Fidelius Charm: Isolating Unsafe Rust Code

Reference 1

Rust: memory safety is lost when any unsafe blocks are used.

Fedelius Charm(FC): limiting access to the program’s memory while executing unsafe libraries:

  • move sensitive program data to protected pages before entering unsafe code;
    • call userspace lib e.g. fc_immutable in which call system call mprotect to change page permission bits and switch to isolated mode;
  • allow unsafe code to run normally without modifications;
  • restore visibility of the protected state when unsafe code completes;
    • call userspace lib e.g. fc_normal to restore page permissions;
  • kernel-level monitor to ensure unsafe code cannot circumvent protections;
    • written in Rust;
    • maintain the secure compartments; mediates page permission;
    • separating user code section into two groups: 1. app code in Rust; 2. non-rust app code ;
    • app code in Rust can make mprotect calls to change page permissions;
    • non-Rust app code cannot change page perms of secure compartment pages via mprotect;
    • separating data section into two groups: 1. secure compartment; 2. exposed pages with r/w access.

Related work:

Shredsc7, lwCc14, SpaceJMPc12, provide thread-like abstractions for isolating memory. ==> requires some static analysis or special abstractions;

Codejailc29, provides a sandbox for unsafe libraries.

FC: reverse the sandbox model: isolating the a subset of the trusted region and providing the rest of the memory to the unsafe libraries.

Evaluation

Microbenchmarks

Rust’s benchmarking interface, plain openssl request & FC-ified openssl request.

Time to lanuch an openssl-based HTTP server and processing single client.

vmware Workstation VM, Ubuntu 15, four cores, 2 GB memory.

System Benchmarks

unsafe operations in TLS-based HTTP servers: use unsafe operations for invoking openssl operations, or make calls to Rust’s ring library, which in turn makes unsafe calls to cryptographic functions.

HTTP server. Four compartments.

128 simultaneous request threads; 5% decrease of number of requests processed in 60 seconds; 13.69% decrease if 50 calls to ring

16 simultaneous requests in 10 milliseconds, the average decrease is 8.30%.

  1. Hussain M.J. Almohri, and David Evans. Fidelius Charm: Isolating Unsafe Rust Code. CODASPY, 2018. ↩
Created Oct 13, 2019 // Last Updated Dec 19, 2020

If you could revise
the fundmental principles of
computer system design
to improve security...

... what would you change?