Designing and implementing secure software is inarguably more important than ever. However, despite years of research into privilege-separating programs, it remains difficult to actually do so, and such efforts can take years of labor-intensive engineering to reach fruition. At the same time, new intra-process isolation primitives make strong data isolation and privilege separation more attractive from a performance perspective. Yet substituting intra-process security boundaries for time-tested process boundaries opens the door to subtle but devastating privilege leaks. In this work, we present Polytope, a language extension to C++ that aims to make efficient privilege separation accessible to a wider audience of developers. Polytope defines a policy language encoded as C++11 attributes that separate code and data into distinct program partitions. A modified Clang front-end embeds the source-level policy as metadata nodes in the LLVM IR. An LLVM pass interprets the embedded policy and instruments the IR with code to enforce the source-level policy using Intel MPK. A run-time support library manages partitions, protection keys, dynamic memory operations, and indirect call target privileges. An evaluation demonstrates that Polytope provides equivalent protection to prior systems with a low annotation burden and comparable performance overhead. Polytope also renders privilege leaks that contradict the intended policy impossible to express.
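As an added illustration (not code from the Polytope paper or its toolchain), the protection-key mechanism that the instrumentation described above relies on, written by hand in C++ on Linux: a data partition tagged with its own key is unreadable until the calling code enables that key, which is the gate a compiler would insert at a partition boundary. It assumes an x86 CPU with MPK and glibc 2.27 or later, and reports "unsupported" otherwise.

```cpp
// Added example: hand-written Intel MPK partition guard (not Polytope's code).
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <sys/mman.h>
#include <unistd.h>
#include <csignal>
#include <csetjmp>
#include <cstdio>
#include <cstring>
#include <string>

#ifndef PKEY_DISABLE_ACCESS
#define PKEY_DISABLE_ACCESS 0x1
#endif

static sigjmp_buf fault_env;
static void on_fault(int) { siglongjmp(fault_env, 1); }  // recover from the PKU fault

// One "partition": a page of secret data tagged with its own protection key.
// Returns "allowed", "denied", or "unsupported" (no MPK on this CPU/kernel).
std::string read_partition(bool caller_holds_privilege) {
    const size_t page = static_cast<size_t>(sysconf(_SC_PAGESIZE));
    int pkey = pkey_alloc(0, PKEY_DISABLE_ACCESS);   // PKRU starts with access disabled
    if (pkey < 0) return "unsupported";
    char* data = static_cast<char*>(mmap(nullptr, page, PROT_READ | PROT_WRITE,
                                         MAP_PRIVATE | MAP_ANONYMOUS, -1, 0));
    if (data == MAP_FAILED) { pkey_free(pkey); return "unsupported"; }
    std::strcpy(data, "partition secret");           // still key 0: writable by anyone
    pkey_mprotect(data, page, PROT_READ | PROT_WRITE, pkey);  // now tagged with pkey
    struct sigaction sa {}, old {};
    sa.sa_handler = on_fault; sa.sa_flags = SA_NODEFER; sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);
    // A compiler-inserted gate at a partition boundary would perform exactly this WRPKRU.
    if (caller_holds_privilege) pkey_set(pkey, 0);
    std::string outcome;
    if (sigsetjmp(fault_env, 1) == 0) {
        volatile char first = data[0];               // the guarded access
        (void)first;
        outcome = "allowed";
    } else {
        outcome = "denied";                          // SEGV_PKUERR: key not enabled
    }
    pkey_set(pkey, PKEY_DISABLE_ACCESS);             // drop privilege on the way out
    sigaction(SIGSEGV, &old, nullptr);
    munmap(data, page);
    pkey_free(pkey);
    return outcome;
}

int main() {
    std::printf("without privilege: %s\n", read_partition(false).c_str());
    std::printf("with privilege:    %s\n", read_partition(true).c_str());
}
```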