USENIX Security'19 ERIM: Secure, Efficient In-process Isolation with Protection Keys (MPK)

References:

Background

Intel MPK:

  • 4 protection-key bits per page-table entry; 16 disjoint domains.
  • PKRU: a 32-bit register; 2 permission bits for each of the 16 domains.
  • 11–260 cycles to update PKRU.
    • 0.07 to 1.0% overhead per 100,000 switches/s on a 2.6 GHz CPU.
    • 4.8% overhead on NGINX when isolating all session keys.

Legacy API

Memory Layout

Evaluation

SQLite, Node.js

OpenSSL:

  • 4.8% overhead on NGINX when isolating all session keys.
  • up to 6.3x, 13.5x, and 3x lower than the overhead of SFI (with Intel MPX), lwCs, and Intel VT-x, respectively.

CPI

Domain switch rates on the order of 10^5 or 10^6 times a second.

Use cases partition details:

  • OpenSSL: Isolating cryptographic keys in web services.

    • isolating long-term SSL keys -> switches happen less frequently
    • e.g., protects against the Heartbleed bug.
    • isolating session keys -> switches over 10^6 times a second per core in a high-throughput web server like NGINX.
    • session keys protect the confidentiality of individual users.
    • partitioned OpenSSL’s low-level crypto library (libcrypto) to isolate the session keys and basic crypto routines, which run as T (trusted), from the rest of the web server, which runs as U (untrusted).
  • Node.js: Native libraries in managed runtimes.

    • isolate Node.js from a native SQLite plugin (a third-party native library).
    • Node.js: a state-of-the-art managed runtime for JavaScript.
    • SQLite: a state-of-the-art database library written in C [^c1] [^c2].
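As an added illustration (not from the paper or the notes) of the two points above, the PKRU layout (2 permission bits per domain) and the T/U partition, the following C models the PKRU value an ERIM-style split would load when running the untrusted part U versus the trusted part T. The bit positions follow Intel's PKRU definition (AD at bit 2k, WD at bit 2k+1); the key numbers and the two-domain layout are assumed for the example, and no real WRPKRU is executed.

```c
#include <stdint.h>
#include <stdbool.h>

/* Model of the PKRU register: 16 protection keys, 2 permission bits each.
 * Bit 2*k is Access-Disable (AD), bit 2*k+1 is Write-Disable (WD).
 * Both bits clear means full access to pages tagged with key k. */
#define PKRU_AD_BIT(k) (1u << (2 * (k)))
#define PKRU_WD_BIT(k) (1u << (2 * (k) + 1))

/* Set the two permission bits of `key` in a PKRU value. Keys above 15 do
 * not exist (16 domains), so such requests leave the value unchanged. */
uint32_t pkru_set(uint32_t pkru, unsigned key, bool access_disable, bool write_disable) {
    if (key > 15) return pkru;
    pkru &= ~(PKRU_AD_BIT(key) | PKRU_WD_BIT(key));
    if (access_disable) pkru |= PKRU_AD_BIT(key);
    if (write_disable)  pkru |= PKRU_WD_BIT(key);
    return pkru;
}

/* Would a load (write == false) or a store (write == true) to a page tagged
 * with `key` be permitted under this PKRU value? AD blocks both, WD blocks
 * only stores. This is the per-access check the hardware performs. */
bool pkru_allows(uint32_t pkru, unsigned key, bool write) {
    if (key > 15) return false;
    if (pkru & PKRU_AD_BIT(key)) return false;
    if (write && (pkru & PKRU_WD_BIT(key))) return false;
    return true;
}

/* ERIM-style two-domain layout (assumed for this example): the trusted
 * component T owns `trusted_key`; all other pages are in U's domain.
 * While U runs, T's pages are access-disabled and everything else is open. */
uint32_t erim_pkru_untrusted(unsigned trusted_key) {
    return pkru_set(0, trusted_key, true, true);
}

/* Entering T clears the bits for its key so T can read and write its own
 * data as well as U's; leaving T reloads the untrusted value. In a real
 * implementation these values are written with the WRPKRU instruction,
 * which is the 11–260 cycle switch the notes refer to. */
uint32_t erim_pkru_trusted(void) {
    return 0;
}
```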

More

Created Jul 17, 2021 // Last Updated Feb 8, 2023
