web server prototype and other common applications in which sensitive resources are isolated into different domains. Our evaluation shows that Capacity incurs a low-performance overhead of approximately 17% for the single-threaded and 13.54% for the multi-threaded webserver.