Dancing With Wolves: An Intra-Process Isolation Technique With Privileged Hardware

Chenggang Wu, Mengyao Xie, Zhe Wang, Yinqian Zhang, Kangjie Lu, Xiaofeng Zhang, Yuanming Lai, Yan Kang, Min Yang, Tao Li

Research output: Contribution to journalArticlepeer-review

2 Scopus citations

Abstract

Intra-process memory isolation is a cornerstone technique of protecting the sensitive data in memory-corruption defenses, such as the shadow stack in control flow integrity (CFI) and the safe region in code pointer integrity (CPI). In this article, we propose SEIMI, a highly efficient intra-process memory isolation technique for memory-corruption defenses. The core is to use the efficient Supervisor-mode Access Prevention (SMAP), a hardware feature that is originally used for preventing the kernel from accessing the user space, to achieve intra-process memory isolation. To leverage SMAP, SEIMI creatively executes the user code in the privileged mode. In addition to enabling the new design of the SMAP-based memory isolation, we further develop multiple new techniques to ensure secure escalation of user code. Extensive experiments show that SEIMI outperforms existing isolation mechanisms, including the Memory Protection Keys (MPK) based scheme and the Memory Protection Extensions (MPX) based scheme.

Original languageEnglish (US)
Pages (from-to)1959-1978
Number of pages20
JournalIEEE Transactions on Dependable and Secure Computing
Volume20
Issue number3
DOIs
StatePublished - May 1 2023

Bibliographical note

Publisher Copyright:
IEEE

Keywords

  • Intel supervisor-mode access prevention
  • Intra-process memory isolation

Fingerprint

Dive into the research topics of 'Dancing With Wolves: An Intra-Process Isolation Technique With Privileged Hardware'. Together they form a unique fingerprint.

Cite this