Going beyond the Limits of SFI: Flexible and Secure Hardware-Assisted In-Process Isolation with HFI

We introduce Hardware-assisted Fault Isolation (HFI), a simple extension to existing processors to support secure, flexible, and efficient in-process isolation. HFI addresses the limitations of existing software-based isolation (SFI) systems, including runtime overheads, limited scalability, vulnerability to Spectre attacks, and limited compatibility with existing code. HFI can seamlessly integrate with current SFI systems (e.g., WebAssembly), or directly sandbox unmodified native binaries. To ease adoption, HFI relies only on incremental changes to the data and control path of existing high-performance processors. We evaluate HFI for x86-64 using the gem5 simulator and compiler-based emulation on a mix of real and synthetic workloads.
