Memory Protection Keys

References:

Overview:

Up to 16 protection domains, with a 4-bit tag on each page:

  • Four (previously unused) bits in each page-table entry can be used to assign one of sixteen “key” values to any given page.
  • A new 32-bit processor register with two bits for each key value.
    • Setting the “write disable” bit for a given key blocks all attempts to write a page carrying that key value;
    • Setting the “access disable” bit blocks reads;
  • The MPK feature thus allows a process to partition its memory into a maximum of sixteen regions and to selectively disable or enable access to any of those regions.
  • Note: the tags are attached to virtual pages (they live in the page-table entries), not to physical memory.

APIs to use the hardware feature:

  • mprotect() with four new flags:
    • PROT_PKEY0 through PROT_PKEY3

Benefits:

  • Without MPK, changing the protections on a region of memory can require individually changing the page-table entries for thousands (or more) of pages.
  • With MPK, once the protection keys are set, a region of memory can be enabled or disabled with a single register write. For any application that frequently changes the protections on regions of its address space, the performance improvement will be large.
    • Usage scenario 1: handling sensitive cryptographic data.
    • A network-facing daemon could use a cryptographic key to encrypt data to be sent over the wire, then disable access to the memory holding the key (and the plain-text data) before writing the data out. At that point, there is no way that the daemon can leak the key or the plain text over the wire;
    • Protecting sensitive data in this way might also make applications a bit more resistant to attack.
    • Usage scenario 2: protect regions of data from being corrupted by “stray” write operations.
    • An in-memory database could prevent writes to the actual data most of the time, enabling them only briefly when an actual change needs to be made.
    • In this way, database corruption due to bugs could be fended off, at least some of the time.
    • Being able to turn off unexpected writes (quickly, and at large scale) could be especially useful when the underlying memory is a persistent memory device;
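The mechanism from the Overview (a 4-bit key per page plus a 32-bit register with two bits per key) and the write-window pattern of usage scenario 2, as an added C example that is not code from the page. The first part models the PKRU bit layout and the check the MMU makes, with a constructed toy page table; the second part, compiled only where glibc (2.27 or later) exposes it, uses the Linux interface that was eventually merged, which differs from the PROT_PKEYn mprotect() flags listed above: pkey_alloc(2), pkey_mprotect(2), pkey_set(3) and pkey_free(2). The toy_*/demo_* names, TOY_PAGES and the "record-1" data are assumptions of this example; on a machine without protection keys the demo returns -1 instead of running.

```c
#define _GNU_SOURCE            /* exposes the pkey_* functions in <sys/mman.h> (glibc >= 2.27) */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>

/* PKRU layout (Intel): two bits per key k, k = 0..15.
 *   bit 2k   = AD "access disable": refuses every data access to pages tagged k
 *   bit 2k+1 = WD "write disable":  refuses only writes to pages tagged k
 * Only data accesses are checked; instruction fetches ignore PKRU. */
#define PKRU_AD_BIT(k) (1u << (2 * (k)))
#define PKRU_WD_BIT(k) (1u << (2 * (k) + 1))

/* Rebuild the two bits for one key and leave the other 15 keys untouched:
 * this is the single register write that flips access for a whole region. */
uint32_t pkru_set_key(uint32_t pkru, unsigned key, bool access_disable, bool write_disable)
{
    uint32_t mask = PKRU_AD_BIT(key) | PKRU_WD_BIT(key);
    pkru &= ~mask;
    if (access_disable) pkru |= PKRU_AD_BIT(key);
    if (write_disable)  pkru |= PKRU_WD_BIT(key);
    return pkru;
}

/* The extra check the MMU makes on a data access to a page whose PTE carries
 * `key`; if it passes, the ordinary page permissions still apply. */
bool pkru_allows(uint32_t pkru, unsigned key, bool is_write)
{
    if (pkru & PKRU_AD_BIT(key)) return false;
    if (is_write && (pkru & PKRU_WD_BIT(key))) return false;
    return true;
}

/* Constructed toy page table: one 4-bit tag per page, like the spare PTE bits. */
#define TOY_PAGES 8
typedef struct { uint8_t key[TOY_PAGES]; } toy_pt;

/* Tag pages [first, first+count) with `key`: the one-time step that mprotect()
 * performs for a region; later enable/disable operations never touch the tags. */
int toy_tag_region(toy_pt *pt, unsigned first, unsigned count, unsigned key)
{
    if (key > 15 || first + count > TOY_PAGES) return -1;
    for (unsigned i = first; i < first + count; i++) pt->key[i] = (uint8_t)key;
    return 0;
}

/* Would a write to `page` go through under this PKRU value? */
bool toy_write_ok(const toy_pt *pt, unsigned page, uint32_t pkru)
{
    return page < TOY_PAGES && pkru_allows(pkru, pt->key[page], true);
}

#ifdef PKEY_DISABLE_WRITE
/* Usage scenario 2 with the real Linux interface: keep the "database" page
 * write-disabled and open a short write window for each intended change.
 * Returns -1 with errno set (ENOSPC when the kernel or CPU has no protection
 * keys) instead of faulting, so the program runs on any machine. */
int demo_write_window(void)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    char *db = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (db == MAP_FAILED) return -1;
    int pkey = pkey_alloc(0, 0);
    if (pkey < 0) { munmap(db, len); return -1; }
    if (pkey_mprotect(db, len, PROT_READ | PROT_WRITE, pkey) != 0) {
        munmap(db, len); pkey_free(pkey); return -1;
    }
    strcpy(db, "record-1");              /* initial fill while WD is clear */
    pkey_set(pkey, PKEY_DISABLE_WRITE);  /* one register write: a stray store now SIGSEGVs */
    printf("read while write-disabled: %s\n", db);
    pkey_set(pkey, 0);                   /* open the write window ... */
    db[7] = '2';                         /* ... make the intended change ... */
    pkey_set(pkey, PKEY_DISABLE_WRITE);  /* ... and close it again */
    printf("after update: %s\n", db);
    pkey_set(pkey, 0);                   /* restore before releasing the key */
    munmap(db, len);
    pkey_free(pkey);
    return 0;
}
#endif

int main(void)
{
    toy_pt pt = {{0}};
    toy_tag_region(&pt, 2, 3, 5);                     /* pages 2..4 form domain 5 */
    uint32_t pkru = pkru_set_key(0, 5, false, true);  /* write-disable domain 5 */
    printf("write to page 3 allowed: %d, to page 6 allowed: %d\n",
           toy_write_ok(&pt, 3, pkru), toy_write_ok(&pt, 6, pkru));
#ifdef PKEY_DISABLE_WRITE
    if (demo_write_window() != 0)
        printf("protection keys unavailable here: %s\n", strerror(errno));
#endif
    return 0;
}
```

The model part is what makes the "single register write" claim concrete: toy_tag_region is the slow, per-page step, while pkru_set_key changes one 32-bit value and immediately governs every page that carries the key. In the Linux part, note that the page is left write-disabled outside the window, so a bug that stores into it faults instead of silently corrupting data; a program that needs to read the data must still leave the AD bit clear.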

Created Jul 7, 2021 // Last Updated Feb 8, 2023
