Pomegranate: A Lightweight Compartmentalization Architecture using Virtualization Extensions
Shriram Raja, Zhiyuan Ruan, Richard West

TL;DR
Pomegranate is a virtualization-based framework that securely compartmentalizes existing systems with minimal source changes, enforces access policies through Extended Page Tables, and shows negligible overhead for MTU-sized packets in Linux network-stack experiments when compartment boundaries are well-chosen.
Contribution
It introduces a hardware-assisted virtualization approach for system compartmentalization that requires minimal source code changes and enforces policies efficiently.
Findings
Negligible overhead at MTU-sized packets when compartment boundaries are well-chosen.
Effective enforcement of access-control policies using Extended Page Tables.
Successful demonstration on a Linux network stack with minimal performance impact.
Abstract
The monolithic nature of widely used commodity operating systems means that vulnerabilities in one software component potentially compromise the entire kernel. Formally verifying these systems, or redesigning them altogether as microkernels, according to the principle of least privilege, requires significant effort. Researchers have therefore considered compartmentalization techniques that minimize or totally avoid changes to existing systems. However, current approaches use techniques such as Memory Protection Keys (MPKs), necessitating extensive code analysis to ensure security, or use virtualization by instrumenting the kernel with calls to the glue code that switches compartments. In this work, we present Pomegranate, a framework that uses hardware-assisted virtualization to securely compartmentalize an existing system with minimal to no modifications to its source code. Allowed…
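As an added illustration of the mechanism the findings refer to (this is not code from the Pomegranate paper or its authors), the C model below shows how per-compartment EPT views enforce an access policy. Each compartment gets its own second-level page-table view; an access whose permission bits are not all granted in the active view would cause an EPT-violation VM exit on real hardware, which the model represents as a return code. The eight-page guest-physical layout, the permissions in each view, and the overrun trace are all assumed for the example; the "core" view doubles as the single view a monolithic kernel would run under, so replaying the same buggy trace under both views shows what compartmentalization changes.

```c
/* Added illustrative model of EPT-based compartment enforcement.
 * NOT Pomegranate's code: page layout, permissions and the trace are assumed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SHIFT 12
#define NPAGES     8                          /* toy guest-physical space (assumed) */
#define NVIEWS     2                          /* one EPT view per compartment */
#define GPA(pg)    ((uint64_t)(pg) << PAGE_SHIFT)

enum { EPT_R = 1, EPT_W = 2, EPT_X = 4 };     /* EPT entry permission bits */
enum { VIEW_CORE = 0, VIEW_NET = 1 };         /* compartment id = EPT root index */
enum { PG_NET_TEXT, PG_NET_DATA, PG_SHARED_BUF, PG_CORE_DATA,
       PG_CORE_TEXT, PG_TRAMPOLINE, PG_UNUSED_A, PG_UNUSED_B };

#define EPT_OK         0
#define EPT_VIOLATION (-1)                    /* on hardware: EPT-violation VM exit */

static uint8_t views[NVIEWS][NPAGES];         /* per-view permission mask; 0 = unmapped */
static int     views_built;

/* Install the assumed policy. The core view maps the whole kernel (it stands in for
 * the single view of a monolithic kernel); the network view maps only its own
 * code/data, the shared packet buffer and the switch trampoline. Core code and
 * data are not present in the network view at all. */
static void ept_build_views(void) {
    memset(views, 0, sizeof views);
    views[VIEW_CORE][PG_CORE_TEXT]  = EPT_R | EPT_X;
    views[VIEW_CORE][PG_CORE_DATA]  = EPT_R | EPT_W;
    views[VIEW_CORE][PG_NET_TEXT]   = EPT_R | EPT_X;
    views[VIEW_CORE][PG_NET_DATA]   = EPT_R | EPT_W;
    views[VIEW_CORE][PG_SHARED_BUF] = EPT_R | EPT_W;
    views[VIEW_CORE][PG_TRAMPOLINE] = EPT_R | EPT_X;

    views[VIEW_NET][PG_NET_TEXT]    = EPT_R | EPT_X;
    views[VIEW_NET][PG_NET_DATA]    = EPT_R | EPT_W;   /* W^X: data is never executable */
    views[VIEW_NET][PG_SHARED_BUF]  = EPT_R | EPT_W;   /* packets cross the boundary here */
    views[VIEW_NET][PG_TRAMPOLINE]  = EPT_R | EPT_X;   /* only exit path to the core view */
    views_built = 1;
}

/* Emulate the second-level translation check for one access:
 * allowed only if every requested permission bit is set in the active view. */
static int ept_check(int view, uint64_t gpa, int access) {
    if (!views_built) ept_build_views();
    uint64_t pg = gpa >> PAGE_SHIFT;
    if (view < 0 || view >= NVIEWS || pg >= NPAGES) return EPT_VIOLATION;
    return ((views[view][pg] & access) == access) ? EPT_OK : EPT_VIOLATION;
}

typedef struct { uint64_t gpa; int access; } mem_access_t;

/* Replay a trace under one view; return the index of the first access that
 * would trap to the hypervisor, or -1 if the trace runs to completion. */
static int ept_run_trace(int view, const mem_access_t *trace, int n) {
    for (int i = 0; i < n; i++)
        if (ept_check(view, trace[i].gpa, trace[i].access) != EPT_OK) return i;
    return -1;
}

/* Constructed trace: the network stack copies a packet into the shared buffer and
 * an assumed length bug writes past its end, i.e. into PG_CORE_DATA. */
static const mem_access_t overrun_trace[] = {
    { GPA(PG_NET_TEXT)   + 0x010,  EPT_X },
    { GPA(PG_NET_DATA)   + 0x040,  EPT_R },
    { GPA(PG_SHARED_BUF) + 0xff8,  EPT_W },   /* last 8 bytes of the buffer: fine */
    { GPA(PG_SHARED_BUF) + 0x1000, EPT_W },   /* first byte of PG_CORE_DATA: overrun */
};
#define OVERRUN_LEN (int)(sizeof overrun_trace / sizeof overrun_trace[0])

/* Index of the trace step that faults when the network code runs in `view`. */
static int overrun_first_fault(int view) {
    return ept_run_trace(view, overrun_trace, OVERRUN_LEN);
}

int main(void) {
    printf("monolithic (core view):       first fault at step %d\n",
           overrun_first_fault(VIEW_CORE));            /* -1: corruption goes unnoticed */
    printf("compartmentalized (net view): first fault at step %d\n",
           overrun_first_fault(VIEW_NET));             /*  3: trapped at the boundary */
    printf("net view executing its own data: %s\n",
           ept_check(VIEW_NET, GPA(PG_NET_DATA), EPT_X) == EPT_OK ? "allowed" : "EPT violation");
    return 0;
}
```

The point the replay makes is the one the abstract motivates: the same out-of-bounds write that silently corrupts kernel state under a single address-space view is stopped at the first access outside the network compartment's view, without any change to the network code itself. Only the view contents (the policy) and the switch path are the hypervisor's concern, which is why the boundary choice drives the overhead the findings mention: every crossing of it costs a view switch.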
