DASICS White Paper: Enhancing Memory Protection with Dynamic Compartmentalization

TL;DR

This paper introduces DASICS, a hardware-software co-designed secure processor that provides dynamic, flexible memory protection across privilege levels, addressing security vulnerabilities while maintaining efficiency.

Contribution

DASICS offers a novel hardware-based dynamic compartmentalization approach that improves security granularity and performance over traditional software methods.

Findings

Hardware FPGA prototypes demonstrate DASICS effectiveness.

Software QEMU simulation confirms adaptability.

Protective mechanisms successfully mitigate memory vulnerabilities.

Abstract

In the existing software development ecosystem, security issues introduced by third-party code cannot be overlooked. Among these security concerns, memory access vulnerabilities stand out prominently, leading to risks such as the theft or tampering of sensitive data. To address this issue, software-based defense mechanisms have been established at the programming language, compiler, and operating system levels. However, as a trade-off, these mechanisms significantly reduce software execution efficiency. Hardware-software co-design approaches have sought to either construct entirely isolated trusted execution environments or attempt to partition security domains within the same address space. While such approaches enhance efficiency compared to pure software methods, they also encounter challenges related to granularity of protection, performance overhead, and portability. In response to these challenges, we present the DASICS (Dynamic in-Address-Space Isolation by Code Segments) secure processor design, which offers dynamic and flexible security protection across multiple privilege levels, addressing data flow protection, control flow protection, and secure system calls. We have implemented hardware FPGA prototypes and software QEMU simulator prototypes based on DASICS, along with necessary modifications to system software for adaptability. We illustrate the protective mechanisms and effectiveness of DASICS with two practical examples and provide potential real-world use cases where DASICS could be applied.