Enhancing Application Security with Intel Memory Protection Keys

Table of Contents

1. Introduction
2. Understanding Isolation in Security
3. The Concept of Memory Protection Keys
4. The Role of Intel MPK in Isolation
5. The ERIM Paper and its Significance
   • Overview of ERIM
   • Motivating Applications for Isolation
   • The ERIM Threat Model
6. Implementation of ERIM
   • Call Gates and Trusted Domains
   • Avoiding Inadvertent WRPKRU Instructions
   • Runtime Overheads and Performance Evaluation
7. Use Case: Isolating Sensitive Data in Nginx
8. Comparison with Other Isolation Techniques
9. Summary and Conclusions

🚀 Secure and Efficient In-Process Isolation with Memory Protection Keys

Isolation is a fundamental security methodology that limits the effects of compromised code. In this article, we will explore a cutting-edge technique called ERIM (Efficient and Secure In-Process Isolation with Memory Protection Keys), which is based on Intel MPK (Memory Protection Keys). ERIM allows the creation of trusted partitions within an application, safeguarding sensitive data from potential attacks.

Introduction

Memory errors and corresponding exploits have long been a concern in computer security. Traditional approaches focused on detecting and defending against these errors. However, ERIM takes a different approach by assuming that attacks can happen and aims to limit their effects through isolation.

Understanding Isolation in Security

Isolation is a security methodology that assumes an attack has occurred or can occur. It involves working with vulnerable software and seeks to contain the effects of compromised code. By isolating critical security data from the rest of the application, ERIM aims to mitigate the impact of exploits.

The Concept of Memory Protection Keys

Memory Protection Keys (MPK) is a hardware technology developed by Intel. It allows grouping virtual pages of an application's address space using special tags called protection keys. These keys categorize pages into different domains, restricting their read and write permissions. MPK provides a new level of control over memory access, enabling efficient isolation of trusted and untrusted code.

The Role of Intel MPK in Isolation

Intel MPK offers new hardware primitives that form the foundation of ERIM. By assigning protection keys to memory pages, applications can be controlled and protected at the page level. However, additional work, such as the use of call gates and static binary rewriting, is required to build a complete security solution.

The ERIM Paper and its Significance

The ERIM paper, published in USENIX Security 2019, introduces a user-space library that implements the ERIM technique. It extends the capabilities of Intel MPK, providing lightweight isolation techniques and addressing the limitations of existing defenses. ERIM was awarded the Best Paper at USENIX Security 2019, showcasing its significance in the field.

Overview of ERIM

ERIM introduces the concept of call gates, which act as entry and exit points for switching between trusted and untrusted domains. These call gates utilize the WRPKRU instruction to set the permissions for accessing trusted partitions securely. Static binary inspection and rewriting techniques are employed to prevent unauthorized occurrences of WRPKRU instructions.

Motivating Applications for Isolation

ERIM finds applications in various scenarios, including isolating security-critical data in web servers, managing runtimes from native libraries, and protecting reference monitors. By incorporating ERIM's isolation technique, applications can ensure that sensitive data remains secure even when the overall system may be compromised.

The ERIM Threat Model

ERIM's threat model assumes that untrusted code can be controlled by an attacker and aims to protect critical data within the untrusted application. It leverages the trusted nature of the operating system and CPU, providing in-process isolation without requiring additional trusted components. ERIM resists attacks such as code injection and focuses on preventing unauthorized access to trusted compartments.

Implementation of ERIM

ERIM is implemented as a user-space library, providing the necessary tools and mechanisms for isolation. The call gates play a crucial role in enabling the transitions between trusted and untrusted code. The library includes a memory allocator that ensures trusted memory allocations, protecting sensitive data.

Avoiding Inadvertent WRPKRU Instructions

To avoid unauthorized occurrences of WRPKRU and XRSTORE instructions, static binary inspection and rewriting techniques are employed. By scanning and modifying the ELF binaries, ERIM ensures that these instructions only appear within the designated call gates, mitigating the risk of exploitation.

Runtime Overheads and Performance Evaluation

ERIM's performance is evaluated using real-world scenarios, with a particular focus on the Nginx web server. The evaluation demonstrates that ERIM introduces negligible runtime overhead, maintaining performance within 5% of native execution. Compared to other isolation techniques, ERIM proves to be highly efficient and capable of handling high loads.

Use Case: Isolating Sensitive Data in Nginx

Nginx, a widely used web server, serves as a use case for ERIM's isolation capabilities. By isolating session keys, including cryptographic functionality provided by OpenSSL, ERIM ensures that even if the web server is compromised, the session keys remain protected. This use case highlights the practical applications of ERIM in securing critical data.

Comparison with Other Isolation Techniques

ERIM's effectiveness is compared with other isolation techniques, such as Lightweight Contexts, Memsentry, VMFunk, and Native Performance. The evaluation showcases ERIM's superior performance and lower overhead compared to these techniques. ERIM provides an efficient and secure solution to address memory safety issues.

Summary and Conclusions

ERIM offers a cutting-edge approach to secure and efficient in-process isolation using Intel MPK. By leveraging protection keys, call gates, and static binary rewriting, ERIM provides robust protection against memory-based attacks. The evaluation demonstrates its effectiveness in practical use cases, such as safeguarding session keys in web servers. ERIM's lightweight and low-overhead approach sets it apart from other isolation techniques, making it a promising solution for enhancing application security.

Resources:

• ERIM Paper
• Nginx Web Server