ERIM: Secure and Efficient In-process Isolation with Memory Protection Keys
Many applications can benefit from isolating sensitive data in a secure library. Examples include protecting cryptographic keys behind a narrow crypto API to defend against vulnerabilities like OpenSSL's Heartbleed bug. When such a library is called relatively infrequently, page-based hardware isolation can be used, because the cost of kernel-mediated or hypervisor-mediated domain switching is tolerable. However, some applications, such as isolating session keys in a web server or isolating the safe region in code-pointer integrity (CPI), require very frequent switching. In such applications, the overhead of kernel-based or hypervisor-mediated domain switching is prohibitively high. In this paper, we present ERIM, a novel technique that provides hardware-enforced isolation with low overhead, even at high switching rates (ERIM's average overhead is less than 1% for 100,000 switches per second). The key idea is to combine memory protection keys (MPKs), a feature recently added to Intel CPUs that allows protection domain switches in userspace, with binary inspection to prevent circumvention. Our measurements indicate only a small degradation in performance, even with very high rates of switching between the untrusted application and the secure library.
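The abstract says ERIM pairs MPK domain switches with binary inspection but does not spell out what the inspection looks for. The sketch below is an added example, not code from the ERIM paper or its implementation. It assumes, from the paper's design, that the instructions of interest are the two x86 instructions that can write PKRU (WRPKRU, encoded 0F 01 EF, and XRSTOR, encoded 0F AE /5) and that an executable page is only accepted if every occurrence belongs to a trusted call gate the loader already knows about. The sample page bytes, the gate layout and the PKRU value 0x0C are constructed for illustration. Because x86 instructions are not aligned, the scan has to look at every byte offset: the sample hides a WRPKRU pattern inside the immediate of an unrelated `mov`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* WRPKRU is encoded as 0F 01 EF. */
static int is_wrpkru(const uint8_t *code, size_t len, size_t i) {
    return i + 3 <= len && code[i] == 0x0F && code[i + 1] == 0x01 && code[i + 2] == 0xEF;
}

/* XRSTOR / XRSTOR64 is 0F AE /5: ModRM.reg == 5 with a memory operand (mod != 3).
 * The register form with reg == 5 (0F AE E8..EF) is LFENCE, which cannot touch PKRU,
 * so it must not be flagged. A REX.W prefix (XRSTOR64) precedes the 0F and is
 * caught naturally because the scan visits every offset. */
static int is_xrstor(const uint8_t *code, size_t len, size_t i) {
    if (i + 3 > len || code[i] != 0x0F || code[i + 1] != 0xAE) return 0;
    uint8_t modrm = code[i + 2];
    return ((modrm >> 3) & 7) == 5 && (modrm >> 6) != 3;
}

/* Record the offset of every PKRU-writing instruction pattern in a code region.
 * Returns the total count even if it exceeds max, so callers can detect truncation. */
size_t find_pkru_writers(const uint8_t *code, size_t len, size_t *offsets, size_t max) {
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        if (is_wrpkru(code, len, i) || is_xrstor(code, len, i)) {
            if (n < max) offsets[n] = i;
            n++;
        }
    }
    return n;
}

/* Accept the page only if each occurrence sits at a known trusted-gate offset.
 * Returns -1 when the page is clean, otherwise the first offset that is not trusted. */
long inspect_page(const uint8_t *code, size_t len, const size_t *trusted, size_t ntrusted) {
    size_t found[64];
    size_t n = find_pkru_writers(code, len, found, 64);
    if (n > 64) n = 64;
    for (size_t i = 0; i < n; i++) {
        int ok = 0;
        for (size_t j = 0; j < ntrusted; j++) if (trusted[j] == found[i]) ok = 1;
        if (!ok) return (long)found[i];
    }
    return -1;
}

/* Constructed sample page (hypothetical, not taken from ERIM):
 *   offset  0: B8 0C 00 00 00   mov eax, 0x0C        ; desired PKRU value (constructed)
 *   offset  5: 31 C9            xor ecx, ecx
 *   offset  7: 31 D2            xor edx, edx
 *   offset  9: 0F 01 EF         wrpkru               ; the trusted gate's switch
 *   offset 12: 3D 0C 00 00 00   cmp eax, 0x0C        ; verify the value actually loaded
 *   offset 17: 75 01            jne +1               ; divert on mismatch
 *   offset 19: B8 00 0F 01 EF   mov eax, 0xEF010F00  ; an unaligned 0F 01 EF at offset 21
 *   offset 24: C3               ret
 */
const uint8_t SAMPLE_PAGE[] = {
    0xB8, 0x0C, 0x00, 0x00, 0x00, 0x31, 0xC9, 0x31, 0xD2, 0x0F, 0x01, 0xEF,
    0x3D, 0x0C, 0x00, 0x00, 0x00, 0x75, 0x01,
    0xB8, 0x00, 0x0F, 0x01, 0xEF,
    0xC3,
};
const size_t SAMPLE_PAGE_LEN = sizeof SAMPLE_PAGE;

int main(void) {
    const size_t trusted_gates[] = { 9 };   /* offsets the loader itself emitted */
    long bad = inspect_page(SAMPLE_PAGE, SAMPLE_PAGE_LEN, trusted_gates, 1);
    if (bad < 0) printf("page accepted\n");
    else printf("page rejected: untrusted PKRU write pattern at offset %ld\n", bad);
    return 0;
}
```

Rejecting the page is the right response because the hidden pattern at offset 21 would be reachable by a jump into the middle of the `mov`; ERIM's approach is to have the loader rewrite such code so that no unaligned occurrence survives, and only then map it executable. The `cmp`/`jne` after the gate's own WRPKRU is what keeps the gate safe even if it is jumped into with an attacker-chosen `eax`.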