TME-Box: Scalable In-Process Isolation through Intel TME-MK Memory Encryption

TL;DR

TME-Box introduces a scalable, lightweight in-process isolation technique for cloud workloads on commodity x86 CPUs, leveraging Intel TME-MK encryption to enhance security without significant performance penalties.

Contribution

It repurposes Intel TME-MK for in-process sandboxing, enabling fine-grained, scalable memory isolation with minimal overhead on standard x86 hardware.

Findings

Supports up to 32K concurrent sandboxes.

Achieves around 5-10% performance overhead on SPEC CPU2017.

Provides cryptographic memory isolation with flexible data relocation.

Abstract

Efficient cloud computing relies on in-process isolation to optimize performance by running workloads within a single process. Without heavy-weight process isolation, memory safety errors pose a significant security threat by allowing an adversary to extract or corrupt the private data of other co-located tenants. Existing in-process isolation mechanisms are not suitable for modern cloud requirements, e.g., MPK's 16 protection domains are insufficient to isolate thousands of cloud workers per process. Consequently, cloud service providers have a strong need for lightweight in-process isolation on commodity x86 machines. This paper presents TME-Box, a novel isolation technique that enables fine-grained and scalable sandboxing on commodity x86 CPUs. By repurposing Intel TME-MK, which is intended for the encryption of virtual machines, TME-Box offers lightweight and efficient in-process isolation. TME-Box enforces that sandboxes use their designated encryption keys for memory interactions through compiler instrumentation. This cryptographic isolation enables fine-grained access control, from single cache lines to full pages, and supports flexible data relocation. In addition, the design of TME-Box allows the efficient isolation of up to 32K concurrent sandboxes. We present a performance-optimized TME-Box prototype, utilizing x86 segment-based addressing, that showcases geomean performance overheads of 5.2 % for data isolation and 9.7 % for code and data isolation, evaluated with the SPEC CPU2017 benchmark suite.