ERIM: Secure and Efficient In-process Isolation with Memory Protection Keys

Many applications can benefit from isolating sensitive data in a secure library. Examples include protecting cryptographic keys behind a narrow crypto API to defend against vulnerabilities like OpenSSL's Heartbleed bug. When such a library is called relatively infrequently, page-based hardware isolation can be used, because the cost of kernel-mediated or hypervisor-mediated domain switching is tolerable. However, some applications, such as isolating session keys in a web server or isolating the safe region with code pointers in code-pointer integrity (CPI), require very frequent switching. In such applications, the overheads of kernel-based or hypervisor-mediated domain switching are prohibitively high. In this paper, we present ERIM, a novel technique that provides the security of hardware-enforced isolation with low overhead, even at high switching rates (ERIM supports up to 100,000 switches per CPU core a second with an overhead less than 0.5%). The key idea is to combine memory protection keys (MPKs), a feature recently added to Intel CPUs that allows isolation purely in userspace, with kernel binary inspection to prevent circumvention. We show how to apply ERIM to isolate frequently accessed session keys (not just long-term keys) in nginx, a high performance web server, and how to isolate sensitive data in CPI. Our measurements indicate only a small degradation in performance, even with very high rates of switching between the untrusted application and the secure library.