You Shall Not (By)Pass! Practical, Secure, and Fast PKU-Based Sandboxing
A Voulimeneas, J Vinck, R Mechelinck… - Proceedings of the …, 2022 - dl.acm.org
Memory Protection Keys for Userspace (PKU) is a recent hardware feature that allows
programs to assign virtual memory pages to protection domains, and to change domain …
Assessing the impact of interface vulnerabilities in compartmentalized software
Least-privilege separation decomposes applications into compartments limited to accessing
only what they need. When compartmentalizing existing software, many approaches neglect …
Going Beyond the Limits of SFI: Flexible and Secure Hardware-Assisted In-Process Isolation with HFI
We introduce Hardware-assisted Fault Isolation (HFI), a simple extension to existing
processors to support secure, flexible, and efficient in-process isolation. HFI addresses the …
μSwitch: Fast Kernel Context Isolation with Implicit Context Switches
Isolating application components is crucial to limit the exposure of sensitive data and code to
vulnerabilities in the untrusted components. Process-based isolation is the de facto isolation …
VDom: Fast and Unlimited Virtual Domains on Multiple Architectures
Hardware memory domain primitives, such as Intel MPK and ARM Memory Domain, have
been used for efficient in-process memory isolation. However, they can only provide a …
Isolating functions at the hardware limit with virtines
NC Wanninger, JJ Bowden, K Shetty, A Garg… - Proceedings of the …, 2022 - dl.acm.org
An important class of applications, including programs that leverage third-party libraries,
programs that use user-defined functions in databases, and serverless applications, benefit …
Rewind & Discard: Improving software resilience using isolated domains
Well-known defenses exist to detect and mitigate common faults and memory safety
vulnerabilities in software. Yet, many of these mitigations do not address the challenge of …
System Call Interposition Without Compromise
Syscall interposition is crucial for tools that monitor/modify application behavior. Mainstream
OSes have, therefore, provided syscall interposition APIs for years, but these often incur …
LightZone: Lightweight Hardware-Assisted In-Process Isolation for ARM64
In-process isolation enforces the principle of least privilege for processes. With such
isolation, even if one part of the process is compromised, other parts within the same …
Whole-Program Privilege and Compartmentalization Analysis with the Object-Encapsulation Model
We present the object-encapsulation model, a low-level program representation and
analysis framework that exposes and quantifies privilege within a program. Successfully …