Capacity: Cryptographically-Enforced In-Process Capabilities for Modern ARM Architectures (Extended Version) (2309.11151v1)

Published 20 Sep 2023 in cs.CR

Abstract: In-process compartmentalization and access control have been actively explored to provide in-place and efficient isolation of in-process security domains. Many works have proposed compartmentalization schemes that leverage hardware features, most notably the new page-based memory isolation feature called Protection Keys for Userspace (PKU) on x86. Unfortunately, the modern ARM architecture does not have an equivalent feature. Instead, newer ARM architectures introduced Pointer Authentication (PA) and Memory Tagging Extension (MTE), adapting the reference validation model for memory safety and runtime exploit mitigation. We argue that those features have been underexplored in the context of compartmentalization and that they can be retrofitted to implement a capability-based in-process access control scheme. This paper presents Capacity, a novel hardware-assisted intra-process access control design that embraces capability-based security principles. Capacity coherently incorporates the new hardware security features on ARM that already exhibit inherent characteristics of capabilities. It supports the life-cycle protection of a domain's sensitive objects, starting from their import from the file system to their placement in memory. With intra-process domains authenticated with unique PA keys, Capacity transforms file descriptors and memory pointers into cryptographically-authenticated references and completely mediates reference usage with its program instrumentation framework and an efficient system call monitor. We evaluate our Capacity-enabled NGINX web server prototype and other common applications in which sensitive resources are isolated into different domains. Our evaluation shows that Capacity incurs a low performance overhead of approximately 17% for the single-threaded and 13.54% for the multi-threaded web server.
