Donky: Domain Keys - Efficient In-Process Isolation for RISC-V and x86

Efficient and secure in-process isolation is in great demand, as evidenced by the shift towards JavaScript and the recent revival of memory protection keys. Yet state-of-the-art systems either do not offer strong security or struggle with frequent domain crossings, and they often require intrusive kernel modifications. We propose Donky, an efficient hardware-software codesign for strong in-process isolation based on dynamic memory protection domains. The two components of our design are a secure software framework and a non-intrusive hardware extension. We perform domain switches entirely in userspace, thus minimizing switching overhead as well as kernel complexity. We show the versatility of Donky in three realistic use cases: secure V8 sandboxing, software vaults, and untrusted third-party libraries. We provide an open-source implementation on a RISC-V Ariane CPU and an Intel-MPK-based emulation mode for x86. We evaluate the security and performance of our implementation for RISC-V synthesized on an FPGA. We also evaluate the performance on x86 and show why our new design is more secure than Intel MPK. Donky does not impede the runtime of in-domain computation. Cross-domain switches are 16–116x faster than regular process context switches. Fully protecting the mbedTLS cryptographic operations has a 4 % overhead.
